A recent survey by a security appliance vendor (take it with a grain of salt: they sell the solution to the problem they report) indicates that 40% of DNS servers run software that is outdated, very likely insecure, and vulnerable to pharming attacks.
The Boulder, Colo.-based Measurement Factory, in querying some 17 percent of the roughly 7.5 million globally known authoritative DNS servers on the Internet, also found that in more than 40 percent of DNS servers, the software used to complete domain name resolution is out of date and likely insecure.
Pharming against IP telephony is now not only possible, it is probable. ZDNet describes how pharming (or "poisoning" a DNS server to reroute traffic to a different destination) may be used to redirect IP phone traffic from the intended recipient to another location. Imagine dialing your bank’s number, entering your SSN and password at the voice prompts, and a month later having your identity stolen.
Pharming exploits vulnerabilities in a piece of network equipment responsible for translating e-mail and Web addresses into IP addresses. Security experts speaking at Supercomm this week said that, by hijacking a domain-name system (DNS) server–a computer that stores and organizes IP addresses–pharmers get control of VoIP calls. Without their knowledge, VoIP users’ calls could then be redirected to IP addresses completely different from the ones the users dialed, warns Paul Mockapetris, the inventor of the domain name system.
[Via ZDNet -]
Another review on "pharming" and how it slowly makes its way as a tool for obtaining personal and confidential information by posing as a legitimate site.
Recent pharming attacks have taken advantage of old and insecure implementations of BIND (Berkeley Internet Name Domain) technology, the dominant DNS software used on the Internet, and vulnerable default configurations on some versions of Windows 2000 systems that were acting as DNS servers, according to the Internet Storm Center.
Although upgrading and plugging holes in DNS server software helps, a more robust and secure DNS infrastructure may be needed, according to Paul Mockapetris, the inventor of DNS and now chief scientist at Nominum Inc., a provider of Internet name and address services based in Redwood City, California.
[Via eWeek, MA -]
Don’t be misled by the title: phishing is not about to disappear. The heavy publicity and negative emotion surrounding phishing have simply led phishers to adopt different, and in many cases better, techniques.
Although, according to the Anti-Phishing Working Group, phishing increased by only 1.8% in February, the number of pharming attacks is increasing. The bad news is that pharming is much harder to detect, because only some users’ traffic gets redirected, and only temporarily.
Previous phishing attacks lured a user in through social engineering, primarily spoofed e-mail and websites. Now, not only are phishers beginning to use Instant Messaging (IM) to spoof companies, but phishing without a lure is becoming more prevalent. There are several variations. The most common is malicious code, which either modifies a hosts file to point commonly accessed sites to a fraudulent site (called "pharming") or logs a user’s keystrokes based upon a set of predetermined URLs that are accessed (known as "keylogging"). DNS cache poisoning is an alternative technique that can be used to resolve information to non-legitimate pharming web sites.
[Via eMarketer, NY -]
No surprise in the recently released phishing statistics for the month of February.
There were 13,141 unique phishing e-mail messages reported to the Anti-Phishing Working Group (APWG) during February, up 2% on the number reported to the group in January. The number of phishing Web sites supporting these activities rose 1.8% to 2,625 compared with the prior month, according to the group. The APWG compiles its data using information from Internet service providers, network administrators, law enforcement agencies and individuals.
[Via ComputerWorld -]
The Internet Storm Center is concerned that online criminals are ‘poisoning’ the domain name system and redirecting Web users to malicious sites. ZDNet reports on how pharmers (not to be confused with farmers, who are good for people and the economy) use DNS poisoning to install spyware on users’ computers. This is a slight variation of our previous reports of pharming, where DNS poisoning is used to serve a different web page and "phish" for users’ usernames and passwords.
ZDNet is reporting on a new use of DNS poisoning: tricking users into installing spyware, which can then track their activity without raising suspicion. This attack is more troublesome than phishing via DNS poisoning, because a DNS poisoning attack usually lasts only as long as the poisoned server’s cache duration. By sneaking spyware onto the machine during this window, hackers can obtain much more information than from a pure DNS poison/phish attack.
Netcraft reports on new techniques used by phishers to trick users into clicking on their links by making them look real. With DNS wildcards, a single DNS record answers all requests for names that are not matched by any other record. Wildcards have been helpful in "catching" misspelled e-mail addresses, for example, but are now being misused by spammers and phishers.
Netcraft reports about a recent attack on Barclays Bank using links such as: http://barclays.co.uk|snc9d8ynusktl2wpqxzn1anes89gi8z.dvdlinKs.at/pgcgc3p/
The phishers use a wildcard DNS setting at a third-party redirection service (kickme.to) to construct the URLs. The wildcard allows the display of URLs beginning with "barclays.co.uk," which is followed by a portion of the URL which is encoded to obscure the actual destination domain. The redirector at kickme.to/has.it forwards to a Barclays spoof site hosted at Pochta.ru in Moscow. The spoof loads a page from the actual Barclays site, and then launches a data collection form in a pop-up window from the Russian server.
Although not strictly a DNS vulnerability, this attack creates a phishing-pharming hybrid that could be harder to detect.
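The Barclays links above work because the browser's address bar shows the brand name at the start of a long hostname while the registrable domain is something else entirely. The following check, added here as an example and not code from Netcraft or from the original post, splits a URL into its host part and compares the domain that was actually registered against a watchlist of protected brands. The watchlist, the abbreviated public-suffix table and the extra sample URL are constructed for the example; real tooling should use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Brand domains we want to protect (constructed watchlist for this example).
PROTECTED_DOMAINS = {"barclays.co.uk", "ebay.com"}

# Two-level public suffixes recognised by this simplified example; production
# tooling should consult the full Public Suffix List instead of this table.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that was actually registered: the
    rightmost two labels, or three under a suffix such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse_url(url: str) -> dict:
    """Report which protected brand appears in the host part of a URL and
    whether the registrable domain really belongs to that brand."""
    parts = urlsplit(url)
    netloc = parts.netloc.lower()          # everything between "//" and the path
    host = (parts.hostname or "").lower()  # netloc minus userinfo and port
    actual = registrable_domain(host) if host else ""
    # A brand string anywhere in the netloc while the registrable domain is
    # not that brand is exactly the pattern the wildcard links rely on.
    impersonates = sorted(d for d in PROTECTED_DOMAINS if d in netloc and actual != d)
    return {
        "host": host,
        "registrable": actual,
        "impersonates": impersonates,
        "suspicious": bool(impersonates),
    }


if __name__ == "__main__":
    samples = [
        "http://barclays.co.uk|snc9d8ynusktl2wpqxzn1anes89gi8z.dvdlinKs.at/pgcgc3p/",
        "https://www.barclays.co.uk/login",
        "http://www.ebay.com.account-check.example/signin",  # constructed sample
    ]
    for sample in samples:
        print(analyse_url(sample))
```

The first sample resolves to the registrable domain dvdlinks.at with barclays.co.uk flagged as the impersonated brand; the genuine Barclays login URL is not flagged because its registrable domain is the protected one. The check looks at the whole netloc rather than only the hostname so that a brand string placed in front of an unusual separator is still caught.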
After Sen. Leahy’s introduction of the Anti-Phishing Act of 2005, the term "pharming" started circulating in the media. What is pharming anyway?
According to ZDNet, this is simply a new name for an old concept - domain spoofing. Rather than spamming you with email requests, pharmers work quietly in the background, ‘poisoning’ your local DNS server by redirecting your Web request somewhere else. As far as your browser is concerned, you’re connected to the right site. The danger here is that you no longer have to click an email link to hand over your personal information to identity thieves.
Many of our readers are aware that DNS is responsible for translating a name such as eBay.com into its equivalent network (or IP) address, so that users only have to remember eBay.com instead of its cryptic address of 8 to 12 digits. The problem is that the network structure responsible for this translation is vulnerable. For example, an attacker who can modify a DNS server can make it send a user not to eBay’s IP address but to another machine run by a scammer, where personal information can easily be collected.
Pharming is superior to phishing in many respects. A phishing attack is easy to detect: a discrepancy between an emailed link and the address it purports to point to, the geographic location of the site suggested by its domain name, and so on. Pharming, on the other hand, gives users little chance to compare the domain name and spot a discrepancy: their browser displays *exactly* the URL they expected, so there is no discrepancy and no suspicion. And if the site looks as expected, no user can know.
Pharming, or poisoning a DNS, can occur in many ways. An attack can be launched against an ISP’s DNS system and, if successful, all users of that DNS server receive the fake IP address. Another way is for a trojan to infect a victim’s computer and "poison" the local hosts file; the effect is the same: they type eBay.com, the browser shows "http://www.ebay.com", and the actual site is different.
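The hosts-file variant described above leaves a visible trace on the machine: a well-known name pinned to an address that is not loopback. The script below is added here as an example (not code from ZDNet or from the original post) of the check a host-integrity tool would run: it parses a hosts file, skips comments and loopback entries, and flags any watched brand name mapped to another address. The hosts-file contents, the 203.0.113.x and 10.x addresses and the watchlist are all constructed for the example.

```python
import ipaddress

# Constructed sample of a hosts file after a trojan has appended entries.
# The first lines are the normal loopback mappings; the 203.0.113.45 lines
# redirect bank and auction names to an attacker-controlled address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example   # legitimate internal pin
# --- lines below appended by malware (constructed example) ---
203.0.113.45    www.ebay.com ebay.com
203.0.113.45    www.barclays.co.uk
"""

# Public names that should never be pinned in a hosts file (constructed watchlist).
WATCHLIST = {"ebay.com", "www.ebay.com", "barclays.co.uk", "www.barclays.co.uk"}


def parse_hosts(text: str) -> list:
    """Return (ip, [names], line_no) for every entry; comments and blank
    lines are skipped, malformed addresses are ignored."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue   # not a hosts entry; a real tool would report it
        names = [name.lower().rstrip(".") for name in fields[1:]]
        entries.append((ip, names, line_no))
    return entries


def find_poisoned(text: str, watchlist=WATCHLIST) -> list:
    """Flag every non-loopback mapping. A watched brand name is 'high';
    any other pinned name is 'info' so an analyst can review it."""
    findings = []
    for ip, names, line_no in parse_hosts(text):
        if ip.is_loopback:
            continue   # 127.0.0.1 / ::1 localhost lines are expected
        for name in names:
            severity = "high" if name in watchlist else "info"
            findings.append({"line": line_no, "name": name,
                             "ip": str(ip), "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in find_poisoned(SAMPLE_HOSTS):
        print(f"line {finding['line']}: {finding['name']} -> {finding['ip']} [{finding['severity']}]")
```

Run against the sample, the three brand names on lines 6 and 7 come back as high-severity findings and the internal pin as informational. In a monitoring deployment the same function would be run on the real hosts file (for example C:\Windows\System32\drivers\etc\hosts or /etc/hosts) and its output diffed against a known-good baseline.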