New crop of thieves: Pharmers hit Net banking
The Arizona Republic
Apr. 19, 2005 12:00 AM
It’s the next Internet scam, and it could be the most menacing.
The reason: Even experienced Internet users can become victims and not know it.
The ploy is called pharming – a play off “phishing,” the previous Internet fraud – and it involves highly skilled hackers who secretly redirect users’ computers from financial sites to the scammers’ fake ones, where they steal passwords and other personal information. Even the Web address looks the same.
Unlike phishing, where users click on links in e-mails and are taken to fake sites, pharming intercepts a user on his or her way to the bank or a credit-card firm. And it potentially can affect thousands of users at a time.
“With pharming, you don’t have to do anything stupid to get on the hook,” said Tom Leighton, chief scientist of Internet software firm Akamai Technologies Inc. in Cambridge, Mass. “You’re just swimming along, and you get caught in the net.”
Banks in Arizona are starting to see the problem, and large members are familiar with the scam, said Tanya Wheeless, president and chief executive of the Arizona Bankers Association. The Arizona Attorney General’s Office said it heard of a case last month in which a Phoenix man lost $5,000 from his bank account after answering an online pop-up survey that purported to be from his bank.
It is just a matter of time before the scam becomes widespread, experts fear.
“If it didn’t get worse, it would buck the trend of all known security problems,” said David Jevans, a Silicon Valley executive who is chairman of the fraud-fighting Anti-Phishing Working Group.
The scam is so new that Internet security gurus have just started warning about it.
Akamai’s Leighton told a technology conference in Phoenix in December that hackers are targeting small sections of the Internet and rerouting traffic to fake bank sites to capture users’ passwords. The legitimate sites don’t notice the drop in Web traffic because it is just a fraction of the total, he said.
An anti-phishing bill introduced in Congress last month would also apply to pharming. It calls for prison time and fines for those caught either phishing or pharming.
Security experts say pharmers have two main ways of operating: attacking either users’ computers or the large servers that find Web sites for users.
The first way is to send virus-laden e-mails that install small software programs on users’ computers. When a user tries to go to his bank’s Web site, the program redirects the browser to the pharmers’ fake site. It then asks a user to update information such as log-ins, PIN codes or driver’s license numbers, said Chris Faulkner, chief executive officer of CI Host Inc., a Web-hosting firm in Bedford, Texas. Scammers use the information to steal identities.
Other viruses, called keyloggers, track a user’s keystrokes on legitimate sites and can be used to steal passwords.
The pharmers’ second method takes advantage of the fact that Web sites have verbal names but reside at numeric addresses on the Internet. When users type a Web site’s name into their browsers, Domain Name System, or DNS, servers read the name, look up its numeric address and take users to the site.
Pharmers interfere with that process by changing the real site’s numeric address to the fake site’s numeric address.
The servers can belong to financial institutions, Web-hosting companies or Internet service providers. This tactic, called DNS poisoning, has been around for years, but it is only in the past six months that techies have seen it used for identity theft and dubbed it pharming.
“It’s like the name sounds,” said Rami Habal, senior product manager at Proofpoint Inc., a Cupertino, Calif.-based e-mail security software firm. “They’re planting the seeds of malicious code and harvesting the identity information later.”
What alarms the experts is that pharming can reroute thousands of Internet users at a time, making the impact potentially huge.
“With phishing, you’re scamming one person at a time with e-mail,” Faulkner said. “Pharming allows you to scam a large group at once. You’re definitely hurting the masses.”
Pharmers generally come from overseas, from places such as China, Russia and Eastern Europe, experts say. They fear many are tied to organized-crime rings that buy and sell identity information.
Pharmers tend to target online banking sites, experts say. Financial institutions in Australia and the United Kingdom, including the venerable Barclays bank and Lloyd’s of London, reportedly have been hit.
Attacks so far have been limited, though there is no real way to know, said Jevans, of the Anti-Phishing Working Group.
Pharming isn’t as big as phishing yet, in part because it takes more skill. Sending e-mails and copying a few Web pages are relatively easy, while pharmers must build viruses for each site they want to target or must hack into large servers that control the Internet.
“It has the potential to be more dangerous, but what it’s done so far hasn’t been much,” said Hunter Bennett, director of operations for Tempe-based Ensynch, a data center and technology services company.
Brad Keller, an Atlanta online consultant for BITS, a consortium of the 100 largest U.S. financial institutions, said he is optimistic because relatively few hackers have the skills needed to pharm. Industries that improve the security of their servers can protect thousands of computer users at once, he added.
But he and Jevans worry about pharming viruses.
“I’m far more concerned about activity that causes individual users’ machines to be altered,” Keller said. “There, we have no way of knowing their machines have been attacked.”
Web sites of large financial institutions have boosted protection of their servers against pharming, Keller and other experts say. But smaller banks and Internet service providers may not have done so yet, they warn.
Companies and big organizations can reduce the threat by keeping their software updated and patched. They also can install firewalls, filter for known scams, and watch for changes in IP addresses on their servers, the experts said.
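One way to watch for changed addresses, as an added example that is not part of the original article: compare the answers each DNS resolver returns for a watched site against the networks the site is known to use. The site names, resolver labels and addresses below are constructed (documentation ranges); in practice the observations would come from querying each resolver.

```python
import ipaddress

# Constructed baseline: networks each watched name is expected to resolve into.
BASELINE = {
    "bank.example": ["192.0.2.0/24"],
    "cards.example": ["198.51.100.16/28"],
}

# Constructed observations: (resolver label, name queried, addresses returned).
OBSERVATIONS = [
    ("isp-resolver-a", "bank.example", ["192.0.2.10"]),
    ("isp-resolver-b", "bank.example", ["203.0.113.66"]),
    ("isp-resolver-a", "cards.example", ["198.51.100.20", "198.51.100.21"]),
    ("isp-resolver-b", "cards.example", ["198.51.100.20", "198.51.100.40"]),
    ("isp-resolver-b", "bank.example", ["not-an-ip"]),
]

def check_answer(name, addresses, baseline):
    """Return the addresses for `name` that fall outside its expected networks."""
    name = name.rstrip(".").lower()  # DNS names are case-insensitive
    if name not in baseline:
        return []  # not a watched name
    nets = [ipaddress.ip_network(n) for n in baseline[name]]
    unexpected = []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            unexpected.append(addr)  # a malformed answer is also worth a look
            continue
        if not any(ip in net for net in nets):
            unexpected.append(addr)
    return unexpected

def find_drift(observations, baseline):
    """Return one alert per observation that contains an unexpected address."""
    alerts = []
    for resolver, name, addresses in observations:
        bad = check_answer(name, addresses, baseline)
        if bad:
            alerts.append({"resolver": resolver, "name": name, "unexpected": bad})
    return alerts

def suspect_resolvers(alerts):
    """Resolvers that returned at least one unexpected answer."""
    return {a["resolver"] for a in alerts}

if __name__ == "__main__":
    for alert in find_drift(OBSERVATIONS, BASELINE):
        print(alert)
```

Because poisoning may affect only some resolvers, keeping the resolver label on each alert shows which part of the lookup path is returning the wrong address.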
Anti-pharming software is in the works, including products that will display security information and show users where a Web site is being hosted.
Unfortunately, pharmers seem to be a step ahead of the security-software world.