Wednesday, April 3, 2019

Phishing and Pharming Attacks

This report provides an overview of phishing and pharming: what phishing is, what pharming is, what impacts they cause, and what solutions can be applied to remediate or minimize the chance of being attacked by phishing and pharming.

Phishing attacks are internet frauds or identity thefts that aim to acquire or steal targeted victims' sensitive information, such as personal identity data or financial account credentials. Phishing can be carried out by attackers using social engineering such as sending e-mail, through instant messaging (IM), peer-to-peer (P2P) networks, search engines and other techniques that redirect users to a fraudulent website.

Pharming is the new twist on internet fraud or identity theft. It is an evolution of phishing that is used to achieve the same goal, but pharming is more sophisticated. Pharming can be carried out by using technical subterfuge such as DNS cache poisoning, domain hijacking and other techniques to redirect users to a fraudulent website or proxy server in order to solicit users' sensitive personal information.

Phishing and pharming attacks have a financial impact on the targeted victims and hit small organizations hard. They also undermine consumers' confidence in using the internet for secure transactions or communication. Besides this, phishing and pharming make law enforcement investigation harder.

INTRODUCTION

Phishing and pharming are two of the most organized crimes of the 21st century, requiring very little skill on the part of the fraudster. They result in identity theft and financial fraud when the fraudster tricks online users into giving up confidential information such as passwords, Social Security numbers, credit card numbers, CVV numbers, and personal information such as birth dates and mothers' maiden names. This information is then either used by fraudsters for their own needs, such as impersonating the victim to transfer funds from the victim's account or to purchase merchandise, or is sold in a variety of online brokering forums and chat channels for a profit.

The Anti-Phishing Working Group (APWG) indicates that 26,877 phishing attacks were reported in October 2006, a 21 percent increase over September's 22,136 attacks and an increase of 70% as compared to October 2005. Through these attacks the fraudsters hijacked 176 brands, resulting in huge financial losses and loss of reputation to enterprises.
The Gartner study reported that more than 2 million Americans had their checking accounts raided by criminals in 2004, the average loss per incident being $1,200 [2]. With phishers developing ever more sophisticated attacks, these numbers are bound to increase in the near future. Hence, battling these attacks has become a high priority for governments and industry groups.

METHOD OF PHISHING ATTACK

Link Manipulation

Most methods of phishing use some form of technical deception designed to make a link in an e-mail (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers, such as this example URL, http://www.yourbank.example.com/. Another common trick is to make the anchor text for a link appear to be valid when the link actually goes to the phishers' site, such as http://en.wikipedia.org/wiki/Genuine.

An old method of spoofing used links containing the '@' symbol, originally intended as a way to include a username and password (contrary to the standard). For example, the link http://www.google.com@members.tripod.com/ might deceive a casual observer into believing that it will open a page on www.google.com, whereas it actually directs the browser to a page on members.tripod.com, using a username of www.google.com: the page opens normally, regardless of the username supplied. Such URLs were disabled in Internet Explorer, while Mozilla and Opera present a warning message and give the option of continuing to the site or cancelling.

A further problem with URLs has been found in the handling of Internationalized Domain Names (IDN) in web browsers, which might allow visually identical web addresses to lead to different, possibly malicious, websites.
Despite the publicity surrounding the flaw, known as IDN spoofing or a homograph attack, no known phishing attacks have yet taken advantage of it. Phishers have taken advantage of a similar risk, using open URL redirectors on the websites of trusted organizations to disguise malicious URLs with a trusted domain.

Filter Evasion

Phishers have used images instead of text to make it harder for anti-phishing filters to detect text commonly used in phishing e-mails.

2.3 Website Forgery

Once the victim visits the website, the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original address bar and opening a new one with the legitimate URL.

An attacker can even use flaws in a trusted website's own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank's or service's own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, although it is very difficult to spot without specialist knowledge. Just such a flaw was used in 2006 against PayPal.

A Universal Man-in-the-middle Phishing Kit, discovered by RSA Security, provides a simple-to-use interface that allows a phisher to convincingly reproduce websites and capture log-in details entered at the fake site.

To avoid anti-phishing techniques that scan websites for phishing-related text, phishers have begun to use Flash-based websites. These look much like the real website, but hide the text in a multimedia object.

2.4 Phone Phishing

Not all phishing attacks require a fake website. Messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts.
Once the phone number (owned by the phisher, and provided by a Voice over IP service) was dialed, prompts told users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.

EXAMPLE OF PHISHING

As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows. They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites. The following is an example of what a phishing scam e-mail message might look like.

Figure 1: Example of a phishing e-mail message, which includes a deceptive URL address that links to a scam Web site.

To make these phishing e-mail messages look even more legitimate, the scam artists may place a link in them that appears to go to the legitimate Web site, but actually takes you to a phony scam site or possibly a pop-up window that looks exactly like the official site. These copycat sites are also called spoofed Web sites. Once you're at one of these spoofed sites, you might unknowingly send personal information to the con artists.

PHISHING REPORT

Figure 2: The number of websites hosting key logging crimeware systems rose by over 1,100, reaching 3,362, the second highest number recorded in the previous 12 months. Websense Security Labs believes much of this increase is due to attackers' increasing ability to co-opt sites to spread crimeware using automated tools.

Figure 3: The number of unique keylogger crimeware variants detected in January reached a new high of 364, an increase of 1.4% from the previous high in October, 2007.

Figure 4: Anti-Phishing Working Group, Phishing Activity Trends Report, June 2005

Phishing undermines consumer confidence.
Corporate websites of valid, well-respected companies are being cloned to sell nonexistent products, or to get consumers to participate in money-laundering activities while believing that they are dealing with a legitimate organization. The public relations consequences for the company that has had its website cloned can be as severe as the financial losses.

3.0 METHOD OF PHARMING ATTACK

You must be well aware of phishing and its potential to cause damage. Phishers bait bank customers with genuine-looking e-mails and manage to take money or personal information from unsuspecting customers with reasonable success. You are also aware that responding to mails sent by your bank may not be a good idea, because banks never need to send e-mails to get your credentials. They have more secure channels to get that information.

However, pharming attacks do not require an attacker to send mails. By carrying out pharming attacks, a criminal can get access to a wider target than with phishing e-mails, and as quickly as possible. Hence the "ph" effect on the word farming. They are not fishing, they are farming for gullible people. By the way, pharming is a real dictionary word.

HOW PHARMING WORKS

Pharming attacks do not take advantage of any new technique. They use the well-known DNS cache poisoning, domain spoofing and domain hijacking techniques that have been around for quite a long time. However, the motives for carrying out these attacks have changed.

Earlier, attackers were interested in just disrupting services and causing a nuisance. But now the game has become a matter of money rather than chest thumping. These techniques continue to exist because administrators and website owners don't care to secure and monitor their DNS servers, while they have invested millions of dollars in application firewalls.

How a typical pharming attack is carried out

Figure 5

1. The attacker targets the DNS service used by the customer.
This server can be a DNS server on the LAN or the DNS server hosted by an ISP for all users. The attacker, using various techniques, manages to change the IP address of www.nicebank.com to the IP address of a web server which contains a fake replica of nicebank.com.
2. The user wants to go to the website www.nicebank.com and types the address in the web browser.
3. The user's computer queries the DNS server for the IP address of www.nicebank.com.
4. Since the DNS server has already been poisoned by the attacker, it returns the IP address of the fake website to the user's computer.

The user's computer is tricked into thinking that the poisoned reply is the correct IP address of the website. The user has now been fooled into visiting a fake website controlled by the attacker rather than the original www.nicebank.com website.

Once the attacker has managed to get the user to visit the fake website, there are many ways in which the user can be tricked into revealing his or her credentials or giving out personal information. The beauty, or let's say the notoriety, of pharming over phishing is evident from the fact that one successful attempt at poisoning the DNS server can potentially be used to trick all the users of that DNS service. Much less effort and wider impact than phishing.

DNS cache poisoning

DNS servers cache the answers to the queries that users have made for a certain period of time. This is done to speed up the responses to users for frequently used domains. The cache maintained by the DNS server can be poisoned by using malicious responses or by taking advantage of vulnerabilities in the DNS software itself.

Domain Hijacking

This is an actual incident that took place a year ago. Panix, an ISP based in New York, was the target of a domain hijack attack. All domains are typically registered with registrars, which store information about the owner of a domain and the location of the domain's DNS servers.
If any of this information needs to be changed, the approval of the domain owner is required. A domain owner can even switch registrars depending on costs and convenience. However, confirmation of the switch is required from all three parties: the domain owner, the old registrar and the new registrar.

In the case of Panix, a change was initiated by an unknown person in Australia. The person managed to skip confirmation from the old registrar and the domain owner. This was because the new registrar was not following the domain transfer process strictly. As a result, the unknown person managed to gain complete control over the panix.com domain. The person managed to divert all the web traffic of panix.com and customer e-mails to another server located in Canada.

Domain hijacking has the widest impact because the attacker targets the domain registration information itself.

Registration of similar sounding domains

Similar sounding or similar looking domains are another source of security issues for internet users. An attacker can register a domain such as www.n1cebank.com and carry out pharming and phishing attacks on unsuspecting customers who don't notice that the letter i has been replaced by a 1.

Domain names created by typos of the original words (e.g. www.nicebqnk.com) also manage to attract a lot of traffic. One such study on a popular domain, cartoonnetwork.com, shows that one in four people visiting the website incorrectly type a simple name like cartoonnetwork.com. So what about typo domains? One quick search in Google reveals that it is quite a big concern. An attacker can easily buy typo domains and set up his fake website on these domains to fool unsuspecting visitors.

IMPACT CAUSED BY PHISHING AND PHARMING

The rise of phishing and pharming has several impacts. One of them is financial loss for both organizations and consumers.
According to InternetNews.com, banks and credit card issuers lost about $1.2 billion in 2003, while in 2004 a loss of about 12 million was reported by the Association of Payment Clearing Services in the United Kingdom.

Due to credit card association policies, online merchants that accepted and approved transactions made with credit card numbers solicited through internet fraud may be liable for the full amount of those transactions. This can hit small organizations hard.

Another impact of phishing and pharming is the undermining of consumers' trust in secured internet transactions or communication. This occurs because internet fraud like phishing and pharming makes consumers feel uncertain about the integrity of financial and commercial websites even though the web address displayed in the address bar is correct.

Phishing and pharming also have an impact on law enforcement investigation. They make investigation harder because the techniques used by attackers to perform phishing and pharming are more sophisticated. Nowadays, attackers can perform phishing and pharming attacks from any location that has an internet connection. With an internet connection available, they can use it to perform attacking activities. Those activities include controlling a computer located in one place to perform phishing and pharming attacks from a computer located in another place. Investigation also becomes harder because the attacking tasks are divided among several people located in different locations.

PREVENTION OF PHISHING AND PHARMING

Pharming attacks tend to be harder to defend against than traditional phishing attacks due to the distributed nature of the attack focus and the use of resources not under the control of the victim organisation.
In addition, the manipulation of the DNS resolution process occurs at such a fundamental level that there are very few methods available to reliably detect any malicious changes.

5.1 PREVENTION: WHAT TO DO?

- Use anti-virus software, spyware filters, e-mail filters and firewall programs, and make sure that they are constantly updated to protect your computer.
- Ensure that your Internet browser is up to date and security patches are applied.
- Be suspicious of any e-mail with urgent requests for personal financial information or threats of termination of an online account.
- Don't rely on links contained in e-mails, even if the web address appears to be correct, and use only channels that you know from independent sources are reliable (e.g., information on your bank card, hard copy correspondence, or monthly account statement) when contacting your financial institution.
- When submitting credit card or other sensitive information via your Web browser, always ensure that you're using a secure website.
- Regularly log into your accounts.
- Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate.

PREVENTION: WHAT NOT TO DO?

- Don't assume that you can correctly identify a website as legitimate just by looking at its general appearance.
- Don't use the link in an e-mail to get to any web page if you suspect the message might not be authentic.
- Avoid filling out forms in e-mail messages or pop-up windows that ask for personal financial information.

CLASSIC PHISHING DEFENCES

Many of the defences used to thwart phishing attacks can be used to help prevent or limit the scope of future pharming attacks.
While readers are referred to the detailed coverage of these defence tactics explained in The Phishing Guide, a brief summary of these key defences is as follows.

Client-Side

- Desktop protection technologies
- Use of appropriate, less sophisticated, communication settings
- User application-level monitoring solutions
- Locking-down browser capabilities
- Digital signing and validation of email
- General security awareness

5.3.2 Server-Side

- Improving customer awareness
- Providing validation information for official communications
- Ensuring that the Internet web application is securely developed and doesn't include easily exploitable attack vectors
- Using strong token-based authentication systems
- Keeping naming systems simple and understandable

5.3.3 Enterprise

- Automatic validation of sending email server addresses
- Digital signing of email services
- Monitoring of corporate domains and notification of similar registrations
- Perimeter or gateway protection agents
- Third-party managed services

ADDITIONAL PHARMING-SPECIFIC DEFENCES

While phishing attacks typically use email as the attack delivery platform, pharming attacks do not require any email obfuscation attacks to succeed; therefore phishing defences that rely upon email security play a lesser role. The defences that will be most successful in preventing pharming attacks focus upon the following areas:

- Change management, monitoring and alerting
- Third-party host resolution verification
- DNS server patching, updating and configuration
- Search engine control

5.4.1 Change Management, Monitoring, and Alerting

The potential for an administrator or other authoritative employee to maliciously modify DNS resolution information without detection is great.
As financial incentives increase, organisations and ISPs will need to ensure that adequate change control, monitoring and alerting mechanisms are in place and enforced.

It is recommended that:

- Wherever editing is possible, access to DNS configuration files and caching data is restricted to approved employees only.
- A change management process is used to log and monitor all changes to DNS configuration information.
- Auditing of DNS record changes is instigated by a team external to any DNS administrative personnel, with automatic alerting of changes conducted in real time.
- Regular audits and comparative analysis of secondary DNS and caching servers should be conducted.

Third-party Host Resolution Verification Services

Toolbars

Many third-party developed plug-in toolbars originally designed to detect phishing attacks are deceived by pharming attacks. Typically, these phishing toolbars show the IP address and reverse lookup information for the server that the browser has connected to, so that the customer can clearly see if he has reached a fake site. Some managed toolbars (normally available through a subscription service) also compare the host name or URL of the current site to an updatable list (or real-time querying) of known phishing sites.

Some toolbars now offer limited anti-pharming protection by maintaining a stored list of previously validated good IP addresses associated with a particular web address or host name. Should the customer connect to an IP address not previously associated with the host name, a warning is raised. However, problems can occur with organisations that change the IP addresses of their online services, or have large numbers of IP addresses associated with a particular host name.

In addition, some toolbars provide IP address allocation information, such as clearly stating the geographic region associated with a particular netblock.
This is useful for identifying possible fake pharming sites that have been set up in Poland pretending to be for an Australian bank, for instance.

Server Certificates

To help prevent pharming attacks, an additional layer can be added to the authentication process, such as getting the server to prove it is what it says it is. This can be achieved through the use of server certificates.

Most web browsers have the ability to read and validate server identification certificates. The process would require the server host (or organisation) to obtain a certificate from a trusted certificate authority, such as Verisign, and pass it to the customer's browser upon connection for validation.

5.4.3 DNS Server Patching, Updating and Configuration

As with any Internet-based host, it is vital that all accessible services be configured in a secure manner and that all current security updates or patches be applied. Failure to do so is likely to result in an exploitation of any security weaknesses, resulting in a loss of data integrity.

Given the number of possible attacks that can be achieved by an attacker who manages to compromise an organisation's DNS servers, these hosts are frequently targeted by attackers. Therefore it is vital that security patches and updates be applied as quickly as possible; typically organisations should aim to apply fixes within hours of release.

Similarly, it is important that organisations use up-to-date versions of the service wherever possible. As we have already discussed in section 3.6, each new version of the DNS software usually contains substantial changes to protect against the latest attack vectors (e.g. randomising DNS IDs, randomising port numbers, etc.).

5.4.4 Search Engine Control

Internet search engines are undergoing constant development.
Many of the methods used by attackers to increase their page ranking statistics are known to the search engine developers, and a constant cycle of detection and refinement can be observed by both parties. For instance, Google modified its search algorithm to reset the page rank statistics of web sites that had recently changed ownership; this was to reduce the impact of instant backlinks and the weighting they attach to a ranking.

Traditionally the emphasis on increasing a page's ranking has been for revenue or lead generation, most closely associated with advertising. However, the increasing pace at which customers are relying upon search engines to access key services (such as online banking) means that a pharmer who can get his fake site ranked at the top is likely to acquire a high number of victims.

Organisations should ensure that they regularly review keyword associations with their online services. Ideally, automated processes should be developed to constantly monitor all the popular search engines for key search words or phrases customers are likely to use to locate their key services. It is also important that region-specific search engines be monitored.

CONCLUSION

The term phishing refers to the use of social engineering, imitating brands online to send spoofed e-mail containing a hyperlink to a fraudulent website in order to solicit users' sensitive personal information such as credit card number, PIN, mother's maiden name and so on. Phishing can also be done by installing a keylogger on the user's computer.

Pharming uses technical subterfuge such as DNS cache poisoning, domain hijacking, and router settings or firmware misconfiguration to redirect users to a fraudulent website. Pharming may also be performed by sending the targeted victims an e-mail containing a virus or Trojan horse that installs a small application which redirects the user to a fraudulent website.

Both phishing and pharming have impacts.
Those impacts include financial loss, the undermining of user confidence in secured online transactions or communication, a hard hit to small organizations, and harder law enforcement investigation.

For web developers, an SSL certificate, switching off recursion queries, or DNS security extension should be applied because it can protect the DNS or website from phishing and pharming attacks. Visual clues can also be used so that users can easily differentiate between an authentic website and a fraudulent website. Token-based authentication is also one of the techniques that can be applied to protect the website or DNS server from phishing and pharming attacks.

Users are also responsible for protecting themselves from phishing and pharming attacks by not opening e-mail or downloading attachments from unknown senders, or e-mail that requires the user to respond by clicking on the hyperlink contained in the e-mail. Users should also double-check the URL in the address bar when a warning message appears, such as one saying that the SSL certificate does not match the site. Users can also install a security suite or firewall on the computer to protect themselves from phishing and pharming. Users can also look for the lock or key icon at the bottom of the browser that marks the site where they want to enter their sensitive personal information as secured.

As users, we can also report phishing and pharming attacks to the related agencies or company through the internet or by telephone to assist the work of minimizing the attacks. In addition, laws are also being introduced against phishers and pharmers.

RECOMMENDATION

To prevent users from becoming victims of phishing and pharming, I suggest that users must install a security suite or firewall on their computer, and that the detection signatures of the security suite should be up to date.
Aside from this, I also suggest that users should be careful when opening any e-mail or attachment that they receive, in order to prevent themselves from becoming victims of phishing and pharming. I also suggest to web developers that they should use an SSL certificate, switch off recursion queries, install DNS security extension in protect
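
The link tricks described under Link Manipulation (a brand name placed in a subdomain, anchor text that names a different site, the '@' userinfo form, IDN look-alikes and open redirectors) can be checked mechanically when mail is received. The Python code below is an added example, not part of the original report; the BRANDS table, the finding names and the sample e-mail body are constructed for illustration, and the phish.invalid host is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Assumption: brand keyword -> the registered domain that brand really uses.
BRANDS = {"yourbank": "yourbank.example", "google": "google.com"}

# Constructed sample e-mail body using the URL forms discussed in the text.
SAMPLE_EMAIL = """
<a href="http://www.google.com@members.tripod.com/">www.google.com</a>
<a href="http://www.yourbank.example.com/">Your bank</a>
<a href="http://phish.invalid/login">https://www.yourbank.example/login</a>
<a href="https://www.yourbank.example/help">Help centre</a>
"""


def registered_domain(host):
    # Simplification: last two labels. Production code should consult the
    # Public Suffix List so that suffixes such as co.uk are handled.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_url(url):
    """Return the list of findings for one URL (empty means nothing flagged)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.username is not None:
        # Everything before '@' is userinfo, not the site being visited.
        findings.append("userinfo")
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        findings.append("idn-host")
    if any(b in host and registered_domain(host) != legit
           for b, legit in BRANDS.items()):
        findings.append("brand-in-foreign-domain")
    for _, value in parse_qsl(parts.query):
        target = urlsplit(value)
        if (target.scheme in ("http", "https") and target.hostname and
                registered_domain(target.hostname) != registered_domain(host)):
            # A parameter carrying another domain's URL: open-redirector shape.
            findings.append("redirect-parameter")
            break
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> elements of a body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_email_html(html):
    """Map each href to its findings, adding anchor-text/host mismatches."""
    collector = LinkCollector()
    collector.feed(html)
    report = {}
    for href, text in collector.links:
        findings = check_url(href)
        # Only compare when the visible text itself looks like a host or URL.
        if "." in text and not any(c.isspace() for c in text):
            shown = urlsplit(text if "://" in text else "//" + text).hostname
            actual = urlsplit(href).hostname
            if shown and actual and \
                    registered_domain(shown) != registered_domain(actual):
                findings.append("anchor-text-mismatch")
        report[href] = findings
    return report


if __name__ == "__main__":
    print(check_email_html(SAMPLE_EMAIL))
```
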
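
The pharming-specific monitoring described above (a stored list of validated addresses per host name, comparative analysis of secondary and caching DNS servers, and notification of similar registrations such as www.n1cebank.com or www.nicebqnk.com) can be combined into one audit routine. The Python code below is an added example, not part of the original report; the pin list, resolver names, answers and function names are constructed, and the addresses come from documentation-only ranges.

```python
import ipaddress

# Constructed pin list: networks previously validated for each host name.
# Pinning networks instead of single addresses tolerates the legitimate
# address changes and multi-address hosts that the text warns about.
PINNED = {"www.nicebank.com": ["192.0.2.0/28", "2001:db8:10::/48"]}

# Constructed answers, as if collected from three resolvers for one name.
SAMPLE_ANSWERS = {
    "authoritative": ["192.0.2.5", "2001:db8:10::5"],
    "isp-cache": ["192.0.2.5"],
    "lan-cache": ["203.0.113.77"],
}

# Characters that read alike at a glance (assumed, far from exhaustive).
LOOKALIKE = str.maketrans("1l0", "iio")


def audit_resolvers(host, answers_by_resolver, pinned=PINNED):
    """Return {resolver: addresses outside the networks pinned for host}.

    An empty list means that resolver returned only validated addresses;
    a resolver with no answers at all is reported as ["<no answer>"].
    """
    networks = [ipaddress.ip_network(n) for n in pinned.get(host, [])]
    if not networks:
        raise KeyError(f"no pinned networks for {host}")
    report = {}
    for resolver, answers in answers_by_resolver.items():
        outside = [a for a in answers
                   if not any(ipaddress.ip_address(a) in net for net in networks)]
        report[resolver] = sorted(outside) if answers else ["<no answer>"]
    return report


def suspect_resolvers(host, answers_by_resolver, pinned=PINNED):
    """Names of resolvers whose answers need investigation, sorted."""
    report = audit_resolvers(host, answers_by_resolver, pinned)
    return sorted(name for name, bad in report.items() if bad)


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_registration(candidate, protected="nicebank.com"):
    """Classify a newly seen domain against the protected one.

    Returns "same", "homoglyph", "typo" or None (not a look-alike).
    """
    name = candidate.lower().rstrip(".")
    if name.startswith("www."):
        name = name[4:]
    if name == protected:
        return "same"
    if name.translate(LOOKALIKE) == protected.translate(LOOKALIKE):
        return "homoglyph"
    if edit_distance(name, protected) == 1:
        return "typo"
    return None


if __name__ == "__main__":
    print(suspect_resolvers("www.nicebank.com", SAMPLE_ANSWERS))
    for domain in ("www.n1cebank.com", "www.nicebqnk.com", "www.nicebank.com"):
        print(domain, classify_registration(domain))
```

A resolver flagged here is a lead for investigation rather than proof of poisoning, since an organisation may have moved its service to addresses that are not yet in the pin list.
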
