TraceSecurity

What is a Pharming Attack?

Though pharming attacks are not as well-known, they are a serious threat to unsuspecting individuals. The main threat to pharming attacks is that they are extremely difficult to detect and can be perpetrated in many different ways. A pharming attack is where a user attempts to browse to a legitimate web site and is instead redirected to a malicious web site that impersonates the real site. This ultimately allows the malicious web site to steal information entered by the unsuspecting user. There are three primary forms of pharming attacks.

DNS Poisoning

This type of attack is where DNS servers are compromised and modified to advertise improper IP addresses. When a user types in a web address such as www.tracesecurity.com, that name is resolved via DNS to an IP address. In turn, the IP address tells the user's computer how to reach the web site being requested. If a DNS server can be compromised to send a different IP address instead of the real one, when the user types the web address, such as www.tracesecurity.com, they will instead be sent to a malicious web site.

SpyWare

Spyware has been around for a number of years but has become a common way for legitimate and malicious parties to gain information about individual's computer habits. Though some forms of spyware are legal, malicious code can be used to modify a user's computer to go to sites other than those requested. A simple example is a modification to the .host. file on a computer. Most computers have this file, though it is rarely modified. If an entry is put into the host file to resolve the domain www.tracesecurity.com to an IP address of 10.1.1.1, then when a user attempts to browse to that web address, their computer will use the entry from the host file rather than performing a DNS lookup. Since spyware can be loaded onto a computer through web browsing or applications downloaded via the Internet, it is difficult to defend against.

Search Engine Poisoning

When a user goes to a search engine, such as Google, and types in an organization's name, they make the assumption that the responses that are generated will probably relate back to that domain. However, malicious individuals have begun creating web sites that mimic legitimate web sites and have gotten their information published into these search engines. Ultimately, when a user types in an organization's name, the malicious web site might end up being listed above the legitimate web site. If the malicious web sites looks like the real web site, the user will have no idea that they are not where they assume they are. In addition, many users attempt to simply guess the organizations' web address. Malicious sites can be registered with domains very similar to the legitimate web sites.