Thursday, June 14, 2007

Phishing and Pharming

I work at a startup. It should come as no surprise that I think we do some very cool things. About a year ago, our Marketing VP realized that we had the ability to offer protection against a certain type of attack.

She created this product.

We’re still often asked, “What are Phishing and Pharming?” Here is my response:

Phishing and Pharming are common attack methodologies designed to harvest authentication credentials and personally identifying information (PII). Criminals use these attack methods to gain unauthorized access to financial, e-commerce, health care or other institutions. The attackers then sell, trade, or use these stolen identities to commit further compromises. Over 90% of these attacks target financial institutions.[1] Ultimately, these identity thefts result in billions in damages to these institutions.[2]

Phishing attacks begin with an email or instant message, the “lure”, which tricks the victim into giving up their identity. Common Phishing attacks succeed 3-5% of the time; more advanced techniques like Spear-Phishing achieve 15% success rates.[3] A study at Indiana University indicated that Phishing attacks that utilize social networks might achieve success rates as high as 70%.[4]

Pharming attacks do not require a lure or any voluntary action from a user. With Pharming, the attacker compromises the network infrastructure of the victim web site. Pharming attacks are typically not detectable by the victim and may go unnoticed for hours or even days. The bank customer almost never detects these attacks, and once they are detected, the victim financial institutions are notorious for not disclosing their costs. With clever construction a Pharming attack can achieve more than an 80% success rate.

Pharming is a collection of several old and new attack techniques, including DNS or domain hijack, DNS cache poisoning, Man-in-the-Middle (MITM), script injection, malware seeding and related site attacks involving cross-site scripting (XSS), frames, pop-ups and numerous other exploits of the user’s browser. In March of 2005, one Pharming attack diverted 1,304 domains and harvested over 7,000 victims in only a few hours.[5] More recently, a sophisticated Pharming attack targeted 50 financial institutions; this attack affected at least 1,000 systems per day.[6]

Protecting against these attacks[7]
Phishing is a form of social engineering; preventing these attacks requires a combination of user education and technologies that make it easier for potential victims to recognize fraudulent sites.

Pharming attacks start with an exploit against the network and application infrastructure of a web site. Financial institutions should perform the following actions to protect against Pharming:
  • Protect your entire site with SSL; educate users to look for the padlock
  • Monitor your domain and DNS infrastructure for cache poisoning, hijack and spoofing
  • Monitor your web servers and DMZ systems for vulnerabilities; implement a continuous security process for vulnerability and patch management of these critical systems
  • Monitor web content for script injection and unauthorized modifications; extend this monitoring to partner sites which include content via frames or cross-site scripting
  • Implement a secure web “watermark” that validates the security of your web site; educate your users to look for and verify the watermark is correct
  • Develop a security response plan with your service providers to react quickly and cooperate to take down a malicious site targeting your institution
For both Phishing and Pharming, provide simple mechanisms for your customers to report abuse or suspect web sites. The prevalence of these attacks will continue to rise with the swell of e-commerce. Responsible institutions must increase the difficulty (and the resulting cost) of making a copycat web site, and they must implement continuous monitoring and response processes to respond in the event of an attack.
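As an added illustration of two of the monitoring recommendations above (the DNS checks and the web-content checks), here is a small Python script written for this post; it is not part of the original post or of any product it describes. It compares the A records reported by several resolvers against the record set the institution expects, flagging any resolver that hands back an unexpected address (the footprint of cache poisoning or a hijack), and it diffs a fetched login page against its approved baseline to surface injected scripts and frames. The domain, addresses, resolver names and HTML are constructed sample data; in practice the observed answers would come from querying independent resolvers and the page from a scheduled fetch.

```python
"""Hypothetical monitoring checks for DNS answer consistency and
web-content integrity. All sample data below is constructed."""
import hashlib
from html.parser import HTMLParser

# --- DNS monitoring -------------------------------------------------------
# Expected A records for the site (constructed, documentation-range addresses).
EXPECTED_A = {"www.example-bank.test": {"203.0.113.10", "203.0.113.11"}}

# Answers observed from several independent resolvers (constructed).
# A poisoned or hijacked resolver returns an address outside the expected set.
OBSERVED = {
    "resolver-a": {"www.example-bank.test": {"203.0.113.10"}},
    "resolver-b": {"www.example-bank.test": {"203.0.113.11", "203.0.113.10"}},
    "resolver-c": {"www.example-bank.test": {"198.51.100.77"}},  # anomalous
}

def check_dns_answers(expected, observed):
    """Return (resolver, name, unexpected_addresses) for every resolver whose
    answer contains an address that is not in the expected record set."""
    findings = []
    for resolver, answers in sorted(observed.items()):
        for name, addrs in answers.items():
            unexpected = addrs - expected.get(name, set())
            if unexpected:
                findings.append((resolver, name, sorted(unexpected)))
    return findings

# --- Web content monitoring -----------------------------------------------
class ScriptCollector(HTMLParser):
    """Collect external script and iframe sources referenced by a page."""
    def __init__(self):
        super().__init__()
        self.script_srcs = set()
        self.iframe_srcs = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.script_srcs.add(a["src"])
        elif tag == "iframe" and a.get("src"):
            self.iframe_srcs.add(a["src"])

def page_fingerprint(html):
    """SHA-256 of the page, stored as the baseline for change detection."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()

def detect_content_changes(baseline_html, current_html):
    """Compare a fetched page with its approved baseline. Returns whether the
    fingerprint changed plus any script/iframe sources that were added."""
    base, cur = ScriptCollector(), ScriptCollector()
    base.feed(baseline_html)
    cur.feed(current_html)
    return {
        "hash_changed": page_fingerprint(baseline_html) != page_fingerprint(current_html),
        "new_script_srcs": sorted(cur.script_srcs - base.script_srcs),
        "new_iframe_srcs": sorted(cur.iframe_srcs - base.iframe_srcs),
    }

# Constructed sample pages: the approved login page, and a copy of it that
# carries an injected script tag and a hidden frame pointing off-site.
BASELINE_HTML = """<html><head><title>Login</title>
<script src="/static/app.js"></script></head>
<body><form action="/login" method="post">
<input name="user"><input name="pass" type="password"></form>
</body></html>"""

CURRENT_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script src="http://203.0.113.99/k.js"></script>'
    '<iframe src="http://203.0.113.99/f" style="display:none"></iframe></body>',
)

if __name__ == "__main__":
    for resolver, name, addrs in check_dns_answers(EXPECTED_A, OBSERVED):
        print(f"DNS anomaly: {resolver} answered {addrs} for {name}")
    print(detect_content_changes(BASELINE_HTML, CURRENT_HTML))
```

A fingerprint mismatch alone is noisy on pages with dynamic content, so the script also reports the specific new script and frame sources, which is what an analyst needs to decide whether a change was an authorized deployment or an injection.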

Citations
  1. APWG Activity Report. (2007 April). Published by the Anti-Phishing Working Group. Retrieved June 14, 2007 from http://www.antiphishing.org/reports/apwg_report_april_2007.pdf
  2. Phishing and Pharming (2006 January). Published by McAfee. Retrieved June 14, 2007 from http://www.mcafee.com/us/local_content/white_papers/wp_phishing_pharming.pdf
  3. 'Spear Phishing' Tests Educate People About Online Scams. (2006 August). Written by David Bank of the Wall Street Journal. Retrieved June 14, 2007 from http://online.wsj.com/public/article/SB112424042313615131-z_8jLB2WkfcVtgdAWf6LRh733sg_20060817.html?mod=blogs
  4. Social Phishing. (2005, December 12). Written by Tom Jagatic, Nathaniel Johnson, Markus Jakobsson, and Filippo Menczer School of Informatics Indiana University, Bloomington. Retrieved June 14, 2007 from http://www.indiana.edu/~phishing/social-network-experiment/phishing-preprint.pdf
  5. SANS ISC Diary. (2005 March). From Sans Internet Storm Center. Retrieved June 14, 2007 from http://isc.sans.org/diary.html?date=2005-03-31
  6. Elaborate ‘pharming’ attack targeted 50 banks. (2007, February 22). Written by Jeremy Kirk of the IDG News Service. Retrieved June 14, 2007 from http://www.infoworld.com/article/07/02/22/HNpharmingattackonbanks_1.html
  7. Protection recommendations from numerous sources including: Microsoft, Symantec, SANS, RSA, CSO Online, Network World and others:
  • http://www.consumerfraudreporting.org/pharming.php
  • http://www.csoonline.com/fundamentals/quicklists_pharming.html
  • http://www.networkworld.com/research/2005/071805-pharming.html?
  • http://www.verisign.com/static/030910.pdf
  • http://www.microsoft.com/athome/security/privacy/pharming.mspx
  • http://www.apani.com/net-news/0606/82
  • http://www.wired.com/news/infostructure/0,1377,66853,00.html
  • http://www.cs.indiana.edu/pub/techreports/TR641.pdf
  • http://www.infoworld.com/article/07/02/23/HNsecondgoogledesktopattack_1.html
  • http://reviews.cnet.com/4520-3513_7-5670780-1.html
  • http://www.securityfocus.com/columnists/429
