Pharming as well as Phishing

In presenting the Sixth Law I talked about new emerging identity attacks that are like phishing but don't require the user to respond to an email. Now eWeek tells us that Scott Chasin, CTO at MX Logic, has started calling these attacks “pharming.” Great word.

Chasin expects this first-generation phishing to move toward pharming, which involves Trojans, worms, or other technology that attack the browser address bar. Thus, when users type in a “valid” URL they are redirected to the criminals’ Web sites.

Another way to accomplish the same thing is to attack the DNS system rather than individual machines. Do this and conceivably everyone who enters what seems like a valid URL—the one that worked properly moments before—will instead be taken to the scammer's site.

Scott sent writer David Coursey a list of pharming-like attacks that have already taken place.

These include an incident last November, when Google and Amazon users were sent to “Med Network,” an online pharmacy. The Troj Banker A/j worm, seen last November and December, watched for users to visit specific banking sites and then grabbed the personal information entered there for use by the criminal pharmers.

Depending on how you look at it, a less-criminal incident involved the March 2003 hijacking of the Al-Jazeera site by the “Freedom Cyber Force Militia” using DNS poisoning. The message viewers received: “God bless our troops.”

In talking about the inevitability of this type of attack, I have said:

Of course our usual immediate reaction to this type of problem is to find the most expedient single thing we can do to fix it. In the example just given, the response might be to write a new “safe address bar”. And who am I to criticise this, except that in the end, the proliferation of address bars makes things worse. By inventing one, we have unintentionally made possible the new exploit of getting people to install an address bar with evil intent built right into it. Further, who now can tell which address bar is evil and which one is not?

So we shouldn't be surprised that David's article concludes:

There are remedies for the pharming problem. A simple solution that works in some cases is a browser plug-in from Netcraft that displays information about the site being visited, such as its geographic location. If you notice that your mortgage company's site is being served from somewhere in the former Soviet Union, you can safely assume the worst.

But for those following the conversation here, who are attempting to understand how identity can work predictably across the entire internet, it is clear that threats like pharming and phishing must fundamentally shape the contours of the system, as expressed in the sixth and seventh laws of identity.

Published by

Kim Cameron

Work on identity.
