Financial Daily from THE HINDU group of publications, Monday, May 23, 2005

Hidden threat

Vipin V. Nair

Just when one thought everything was safe in online banking as long as those 'phishing' e-mails were ignored, a cleverer and potentially more damaging Internet fraud is emerging. Called 'pharming', this trick is more difficult than phishing to identify, even for Net-savvy users.

This is how it works: You log into your bank's site online, keying in the user name and passwords. Everything looks okay but you are actually on a spoofed Web site set up by fraudsters. All the data you have entered, including your passwords, is now in their possession.

How does this happen? You did type in the correct URL of the bank's site and the browser is still displaying it. What went wrong, and where?

Cyber criminals this time are resorting to an old trick called domain spoofing or DNS poisoning to perpetrate pharming attacks. What they do is hack into the servers hosting domain names and alter them.

To understand this better, let's first look at how a Web server works. All Web sites have a unique Internet protocol (IP) address, represented in a string of numbers such as, say, 12.456.78.673. Since we remember names better than such long numbers, we key in www.bankxyz.com in the browser. The Domain Name Server (DNS) converts this text into the numbers behind it.

When we key the URL into our browser and press 'enter', it sends a request to the DNS to translate the domain into an IP address. Then the browser sends a 'Get' request to the Web server at that particular IP address to locate the page. Then the Web page is displayed on the computer.

What happens in a pharming attack is this: A user keys in the required URL in the browser, which sends the request for the IP address to a DNS that has been hacked. In place of the real IP address, the hacked DNS sends back another one, which would be that of a spoofed site. This site would be a replica that is difficult to distinguish from the real site.
When sensitive information such as passwords is keyed in, it would end up in the wrong hands.

According to a report on pharming by The Radicati Group, a US-based technology market research firm, the easiest way to hack into a DNS is by posing as an official who has the authority to change the domain name destination. "In general, the process of translating domain names into IP addresses is a weak link in the internet," the report says. The DNS system has some inherent vulnerabilities and it is time the system is overhauled, it says.

Besides this common way of pharming, viruses such as Banker Trojan are also being used. In this case, the infected computer would go to a wrong Web site even if the URL appears correct. Another method is to create a replica with a small change in the URL spelling. Apart from stealing personal data and passwords, pharming is sometimes attempted to install spyware in machines.

The Radicati Group's report says that about 80 per cent of pharming and phishing attacks are targeted at financial institutions. ISPs (Internet service providers) and some major Web sites are also attacked. In January 2005, Panix, an ISP in New York, was hit. On April 25 this year, Hushmail, which provides secure e-mail services, also came under pharming attacks. Its domain name was hijacked and users were redirected to a defaced page. Last year, Google's and Amazon's DNS were also targeted for a brief time, the report says.

Since it could be nearly impossible for a user to make out a spoofed Web site, unless it is badly imitated, there is a view that the DNS system should be discarded and users learn to use the IP address. This is, however, a difficult proposition. Strengthening the system would be a more appropriate step to keep 'pharmers' at bay. Server-side certificates that authenticate Web sites and multiple-level identity checks by banks, etc., for online users could also help.
Companies should also ensure that their domain registrar has adequate security practices to avert hacking, the report suggests.
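
The substitution described above, where a hacked DNS returns an address other than the real one, can be caught by comparing what several resolvers say against prefixes the site owner is known to use. The following is an added example, not part of the original article; the resolver names, pinned prefix and sample answers are constructed (documentation address ranges), and `check_answers` is a hypothetical helper.

```python
import ipaddress
from collections import Counter

# Hypothetical pinned prefixes for the watched name (assumption, RFC 5737 range).
EXPECTED_NETS = {"www.bankxyz.com": ["192.0.2.0/24"]}

# Constructed sample: resolver -> A-record answers it returned for the name.
SAMPLE_ANSWERS = {
    "resolver-a": ["192.0.2.10"],
    "resolver-b": ["192.0.2.10"],
    "resolver-c": ["203.0.113.66"],   # constructed poisoned answer
    "resolver-d": ["12.456.78.673"],  # the article's illustrative string; not a valid IPv4 address
}

def check_answers(name, answers, expected_nets=EXPECTED_NETS):
    """Return {resolver: [findings]} for answers that look substituted."""
    if not answers:
        return {}
    nets = [ipaddress.ip_network(n) for n in expected_nets.get(name, [])]
    # The answer set most resolvers agree on serves as the reference view.
    votes = Counter(frozenset(a) for a in answers.values())
    majority, _ = votes.most_common(1)[0]
    findings = {}
    for resolver, addrs in answers.items():
        issues = []
        for addr in addrs:
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                # An octet above 255 or other garbage is itself a red flag.
                issues.append(f"malformed address {addr}")
                continue
            if nets and not any(ip in net for net in nets):
                issues.append(f"{addr} outside pinned prefixes")
        if frozenset(addrs) != majority:
            issues.append("disagrees with majority of resolvers")
        if issues:
            findings[resolver] = issues
    return findings

if __name__ == "__main__":
    for resolver, issues in check_answers("www.bankxyz.com", SAMPLE_ANSWERS).items():
        print(resolver, "->", "; ".join(issues))
```

A majority vote alone cannot help when most resolvers share one poisoned upstream, which is why the pinned-prefix check runs independently of it.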

Copyright © 2005, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line