Hackers get tricky with pharming

Posted by: Digital Geek

Hackers get tricky with pharming - 05/23/05 09:18 AM

Criminals have once again improved their identity-theft techniques. E-mail users have, in general, become better informed and more sophisticated. At least, they're more sophisticated than hackers would like. I guess even hackers see diminishing returns from old products like phishing schemes.

Phishing schemes use e-mail to make you volunteer your personal information. The e-mail might ask you to confirm your information for some shipment. Or it might ask you to update your information for online banking. The phishing lure is a link to a fraudulent site, made to look legitimate. The spoofed site actually belongs to a criminal. It happily accepts all the information that you unknowingly surrender.

Reputable companies will never request confidential information via e-mail. And smart e-mail users don't open spam or click links in their messages. They enter Web addresses directly into their browsers. But when people get smart, hackers get creative.

The latest threat: Pharming

Hackers' new scheme has been dubbed pharming. Pharming doesn't need a Web link to lure you into a spoofed site. It doesn't even need to bother with a deceptive e-mail message. And it will take you to wrong or spoofed sites even if you type in Web addresses yourself.

Pharming is an attack on the domain name system (DNS). DNS translates domain names into IP addresses. Simplified, a DNS record reads something like "www.google.com = 207.142.131.236." The IP number is the address your browser actually connects to; we type names such as http://www.undergroundnews.com only because they are easier to remember than numbers. Those records are kept on DNS servers, and your computer asks one (usually your ISP's) every time you type an address it hasn't looked up recently.

In pharming, crooks break into a DNS server and plant false IP addresses in it. The misinformation spreads because other DNS servers that ask the tainted server for an answer cache what they get back and hand it to their own users until it expires. One hacked server can thus push false numbers out to many other computers. You could type in http://www.google.com and land on a completely different site: an advertising page, an obscene site, or worse, a spoofed banking site that collects whatever you type into it.

What can you do to protect yourself against a poisoned server? Not much directly; the people who run the DNS servers have to protect them. But if you go to a financial site and it doesn't look right, close it and call the company to ask if everything is OK. A spoofed site sitting at the wrong address normally cannot present a valid security certificate for the bank's real name, so a certificate warning on a financial site is a reason to stop, not something to click past. These fakes are often built by foreign criminals, so the grammar and spelling are often creative.

Pharming can also hit your own computer. Your computer keeps its own crib sheet of DNS listings in the HOSTS file, and this is its first stop after you type an address: if the name is found there, that address is used and no DNS server is ever asked. The file normally contains nothing but the localhost entry unless you've added listings yourself.

A virus or spyware can fill your HOSTS file with false IP addresses. This is attractive to hackers for a couple of reasons. First, your computer is easier to break into than a DNS server. Second, you're not a big company with teams of security problem solvers watching for tampering.

Protect yourself

Your best defense against pharming is good security software. This includes a firewall and anti-virus and anti-spyware programs. If infections can't touch your computer, they can't write to your HOSTS file. Also, many security suites can spot suspicious HOSTS file listings.

Then again, it may be too late for prevention. Your computer could have been infected before you invested in security, and in that case your HOSTS file could already hold false information. Hackers like to insert listings for popular security sites such as McAfee or Symantec that point to false IP addresses (or to your own machine, so the lookup goes nowhere). Once that happens, your security software contacts the wrong server and can't download the updates that would protect you.

To stop this, you'll have to edit your HOSTS file yourself. Open Windows Explorer and follow the path C:\Windows\System32\Drivers\Etc (if Windows is installed in a different folder, %SystemRoot%\System32\Drivers\Etc gets you there). In that folder you'll find a file named HOSTS, with no extension.

Double-click the HOSTS file to open it. Because it has no extension, Windows will ask which program to open it with. Double-click Notepad.

The file starts with brief instructions for entering listings, and it also mentions comments. Notice that each line of that introduction begins with the comment symbol #: lines marked that way are ignored when your computer uses the file. Every line without the symbol is a live listing, written as the IP address, a space, then the name it stands for. The only listing that belongs there by default is "127.0.0.1 localhost," which refers to your own computer.

Any other listing is suspect unless you added it yourself or installed a custom HOSTS file. Delete the suspicious lines (or put a # in front of them if you want to keep a record of what was there), then click File>>Save and close Notepad. Windows may still be holding the old answers in its DNS cache, so also open a command prompt and run ipconfig /flushdns. As soon as you've done that, update your security software. With current updates it should protect you from similar attacks.

To be extra-cautious, make your HOSTS file read-only: find it again, right-click it, select Properties from the pop-up menu, mark the checkbox labeled Read-only and click OK. Keep in mind that this only stops careless programs; malware running with your privileges can clear the attribute as easily as you set it, so treat it as a speed bump, not a lock.
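To show the lookup order described above (HOSTS first, DNS second) and to turn the audit steps into something repeatable, here is an added example in Python; it is not code from the original post. It parses a HOSTS file the way the resolver does (comment lines and trailing # comments ignored, several names allowed per line), flags every listing other than localhost, singles out security-vendor names that have been redirected or pointed back at the local machine, comments the bad lines out, and demonstrates that a planted entry answers before DNS is ever asked. The HOSTS text, the bank name and every IP address in it are constructed for the example (the addresses come from documentation ranges and belong to no real site), and the vendor list is an assumption built from the two names the post mentions.

```python
"""Audit a Windows HOSTS file for pharming entries and show why they beat DNS.

Added example, not code from the original post. The HOSTS text, the bank
name and every IP address below are constructed for illustration (the IPs
are RFC 5737 documentation addresses and belong to no real site).
"""
import ipaddress
import sys
from typing import Dict, List, Tuple

# Constructed sample of a tampered HOSTS file. Lines starting with '#' are
# comments the resolver ignores, so the Microsoft header and its
# "For example" line map nothing.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
# --- entries below are constructed for this example ---
203.0.113.17    www.symantec.com liveupdate.symantec.com   # updates hijacked
127.0.0.1       update.mcafee.com                          # updates blackholed
198.51.100.9    www.mybank.example
"""

# Assumed vendor list: the post names McAfee and Symantec as the sites malware
# rewrites so security software cannot fetch updates. Extend for your own vendor.
SECURITY_VENDOR_DOMAINS = ("symantec.com", "mcafee.com")


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every active mapping in HOSTS text."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 2:
            continue                             # blank, comment, or no name
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                             # first field isn't an address
        for host in fields[1:]:                  # one address, many names
            entries.append((line_no, ip, host.lower()))
    return entries


def _is_vendor(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)


def audit_hosts(text: str) -> List[dict]:
    """Flag every mapping except the default '127.0.0.1 localhost' line.

    kind: 'vendor-redirected' (updates go to an attacker's server),
    'vendor-blackholed' (updates go to this machine, i.e. nowhere) or
    'unexpected' (verify it is yours; a bank name here is classic pharming).
    """
    findings = []
    for line_no, ip, host in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if host == "localhost" and addr.is_loopback:
            continue                             # the one legitimate default
        if _is_vendor(host):
            blackhole = addr.is_loopback or addr.is_unspecified
            kind = "vendor-blackholed" if blackhole else "vendor-redirected"
        else:
            kind = "unexpected"
        findings.append({"line": line_no, "ip": ip, "host": host, "kind": kind})
    return findings


def clean_hosts(text: str) -> str:
    """Comment out every flagged line (the post's 'delete suspicious listings'
    step), keeping the original text visible for review."""
    bad = {f["line"] for f in audit_hosts(text)}
    lines = ["# removed by audit: " + raw if n in bad else raw
             for n, raw in enumerate(text.splitlines(), 1)]
    return "\n".join(lines) + "\n"


def resolve(name: str, hosts_text: str, dns: Dict[str, str]) -> Tuple[str, str]:
    """Mimic the lookup order: HOSTS is consulted before DNS, so a planted
    entry wins even when the address was typed by hand. `dns` is a constructed
    stand-in for the answers a real DNS server would give."""
    name = name.lower()
    for _, ip, host in parse_hosts(hosts_text):
        if host == name:
            return ip, "hosts"
    if name in dns:
        return dns[name], "dns"
    raise LookupError(name)


if __name__ == "__main__":
    # Pass the path of a real HOSTS file (on Windows normally
    # %SystemRoot%\System32\drivers\etc\hosts); with no argument, audit the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}  [{f['kind']}]")
```

Run it with no argument to audit the constructed sample, or pass the path of a real HOSTS file; it only reads the file, so review the findings and make the edits in Notepad as described above. The point to take away is the lookup order: because resolve() returns the HOSTS answer before it ever consults DNS, a planted listing beats a correct DNS reply no matter how carefully the address was typed.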

I know all this is a lot of work. But think of all the work hackers are putting into pharming. You can get smart and stay on top of this.
