WASHINGTON, Jan. 19 (UPI) -- After phishing, pharming.
Experts say that the way the Internet works leaves users vulnerable to a scam in which fake Web sites facilitate identity theft and fraud by collecting personal and financial data.
Phishing involves sending fake e-mail messages to users. The e-mail, which appear to come from banks or commercial sites such as Amazon or eBay, urge the recipient to visit the site to update or confirm personal information. But the link the message offers actually takes anyone who clicks on it to a fake site, operated by criminals, which steals the information the user enters. The victims' identity, password and other data can then be used to conduct bogus transactions, or to steal the contents of bank accounts.
But in pharming, Internet users are clandestinely diverted to fake sites without receiving a message or clicking on a bogus link.
"There are all kinds of ways such an attack could be carried out, said Carl Banzhof, the chief technology officer of Citadel Security Software, Inc. But they all rely on hijacking the link between a personal computer Web browser and the Internet site the user wants to visit.
"When you type an Internet site address into your Web browser," explained Roger Thompson, the director of malicious content research at Computer Associates, Inc., "the browser has to convert those letters into a numerical code, known as an IP address. The IP address is the one your Web browser uses to find its way to the site."
IP addresses are stored on large network computers called Domain Name Service servers. "These servers are constantly communicating with each other, updating the information they hold and correcting any errors," said Thompson.
But most browser programs looking for an IP address will check the PC's own records, because if the user has visited the site before, the IP address will be on file.
"Various forms of spyware out there can infest a PC," said Thompson, "and change the IP addresses" it has stored, so that when users type in an Internet address, the browser will find its way to a site chosen by the spyware author, rather than the one the user wanted to visit. Unlike a virus, spyware does not spread itself to other computers, but it can be very difficult to get rid of. "Some of these programs are very persistent," Thompson, said, adding that even if the changes such programs make are deleted, they can sometimes re-install themselves.
But spyware affects only one PC at a time. The phenomenon known as DNS poisoning can affect thousands of users at once.
"In DNS poisoning, a server is bombarded with fake updates," confusing it, Thompson said. Poisoned DNS servers mistranslate Internet addresses and cause users to be re-directed to a site other than the one they chose.
"These attacks are not easy to carry out and not common," said Thompson, and they generally only work for a limited time before the server -- or its owner -- realizes what is going on and acts to fix the problem.
"I liken it to changing the traffic signs on the Internet," Gerhard Eschelbeck, chief technology officer of computer security firm Qualys told United Press International. "You change the signs, you misdirect the traffic."
Eschelbeck said that this misdirection can be done to a target as small as a single server, affecting a small group of users, or to all the servers used by an Internet Service Provider, affecting all its customers, or even to all the servers serving a geographic area as large as an entire country.
In November last year, computer help chat-rooms and bulletin boards received large numbers of complaints from users trying to reach large commercial sites like Amazon who were being forcibly re-directed to an online pharmacy. Several reported that the problem persisted even after they had completely wiped their PC hard drives and re-installed software. It was apparently only corrected when they changed the DNS server their PCs were using to translate URLs into IP addresses, suggesting that the problem was at the level of the server.
In this case, the forced re-direction was obvious. But it would be perfectly possible, Thompson said, for users to be diverted to a facsimile of the site they were trying to visit, which could then harvest their identities and passwords to be fraudulently used later.
"It's definitely a vulnerability," he said, adding that he was unaware of any attempts to exploit it so far.
Paul DeBernardi, of Secure Computing, Inc., blames poor security practices on the part of those running DNS servers for the problem. "A lot of people are spreading malicious software by hosting insecure servers," he said.
Jon Callas, the chief technology officer of PGP Corp., added that servers and the software that runs them can be updated and made more secure. "The real problem," he told UPI, "is the component that sits between the keyboard and the chair" -- that is, the user. "You can't patch, update or replace that," he said.
"I am a lot more troubled, from a security point of view, by the con job," he explained. "I have a much easier time with technical attacks that take advantage of an improperly configured Web server. That is easy to fix, compared with the user."
But Banzhof pointed out that the open structure of the Internet and the endless fertility of the criminal mind make a dangerous combination.
"People will continue trying to figure out ways to redirect (Web) surfers to illegitimate sites for illegal purposes," he said, adding that the vulnerability of the DNS was highlighted last weekend by the theft of a company's Internet address.
Panix.com, New York City's oldest Internet service provider, found that ownership of its domain name had been transferred to a company in Australia, and that e-mail and other traffic was being re-directed to a server in Canada.
Experts blame the theft on changes made to the way domain names are traded in November last year, according to The New York Times, which reported the incident in its Tuesday editions.
"The way the system is now set up," said Banzhof, "domain name transfers go through automatically after five days if no one objects to them."
The bottom line, according to Eschelbeck is "authentication and trust. It's not enough for the site to simply get authentication (in the form of a password for instance) from the user. Authentication has to be two-way. The site has to prove to the user it is genuine, too."
Callas and DeBernardi say that the key for users is to ensure that they only submit personal or financial data to secure sites. "Watch for the padlock icon" toward the bottom right of the browser window, "and the Web address should begin 'https,' not just 'http,"' said DeBernardi.
"If you can see those, you're running a secure session," he said, adding that users can be confident that even if the data from such a transaction were being hijacked, it will be encrypted, and useless to the ID thieves.
"There's no reason for anyone to conduct any financial transactions, or to submit personal data, unless they're dealing with a secure server and they can see that," added Callas.
--
(Please send comments to [email protected].)
