A few weeks ago, we took our first look into Pharming. We saw some basics about how it can be accomplished and detected. Let’s now take a bit of a deeper dive into the technical aspects that drive it and start talking in more detail about how we can detect and mitigate these types of attacks.
But before we discuss the details of how these attacks work, it is important to understand how a computer obtains an IP address (which is used to actually initiate a connection to a website) from the domain within a URL (such as https://login.mybank.com/online/login.html). When a Web user attempts to navigate to a site, their computer can determine an IP address by either consulting a local file of defined mappings, called a hosts file, or by consulting a DNS server on the internet.
Image source: http://www.technicalinfo.net/papers/Pharming2.html
Under normal use, a user navigates to a URL. The user's computers sends the requested domain (1) to the DNS server and receives back a corresponding IP address (2). Then the user's computer initiates a connnection to the company or bank's web server at that IP address (3).
One way to pharm users involves modification of the hosts file on a user’s computer, which is what we’ll focus on for today. A hosts file is a local file on most computers that can be used to tell a computer how to resolve specific hosts to IP addresses without consulting outside DNS servers. These files live in various locations depending on your operating system and are usually (nearly) blank on ordinary users’ computers, so almost all requests for a typical user are sent to external DNS servers.
Attackers can place malicious entries in users’ hosts files either manually (which requires some sort of access to the machine) or by infecting them with malware capable of modifying the file. This is a bit of a double-edged sword for a malicious actor: on the one hand, it requires individual users to be infected rather than sweeping up hundreds or thousands of users at once with a poisoned DNS server (more on that in my next post); on the other hand, compromised PC hosts files could remain compromised indefinitely and provide greater long term returns.
What can organizations do to reduce risks posed by hosts file pharming attacks? Well, the hosts files being targeted are on end user PCs -- outside the typical organization's sphere of control. That makes the attacks difficult to see, much less mitigate. Here are some recommendations for institutions concerned about hosts file pharming attacks targeting their customers:
- Make sure your customers are using anti-malware software and periodically remind them to keep it up-to-date. Hosts file pharming most frequently relies on malware to enable the attack.
- Educate your customers on safe browsing behavior and the basics of phishing, malware infection, and account security. Most online threats facing everyday internet users can be avoided by simply not clicking on a link or opening an attachment.
- Evaluate your visibility into online threats outside your network and make sure you’re aware of what banking Trojans may be targeting your customers. These malware threats may have the capability to carry out hosts file phishing.
- Develop an action plan for responding to a malware-initiated pharming threat. Think about how you might become aware of the threat, what demographic of customers might be hardest hit, how your call center might be impacted, how security and customer service should react, and what measures could secure compromised accounts and stop the threat. You don't want to be figuring these things out "on the fly."
- Have a layered anti-fraud strategy that spans detection and mitigation of external threats (such as pharming) as well as fraudulent activity monitoring across systems within your environment.
For individuals, here are some basic recommendations that will help protect against hosts file pharming attacks (as well as many other online threats):
- Never ignore an update. Turn on automatic updates for your browsers, operating system, Flash, Java, everything you can. Secunia makes a great tool that runs in the background, checks all of your software for updates, and provides easy one-click update capabilities. Applying software updates means patching security holes, and hopefully preventing pharming malware from taking hold in the first place.
- Install, update, and routinely use an antivirus engine on every system you use, no exceptions. Do not assume that your computer is safe because of your choice of operating system, browser, browsing habits, etc. Most of the free ones are just as good as the paid ones for average users. Just make sure you’re installing a reputable one and not one of the scareware versions.
- Never ignore a warning from your browser. If your browser is telling you there’s something wrong with a page or a security certificate, make sure you understand what’s happening before entering sensitive information.
- Check your hosts file occasionally to look for any entries that look off. If you are unsure, do a little Googling – you don’t need to be a genius to decode what’s in a typical file.
- If you really want to feel safe, you can actually use your hosts file to force resolution of your bank’s domain to a particular, known-good IP address. This is overboard for most people (and can lead to problems, for instance if you make a mistake in your hosts file or if the bank changes its server address) and if you feel like this is necessary, you’ve probably already done it. But if you feel comfortable adding hosts file entries, this is an extra layer of security that can be employed.
In the next post, I’ll take a look at pharming that’s accomplished by DNS poisoning, and explore how you can better protect your customers.