It's a Trap!
Somebody in Brunei Darussalam has it in for you. And you aren't making friends in Belarus or Nicaragua, either. Even Bobby Fischer can catch a break in Iceland--but you can't.
Network security company Netcraft has identified these as some of the exotic locales most likely to broadcast those phishing e-mails that try to scare you and your customers into giving up bank, PayPal or other sensitive information. Servers in those locations also host the copycat web pages used in a scary variation on phishing--pharming.
No longer content to hook victims one spam at a time, phishers are reinvesting their ill-gotten gains in techniques that harvest hundreds or thousands of identities within hours or days. The best known is DNS cache poisoning--basically, switching the internet's street signs. Type a legitimate bank or e-commerce address into your browser, and a poisoned name server can route you to a copycat site that asks for personal information it has no business asking for and infects your PC with a Trojan that logs keystrokes and ships them to hackers located anywhere from Rhode Island to Romania. But that's the hard way to pharm.
There are many easier ways to compromise business networks and websites, warns Christopher Faulkner, CEO of web hosting company CI Host. These include various blends of phishing, pharming and good, old-fashioned virus attacks.
For starters, those Trojans have already marshaled thousands of infected PCs into robot networks, or botnets, which can be used for a variety of scams. There's phishing and spyware/adware distribution, of course. But the same machines can also be pharmed themselves, flood a website's defenses while a DNS poisoning attack is under way, or serve as rogue DNS servers that hand out the attacker's answers. The goal isn't to destroy anymore; it's to get inside your network and harvest sensitive information from employees who feel safe behind the company firewall.
One way to get that first login ID is to set up an evil twin Wi-Fi network near a public hot spot or business park. One Michigan trio snatched the Wi-Fi log-on of a hardware-chain employee, then set up phony login pages on the company network to harvest the other information needed to alter the credit card server. They only got busted when police spotted a strange glow coming from their laptops out in the store's parking lot.
These man-in-the-middle attacks often demonstrate astounding combinations of creativity and chutzpah--both online and off. One suspected Russian mafia member added an extra slot to a Boston-area ATM to record bank card information while videotaping customers' keystrokes from afar.
Increasingly, pharmers don't risk selling or using the identities they steal, says Gary Morse, president of Razorpoint Security Technologies--they threaten companies they've compromised with public exposure if payments aren't made to offshore bank accounts. While seldom reported, cyber-extortion is rife, says Morse, with victims including sites pretty far down the revenue chain.
The reason that Third World servers are so popular, according to Netcraft, is that "unscrupulous hosting locations in Asia and the former Soviet Union sell bulletproof hosting" and will fend off attempts to identify perpetrators. A good botnet provides a similar level of anonymity, says Morse, and can earn extra cash distributing adware and spyware.
What separates pharming from phishing is that it doesn't require the participation of the victim. "You don't have to be 'socially engineered' to be victimized," says Faulkner, "although it certainly helps."
Another problem is that there doesn't seem to be a technical solution to DNS cache poisoning short of re-architecting the worldwide DNS system. While we may wish for autonomous hardware or software solutions to pharming, presently, the best defense seems to be constant vigilance and employee training.
Sounds hackneyed, but it's still advice honored in the breach. A recent Computing Technology Industry Association survey of 489 IT professionals revealed that, for all their security tools and expertise, 40 percent had been hacked in the last six months. Even then, half still had no plans to codify security policies or train employees.
But there are a few things you can do to reduce your risk of being pharmed while surfing financial and e-commerce sites. There are also a few ways to tighten up your e-commerce website. Most are pretty technical and can vary by hardware configuration, though, so they're best deployed in conjunction with a security audit of your network.
Yup, it's a small world, after all. And current security tools are not quite enough to keep you safe while navigating it. Be careful out there.
Staying Out of Pharm's Way
Limit your exposure when visiting financial or e-commerce sites.
- No legitimate financial site will ever ask you to "verify" personal information. When in doubt, phone your bank using a number you trust.
- Before logging in, click a couple of links on a home page to make sure it isn't a facade.
- Spoof web pages often include spelling, grammatical or page-layout errors.
- Drag-select normal-looking blocks of text. Words or phrases that won't highlight are really images, a trick used to slip past text-based phishing filters.
- Make sure login pages are encrypted. Addresses should begin with "https," and the padlock at the bottom of your browser should be locked. Encryption alone only proves the connection is private, not who is on the other end.
- So double-click that padlock and check that the site's security certificate is issued to the company you intended to visit, at the domain you typed.
- Up-to-date Windows and security software can keep you from being enlisted in a botnet.
- In your e-mail client, block remote images and HTML rendering; in your browser, set security to "medium" or higher to limit active scripting and unintended program downloads; and never click suspicious e-mail links.
- Use Wi-Fi network encryption and sniffers like Trend Micro PC-cillin to find alien networks within range.
- Install the Netcraft browser toolbar, which flags known phishing addresses so you can avoid them.
- Anti-Phishing Working Group, SANS Internet Storm Center and Websense Security Labs offer phishing/pharming updates.
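Several of the checks above (insist on https, distrust a login page whose address isn't really the company you meant to visit) can be applied to a URL before you ever type a password into it. The following Python script is an added example, not code from the article or from any of the companies it quotes; the bank and attacker hostnames in it are constructed, and the domain list is a placeholder for the sites you actually use.

```python
"""Flag URLs that show the hallmarks of a spoofed login page.

Added example (not from the original article). Implements, in code, the
"https only" and "is this really my bank's domain?" checks from the list
above, plus two classic address tricks: user-info before an '@' that hides
the real host, and punycode (IDN look-alike) labels.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical: the registered domains of the financial sites you use.
EXPECTED_DOMAINS = {"examplebank.com", "paypal.com"}


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname ('bank.com' from 'login.bank.com').

    Good enough for .com/.net-style names. Country-code second-level
    registrations such as 'co.uk' would need a public-suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_login_url(url: str, expected=EXPECTED_DOMAINS) -> list:
    """Return a list of warnings for a login-page URL; empty means it passed."""
    warnings = []
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit strips any user-info and port

    if parts.scheme != "https":
        warnings.append("not https: the login form would travel in the clear")

    # 'https://paypal.com@evil.example/' really connects to evil.example.
    if parts.username is not None or parts.password is not None:
        warnings.append("user-info before '@' hides the real host: " + host)

    # A bare IP address is never how a bank presents itself to customers.
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address, not a company name")
    except ValueError:
        pass

    # Internationalized labels are encoded as xn--...; look-alike letters
    # from other alphabets end up here.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (possible IDN look-alike) in host")

    if host and registered_domain(host) not in expected:
        warnings.append(
            "registered domain %r is not one you meant to visit" % registered_domain(host)
        )
    return warnings


if __name__ == "__main__":
    # Constructed sample URLs: one genuine, three spoofed.
    for sample in (
        "https://www.examplebank.com/login",
        "http://www.examplebank.com/login",
        "https://www.examplebank.com@203.0.113.5/login",
        "https://www.xn--exmplebank-5fb.com/login",
    ):
        print(sample, "->", check_login_url(sample) or "ok")
```

Run it as a script to see the verdict for each sample, or import check_login_url and feed it the address shown in your browser's location bar before you log in. It deliberately stops short of the certificate check in the list above: that requires connecting to the site and reading the certificate the server presents, which this offline example doesn't do.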
Mike Hogan is Entrepreneur's technology editor.