July 1, 2005

They’re pretty real all right, and constantly on the rise. If you bank online today, you have to be extra careful about these security threats so that you don’t end up getting caught in a scam. Scamsters are finding new and more powerful techniques to gain access to your bank account information, so let’s start by understanding the different mechanisms. The two most commonly used are called phishing and pharming. Phishing involves luring the target to a particular website through an e-mail, while pharming is even more dangerous because it doesn’t even let the target know that an attack is in progress. To understand the gravity of this, we’ll tell you how they do it, so that you can be better prepared.

Phishing
This form of attack has been around for quite some time now. In fact, the attack itself originally had nothing to do with technology at all; it was all about social engineering. Perhaps the most common and nasty phishing attack was the Nigerian General’s widow e-mail, asking for your cooperation to transfer a huge sum into your account. Today the attack has been modified: you receive an e-mail from some bank asking you to update your account information. If you had an account with that bank, you could easily have been fooled and clicked on the bank’s URL. Unfortunately this took you to a phony website created by the sender of the e-mail, and no prizes for guessing what happened after you entered your bank account’s username and password! You would probably receive an error message. So while you thought you had entered your details incorrectly, the fake site was busy gathering your username and password.

These kinds of attacks were harmless so long as you ignored and deleted the e-mail. But if you responded, then they would try their best to get your account information out of you. These days, however, ‘phishers’ have become smarter and are using techniques to make the attacks much more accurate.

Pharming: beyond phishing 
While most online banks are still warning their customers to watch out for fraudulent e-mail, another more dangerous form of attack is brewing in the background. It’s called pharming. This form of attack doesn’t give the user any prior intimation. The user simply enters the URL of his bank’s website, but instead of being taken to the bank’s website, he’s automatically redirected to the fake site. The rest, as they say, is history. You may think that this is difficult to do, but it’s not. Let’s see how. 

Redirecting somebody automatically to another site may sound difficult to do, but actually it’s not. If the hacker can gain access to a user’s DNS server and replace the IP address of the bank’s website with his own, then the user will automatically be redirected to the fake website instead of the original one. So the humble DNS server, which nobody suspects of anything, has actually become the target of attack in pharming. The technique is called DNS poisoning. You may think that poisoning the DNS server is difficult, but think again. Many broadband service providers use simple Ethernet cables, hubs, and switches to extend Internet access to their subscribers.

What is DNS poisoning?
Scamsters are using this technique to carry out pharming attacks. It is a hacking technique in which someone spoofs the IP address of the gateway/DNS server and redirects the traffic to a fake machine that has wrong entries for some specific Web addresses. For instance, it can have the IP address of a phishing website against the DNS name of some banking site. Or let’s say the IP address of playboy.com in front of google.com; as a result, when someone tries to open google.com he actually gets directed to playboy’s website. The biggest danger of this type of attack is that it is difficult to trace and it doesn’t need any modification on the user’s machine. A remote machine does all the poisoning.

In such a setup, it’s very easy for one subscriber to see the others. Someone with malicious intent can use DNS spoofing software to redirect requests for specific websites somewhere else. This can even happen on corporate networks.

There’s another, easier way of taking the user automatically to a fake bank website. It’s done by tampering with a tiny file that sits on most desktop machines, known as hosts. It’s nothing but a text file that maps host names (the server part of a URL) to IP addresses.

So whenever you try to access a website, the machine first checks the hosts file to see if it can find the URL’s IP address there. What if someone were to map a fake IP address to a bank’s website in the hosts file?

One can’t deny this possibility, because there are Trojans around that have done it for other things. The most recent one we’ve seen doesn’t let you update your anti-virus software: it simply maps the URLs of all the anti-virus software sites to 127.0.0.1, which is your own local machine. This kind of Trojan can come as an attachment in a nicely written e-mail.
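As an added example (not code from the original article), here is a small Python audit script that parses a hosts file and flags the two kinds of tampering just described: a watched bank name overridden locally, and public sites pinned to the loopback address the way the anti-virus-blocking Trojan does. The sample hosts file, the bank and anti-virus host names and the watched-suffix list are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample hosts file (not from any real machine). The last two
# lines show the abuses described above: a bank name pointed at an
# attacker-chosen address, and anti-virus update sites pinned to loopback.
SAMPLE_HOSTS = """\
# sample hosts file for the audit example
127.0.0.1       localhost
::1             localhost
192.0.2.10      intranet.example.internal   # legitimate local entry
203.0.113.7     www.examplebank.test        # hypothetical bank, hijacked
127.0.0.1       update.antivirus-vendor.test  liveupdate.av.test
"""

# Placeholder domains that must only ever be resolved through DNS; a real
# deployment would list the bank and AV sites the organisation uses.
WATCHED_SUFFIXES = ("examplebank.test", "antivirus-vendor.test", "av.test")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]     # one IP, one or more names
        for name in names:
            yield ip, name.lower(), line_no


def suspicious_entries(text):
    """Return (line_no, ip, hostname, reason) tuples for tampered entries."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, name, "unparseable address"))
            continue
        if addr.is_loopback and name not in LOCAL_NAMES:
            # A real site pinned to 127.0.0.1 / ::1: the update-blocking pattern.
            findings.append((line_no, ip, name, "public name mapped to loopback"))
        elif any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES):
            # A watched domain should never be overridden locally at all.
            findings.append((line_no, ip, name, "watched domain overridden in hosts file"))
    return findings
```

Run `suspicious_entries(open("/etc/hosts").read())` (or the Windows path under System32\drivers\etc) to audit a real machine; an empty list means no entry matched either pattern.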

Fake bank sites are easy to create
After redirecting users to another IP address, the scamsters just have to ensure that they have a website that looks and functions exactly like the original bank’s website. This is also not very difficult, simply because all websites are created using common Web technologies like HTML, ASP, JSP, XML, etc., which are taught even in the smallest of training institutes. Another factor that helps scamsters create the fake site is that they can view the source code of all the bank’s Web pages.

In Internet Explorer, for instance, just open the View menu and choose Source. This shows you the source code for the entire Web page, irrespective of whether it’s using plain old HTTP or the secure HTTPS. While HTTPS is supposed to secure what you transmit over the Internet, it does nothing about this aspect. Why’s that important, you might ask? The Web pages can easily be saved and hosted on another Web server using a simple tool such as FrontPage or even Notepad. So without too much effort, the scamster can have an exact look-alike of the bank’s original website up and running in a few minutes. All the scamster now has to do is ensure that the script behind the login button extracts the username and password and sends them to another destination.

Thus, the entire process of redirecting the request for a URL to another location is not difficult. But the sad part is that it can all be done using freely available tools. It’s a scary thought that such simple loopholes exist in the most secure of online banks. We do hope that banks take them into account and plug them. In the next section, we’ll tell you how to identify pharming attacks and what safeguards to take to protect yourself against getting conned.
