International Journal of Advance Engineering and Research Development. What is Pharming?

Size: px

Start display at page:

Download "International Journal of Advance Engineering and Research Development. What is Pharming?"

Lesley Warner
5 years ago
Views:

Scientific Journal of Impact Factor (SJIF): 4.72 International Journal of Advance Engineering and Research Development Volume 4, Issue 10, October -2017 What is Pharming? Dr.

1 Scientific Journal of Impact Factor (SJIF): 4.72 International Journal of Advance Engineering and Research Development Volume 4, Issue 10, October What is Pharming? Dr. LatikaKharb 1, Mandeep Yadav 2 Associate Professor 1, Student 2, Jagan Institute of Management Studies (JIMS), Delhi, India. e-issn (O): p-issn (P): INTRODUCTION:- Pharming is a cyber-attack by which hacker install malicious code on personal computer or server, redirect a website traffic to another without their knowledge or consents. This is also called Phishing without a lure.it occurs when hackers locate vulnerabilities in DNS software and by rearranging the host file on the target computer.the term Pharming is neologism based the word farming and phishing. Phishing is a type of social engineering attack to obtain access credentials like username, password. Now a year, both phishing and pharming is used. Now a day for online identity theft both pharming and phishing is used. The most popular pharming targeted website are online banking and e-commerce websites. Due to lack of security administration, Desktop are also vulnerable to pharming threads.pharming and phishing threads have been used simultaneously and these can cause the most potential for online identity theft. Unfortunately, anti-virus software is incapable of protecting against these types of cybercrime.pharming attack will redirect the victim to the fake website even though victim enter the correct website address.for Example, the victim intends to access so, he/she writes the right URL to the browser, The URL still be but he/she surf the fake website instead. HISTORY By, 2003, phishing attack became a popular cybercriminal. The problem with Phishing attack is that hacker convinced the target victim to click on the fake website link to enter the information. With the increase the popularity of phishing attack, people come up with the ideas how to overcome from the phishing attack.so, cybercriminals came up with a new form of phishing. Pharming is just like phishing and it is invisible to the victim. As users come to know how to overcome phishing attack, pharming is made that irrelevant. In September 2004, first known pharming attack is seen in Germany where a teenagergained control over ebay.de Domain. In January 2005, A pharming attack was known take place in New York, where ISP(Panix.com) was hijacked through pharming attack. In worldwide, 50 different kind of financial institution were found to be suffered from the farming attack in February 2007.There is a tremendous increase in number of pharming attack case in past few years. Moreover, there were 398 reports in 2010, 511 in 2011 and within just the first half last years. There were over 1000 reports of pharming.a number of fraud and identical theft has been caused due to pharming attack. PHARMING V/S PHISHING Delivering a high quality reliable product is the main focus in any software development. In today's society, advances in technology have provided us higher levels of technical knowledge through the invention of different devices and thus made our life easier. However, each innovation has the potential of some hidden threats to its users like theft of private and/or personal data and/or information. In the mobile age, where personal information is available via multiple points of entry, there are a number of ways for hackers to get to someone s information like name, phone number, address, credit card numbers, bank account information or even their personal files. Pharming is a cyber-attack that redirecting websites traffic to another. It can be done either by changing the host filename or manipulating of a victim computer or exploiting a DNS server software to change the logic behind a DNS i.e., DNS cachepoisoning. How DNS work is that domain name such as is a keyed into the web address bar and get redirecting to a string of number such as If the logic is change it can redirect traffic to a different string of number, which leads to malicious websites such as without knowing the visitor. Phishing is a form of social engineering in which an attacker attempts to fraudulently acquire sensitive information from a victim by impersonating a trustworthy third party, which could be a person or a reputed business in an electronic communication. Phishing is the attempt to obtain the sensitive information by deceiving the user , ads etc. Phishing attack is done through spoofing or messaging and it lead users to enter the personal information at fake website. The interface of the fake website is identical to the real website, the only difference is the URL of the website. The hackers send out the large number of messages and it look likes that they are from real source These two terms Pharming and Phishing might be confused as they are related to online practice to sale goods, access the personal information. Pharming attack uses techniques like social engineering known as DNS poisoning. ISP may be compromised making the connection to the internet vulnerable and phishing attack is also uses social engineering to deceive personal All rights Reserved 712

required. The Hosts file, residing by default on every Microsoft Windows system, contains domain/ip address information, which overrides DNS name resolution.

2 HOW PHARMING WORKS The pharming works get completed in one of two ways: modification of host file or by taking advantages of DNS service. Modification of host file The Hosts file is an old method of resolving domain names to IP addresses when DNS services are either not available or when slight adjustments to resolved addresses are required. The Hosts file, residing by default on every Microsoft Windows system, contains domain/ip address information, which overrides DNS name resolution. So, all an attacker has to do is drop a small script on a desktop, modify the Hosts file, and abracadabra, the user is thenceforth directed to one or more sites of the attacker s choice. Let s step through an example on a Windows XP SP2 system. The hosts file is located in the same place on all current versions of Windows, shown in Figure 1. Hosts is a text file WITHOUT an extension. Adding an extension causes Windows to ignore the file on bootup Hosts ships with content designed to assist administrators, as shown in Figure 2. Note the entries are similar to host address resource records in DNS. To demonstrate how this works, we chose to redirect google.com to fiu.edu. We started by pinging fiu.edu and entering the IP address returned into the hosts file along with the as shown in Figure All rights Reserved 713

After we saved the file (with no extension), we flushed the resolver cache by entering ipconfig /flushdns at a command prompt. This performed two tasks.

3 After we saved the file (with no extension), we flushed the resolver cache by entering ipconfig /flushdns at a command prompt. This performed two tasks. First, it removed all cached name resolution records from the test machine. Second, it loaded the contents of the hosts file into the resolver cache. Since the resolver cache is checked before a Windows system sends a DNS query, will always resolve to the adventuresinsecurity IP address. To test, we closed and reloaded Microsoft IE7 and entered in the address space. As it can be seen in Figure 4, we were directed to fiu.edu instead of google.com. If an attacker placed this entry, he or she would likely redirect me to a page, which looked exactly like the actual site. Applications at the substitute site could then perform various tasks, including enlisting the redirected system into a botnet. Default access to the Hosts file is read/execute for all users except local admin. As long as your users are not logging in and browsing the Web as local administrators, this type of attack will be troublesome for black hat hackers. But there is another way. Black hats do not have to gain access to the local Hosts file to redirect users to malicious sites. Recent discoveries about DNS vulnerabilities make resolver cache poisoning at the server level a real possibility, especially if DNS service providers have not patched or properly configured their servers. Poisoned cache entries can potentially redirect all systems requesting name resolution to malicious All rights Reserved 714

4 DNS poisoning. DNS cache poisoning consists of changing or adding records in the resolver caches, either on the client or the server, so that a DNS query for a domain returns an IP address for an attacker s domain instead of the intended domain. To demonstrate how this might work, let s step through Figure 5. Step 1: The resolver checks the resolver cache in the workstation s memory to see if it contains an entry for Farpoint.companyA.com. Step 2: Having found no entry in the resolver cache, the resolver sends a resolution request to the internal DNS server. Step 3: When the DNS server receives the request, it first checks to see if it s authoritative. In this case, it isn t authoritative for companya.com. The next action it takes is to check its local cache to see if an entry for Farpoint.companyA.com exists. It doesn t. So, in Step 4 the internal DNS server begins the process of iteratively querying external DNS servers until it either resolves the domain name or it reaches a point at which it s clear that the domain name entry doesn t exist. Step 4: A request is sent to one of the Internet root servers. The root server returns the address of a server authoritative for the.com Internet space. Step 5: A request is sent to the authoritative server for.com. The address of a DNS server authoritative for the companya.com domain is returned. Step 6: A request is sent to the authoritative server for companya.com. This is identical to the standard process for an iterative query with one exception. A cracker has decided to poison the internal DNS server s cache. In order to intercept a query and return malicious information, the cracker must know the transaction ID. Once the transaction ID is known, the attacker s DNS server can respond as the authoritative server for companya.com. Although this would be a simple matter with older DNS software (e.g. BIND 4 and earlier), newer DNS systems have build-in safeguards. In our example, the transaction ID used to identify each query instance is randomized. But figuring out the transaction ID is not impossible. All that s required is time. Group 6 EEL4789 U01 Dr. Alexander Pons 12 To slow the response of the real authoritative server, our cracker uses a botnet to initiate a Denial of Service (DOS) attack. While the authoritative server struggles to deal with the attack, the attacker s DNS server has time to determine the transaction ID. Once the ID is determined, a query response is sent to the internal DNS server. But the IP address for Farpoint.companyA.com in the response is actually the IP address of the attacker s site. The response is placed into the server s cache. Step 7: The rogue IP address for Far point is returned to the client resolver. Step 8: An entry is made in the resolver cache, and a session is initiated with the attacker s site. At this point, both the workstation s cache and the internal DNS server s cache are poisoned. Any workstation on the internal network requesting resolution of Farpoint.companyA.com will receive the rogue address listed in the internal DNS server s cache. This continues until the entry is deleted. Another method used to poison a DNS cache is the use of a recursive query sent by the All rights Reserved 715

5 The query can force the target server to connect to the authoritative source of the domain in the query. Once connected, rogue information about one or more domains might be sent to the querying server and posted to the server s cache. Potential Consequences of Cache Poisoning Pharming is the primary risk associated with cache poisoning. Crackers employ pharming for four primary reasons (Hyatt, 2006): identity theft, distribution of malware, dissemination of false information, and man-in-the-middle attacks. Identity Theft Once an attacker gets you to his site, he ll try to trick you into leaving behind information he can use to impersonate you. One way to do this in our first example is to create a site identical to the real Farpoint.companyA.com. When the user connects using the poisoned cache information, she might be fooled into entering information about herself through apparently legitimate requests for her name, social security number, address, etc. Distribution of Malware Another of objective of attackers using cache poisoning is the automatic distribution of malware. Instead of releasing malicious code into the Internet and realizing random results, the use of rogue IP addresses to redirect unsuspecting users to the attacker s site can be a more focused attack vector. Once a workstation initiates a session with the malicious site, malware is uploaded to the workstation without intervention by or the knowledge of the user. Dissemination of False Information This aspect of pharming is useful to attackers who want to spread self-serving information about an organization. It s also been used to manipulate stock prices in an attempt to realize a large profit. Man-in-the-middle Attack In this attack type, the workstation initiates a session with the attacker s server. The attacker s server initiates a session with the actual target site. All information flowing between the workstation and the genuine site passes through and is intercepted by the cracker s server. There can be serious consequences when security is an afterthought during the configuration and deployment of DNS servers. The next section provides guidelines that can help prevent cache poisoning Protecting Your Assets The first layer of defense against cache poisoning is the use of the latest version of DNS. DNS based on BIND 9.3.x or Microsoft Windows Server 2003 is far more secure than DNS implemented with earlier versions. Successful completion of our first poisoning example would have been more difficult, because these systems also randomize the port used for the DNS query in addition to the transaction ID. Recursive queries should be limited to internal DNS servers. If Internet facing recursive queries are required, only queries from internal addresses should be accepted. This will help prevent outside systems from sending queries with malicious intent. The following list provides additional guidance (Hyatt, 2005): Physically separate external and internal DNS servers Restrict zone transfers to authorized (secondary servers) devices Use TSIG to digitally sign zone transfers and zone updates one of the best ways to prevent poisoning is to force identification of the sending authoritative source Restrict dynamic DNS updates when possible Hide the version of BIND being used on the DNS servers Remove unnecessary services running on the DNS servers Where possible, use dedicated appliances instead of multi-purpose servers How to mitigate Pharming attack Use an anti-virus program which protects you from unauthorized alterations of the Host file is one way. Also, you should regularly patch your operating system and the installed software. More sophisticated pharming attacks target the DNS server which is usually handled by Internet Service Providers (ISPs). In such a scenario, a user has few options at hand to handle the risk and he can do little against it, except using trustworthy DNS servers. Most browsers & security software today are capable of alerting users when landing at Pharming and Phishing sites. As such, a user should always remain vigilant while divulging details about financial accounts. Whenever in doubt, communicate using a secure network and do not reveal your credentials or any other requested information. Precautions that can be taken to prevent Pharming 1. Use a trusted, legitimate Internet Service Provider: Rigorous security at the ISP level is your first line of defense against pharming. Internet service providers (ISPs) are working hard on their end to filter out pharmed All rights Reserved 716

6 2. Better Antivirus software: Install an antivirus program on your Windows PC that does the right job for you. It is a good practice to buy an anti-virus system from a trusted security software provider to reduce your exposure to pharming scams. 3. Keep computer updated: Get into the habit of downloading the latest security updates (or patches) for your Web browser and operating system to stay protected. Use a good secure web browser always. 4. Double-check the spelling of a website: In most cases, it is observed that the attacker obscures the actual URL by overlaying a legitimate looking address or by using a similarly spelled URL. So, always check the Web browser s address bar to make sure the spelling is correct. 5. Check URL: Check the URL of any site that asks you to provide personal information. Make sure your session begins at the known authentic address of the site, with no additional characters appended to it. But it is important to remember that your browser may display the legitimate URL, but you will not be on the legitimate server. 6. Check the certificate: It takes few minutes if not seconds to verify if a website page you ve opened in the browser is legitimate or not. To check, go to File in the main menu and select Properties. Alternatively, you can right-click your mouse anywhere on the browser screen and, select Properties option. From the menu that pops up, click on Certificates and check if the site carries a secure certificate from its legitimate owner. 7. Check the HTTP address: It is the safest and easiest practice to follow. When you visit a page where you re asked to enter personal information, the HTTP should change to https. The s stands for secure. This post will show you the difference between HTTP and HTTPS. 8. Look for Padlock: A locked padlock, or a key, indicates a secure, encrypted connection and an unlocked padlock, or a broken key, indicates an unsecured connection. So, always look for a padlock or key on the bottom of your browser or your computer taskbar. REFERENCES 1. Hyatt, M. (2005, June). Five steps to minimize DNS cache poisoning. Retrieved March 14, 2006; 2. Kharb L, Proposing a Comprehensive Software Metrics for Process Efficiency: International Journal of Scientific & Engineering Research, Volume 5, Issue 9, September Microsoft TechNet (2005, January). How DNS query works. Retrieved March 14, B Bhagat, L Kharb. Phishing and Its Indian Perspective. The Internet Journal of Medical Informatics Volume 3, Number Kharb L, Biometric Personal Data Security Systems: Trustworthy Yet? International Journal of Recent Engineering Research and Development (IJRERD) Volume No. 01 Issue No. 06, ISSN: PP Author Dr. Latika Kharb is currently working as Associate Professor in JIMS, Rohini, New Delhi, INDIA. She has got work experience of more than 14 years in teaching. She is a Technical reviewer/ Editor/Board of Refree (BoR) / Chair person, member of Board of Referees/ Reviewer for numerous International Journals She has written more than 60 Research Publications besides the review articles in various International & National Conferences/Workshops/ Training Programs. She has got 9 Professional International Awards for her Academic Excellence. Her research areas include: Software Metrics, Software Testing, Artificial Intelligence, Cyber Laws, and Bioinformatics to Access Biological Database & Gene Identification, Mobile Computing, Computer Forensic Science, Nanotechnology, Cyber Medicine & Dentistry, Autonomic Software Systems and many more. Mr. Mandeep Yadav is student scholar currently Graduated in B.C.A, currently doing Master of Computer Applications from Guru Gobind Singh Indraprastha University, New Delhi, India. Interested in android and takes coaching All rights Reserved 717

3.5 SECURITY. How can you reduce the risk of getting a virus?

3.5 SECURITY. How can you reduce the risk of getting a virus? 3.5 SECURITY 3.5.4 MALWARE WHAT IS MALWARE? Malware, short for malicious software, is any software used to disrupt the computer s operation, gather sensitive information without your knowledge, or gain