The Basics
The new way thieves attack your computer
There's a new twist
on 'phishing' scams: 'pharming.' You type in a legitimate Web
address but get directed to a bogus site that steals your
data.
By Christian Science Monitor
"The pharmers are coming! The pharmers are coming!" Hang warning
lanterns all over the Internet: It's under attack by a new
scam.
For two years users have been hearing about
"phishing," the sending of bogus e-mails -- allegedly from a
bank or other online business -- by criminals who hope to hook
the unwary. Those who bite by clicking on a hyperlink in the
e-mail are shipped off to a phony but authentic-looking Web
site and asked to enter sensitive information. If they type in
their passwords or account numbers, thieves get that
data.
Now phishers have been joined by "pharmers," who
make the ruse more sophisticated by planting a seed of
malicious software in the user's own computer -- or poisoning
servers that direct traffic on the Internet. The result: You
type in the correct address of a Web site, but the software
sends you to a bogus one.
"It's a rapidly growing
threat, and one we've been seeing a lot more discussion about"
among Internet security experts and people in the banking
industry, says Lance Cottrell, founder and president of
Anonymizer Inc. in San Diego, an Internet privacy and security
firm. Phishing attacks "rely on some gullibility of and
participation by the victims," Cottrell says, since they must
be persuaded to click on a link within the e-mail. But not
clicking on such links "is no protection against a pharming
attack."
Here's how the scam works.
The thieves rely on the fact that
the word address you use, such as www.my-bank.com, is
connected to a distinct numerical address, like a browser to
the right Web site. Pharming replaces the number with a
fraudulent one, sending you to a criminal site instead of the
real one.
Besides keeping antivirus and antispyware
programming up to date on their PC, users have few other ways
to defend themselves from pharming.
But any site that
conducts financial transactions should be able to maintain a
secure Web site, Internet security experts say. The corner of
the browser should display a padlock symbol, and the address
in the address bar should begin with "https," not simply
"http."
Are you being scammed?
To determine if you're at the real site,
click on the lock symbol and make sure it displays the address
you expect, says Mikko Hyppönen, chief research officer of
F-Secure, an Internet security company in Helsinki, Finland.
Another kind of pharming, sometimes called "domain
spoofing," "domain poisoning" or "cache poisoning," attacks
the servers that route traffic around the Internet. These
so-called domain-name system (DNS) servers also link the word
address to its underlying numerical address.
To corrupt
a DNS "takes significantly more expertise, more access" than
attacking PCs, says Peter Cassidy, secretary-general of the
Anti-Phishing Working Group, which has offices in Cambridge,
Mass., and Menlo Park, Calif. That's why thieves first will
try to get into individual computers.
"They're the
low-hanging fruit," he says. But "they'll try anything that
works." Some servers are hard to crack, he says, but others
don't keep their defenses up-to-date.
Unlike the
traditional landline telephone system, which was built from
the outset to be a commercial enterprise, the Internet was
designed to make sharing of information between scholars and
researchers fast and easy, not to secure financial
transactions.
"It was built in a laboratory by guys who
knew each other and married each other's sisters," Cassidy
says. Now new layers of security continually must be added, as
criminals probe for weak points.
Spreading fraud
The Anti-Phishing
Working Group reports that the number of new phishing messages
rose by an average 38% per month in the last six months of
2004.
And pharming was one of the top five Internet
scams in March 2005, says a recent report from the National
Cyber-Forensics & Training Alliance, a nonprofit arm of
the Direct Marketing Association. Internet fraud in general,
which includes phishing and pharming, cost merchants $2.6
billion in 2004, $700 million more than in 2003, according to
CyberSource, which processes Internet financial transactions.
Gone 'phishing'
"Phishing" means sending out official-looking e-mails to tempt users to visit a bogus Web site and type in personal or financial data. Here are key points from a March report:
Since July 2004, the number of Web sites linked to the scam rose an average 28% a month.
The United States hosted a third of the phishing sites -- more than any other nation -- followed by China (12%) and South Korea (9%).
Financial services are the most frequent target, with 4 of 5 phishers appropriating the brand of a bank or some other financial institution.
Such sites only last an average 5.8 days before they're taken down.
A new version of the scam -- "pharming" -- plants malicious software on PCs to direct users to bogus sites.
While
Cassidy has seen some disturbing pharming attack reports from
Britain, "we haven't seen it taking over the universe," he
says. "We have seen significant attacks, but not rapid
proliferation, partly because it does take a little more
expertise."
One pharming technique is to flood the DNS
server with messages to trick it into saving false information
that will send users to a phony site, Cottrell says. "Then in
many cases (the criminals) try to bounce you back to the real
bank's Web site, so that you're not aware that anything has
happened."
Phishers and pharmers set up their fake Web
sites for only a few days or even a few hours, then move on
before they can be found out.
Cottrell's company,
Anonymizer, runs all its clients' Internet traffic through its
own secure DNS servers, which he says can protect clients from
pharming.
Keyboard trouble
But even if crooks can't get at your PC or
the DNS server, they can always hope that you just can't
spell.
F-Secure discovered recently that a malicious
Web site had been set up at www.googkle.com, just one
keystroke away from the famous http://www.google.com/ site.
Users who accidentally went to the site using the popular
Internet Explorer browser immediately were inundated with
spyware, adware and other malicious software that tried to
secretly load itself onto their PCs.
Before long, the
site had disappeared. But Hyppönen still warns people not to
try to visit it out of curiosity. "These things sometimes pop
up again," he says.
The technique isn't new. Similar
attack sites have been created just a slip of the finger away
from sites such as CNN.com, AOL.com and MSN.com, Hyppönen
says.
The people behind the malicious sites can be
anywhere from South Korea to Brazil to Russia. The PC
operating the site could be "somebody's grandmother's computer
in Canada" being remotely controlled without her knowledge, he
adds.
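A defender's check for the one-keystroke look-alike addresses described under "Keyboard trouble," as an added example that is not part of the original article: it compares hostnames seen in logs against the site names the article mentions and reports which kind of typing slip separates them. The observed hostnames other than www.googkle.com are constructed, and the function names and the same-row QWERTY adjacency rule are assumptions of this example.

```python
# Added example (not from the article): flag hostnames one typing slip away
# from a protected site name. Adjacency is same-row QWERTY only (assumption).
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
PROTECTED = ["google.com", "cnn.com", "aol.com", "msn.com"]  # sites named in the article
# Constructed sample of hostnames as they might appear in proxy or DNS logs.
OBSERVED = ["www.googkle.com", "www.google.com", "cmn.com", "mns.com", "example.org"]

def neighbors(ch):
    """Keys directly left or right of ch on its QWERTY row."""
    for row in QWERTY_ROWS:
        i = row.find(ch)
        if i != -1:
            return set(row[max(i - 1, 0):i] + row[i + 1:i + 2])
    return set()

def classify_slip(real, seen):
    """Name the single-keystroke slip that turns real into seen, else None."""
    if real == seen:
        return None
    p = 0  # length of the common prefix
    while p < min(len(real), len(seen)) and real[p] == seen[p]:
        p += 1
    if len(seen) == len(real) + 1 and real[p:] == seen[p + 1:]:
        beside = seen[max(p - 1, 0):p] + seen[p + 1:p + 2]
        near = any(seen[p] in neighbors(c) for c in beside)
        return "extra key (adjacent)" if near else "extra key"
    if len(seen) == len(real) - 1 and real[p + 1:] == seen[p:]:
        return "missed key"
    if len(seen) == len(real):
        if real[p + 1:] == seen[p + 1:]:
            near = seen[p] in neighbors(real[p])
            return "wrong key (adjacent)" if near else "wrong key"
        if real[p:p + 2] == seen[p:p + 2][::-1] and real[p + 2:] == seen[p + 2:]:
            return "swapped keys"
    return None

def find_lookalikes(observed, protected=PROTECTED):
    """Return (observed_host, protected_name, slip) for every one-slip match."""
    hits = []
    for host in observed:
        name = host.lower().rstrip(".")
        name = name[4:] if name.startswith("www.") else name
        for real in protected:
            slip = classify_slip(real, name)
            if slip:
                hits.append((host, real, slip))
    return hits

if __name__ == "__main__":
    for host, real, slip in find_lookalikes(OBSERVED):
        print(f"{host}: looks like {real} ({slip})")
```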
Source: Anti-Phishing Working Group