Get Protection Against New-Generation "Pharming" Attacks

The next generation of phishing attacks--otherwise known as pharming--has arrived. Pharming incidents rose 6 percent between May and June, says the APWG (Anti-Phishing Working Group), an industry association dedicated to studying phishing issues. This increase exacerbates an already alarming problem: Identify theft, which pharming helps perpetrate, was the top fraud-related complaint last year, according to the Federal Trade Commission, inflicting an estimated $5 billion to $50 billion in damages.

Unlike phishing, pharming--another name for domain spoofing--doesn't require the user to be duped into divulging personal information with the click of an e-mail link. Pharming takes Web requests and redirects them to a fake but legitimate-looking site or proxy server that downloads keystroke logging applications for the purpose of pilfering personal data (see "Pop-Up, Go the Weasels").

Typically, pharmers target large financial institutions, such as Bank of America, Citizens Bank and Wells Fargo. But the APWG has found that pharmers are also going after regional and niche credit unions that have well-to-do members and laxer security. Nonfinancial organizations such as AOL, Microsoft, the FBI, the Internal Revenue Service and large universities have all recently been victimized by pharmers and phishers.

Pharming, like phishing, takes advantage of users' trust in the application and data they're seeing. In phishing, users formulate a decision about a message's validity based on the address in the from field of the header, as well as the message content, which often looks true to life. With pharming, things get even messier. Just verifying the URL in your address, status or title bar won't do much good. From a user's perspective, the pharmer's URL and actual site look normal.

So how do organizations protect their employees and Web sites from pitchforked pharmers?First, site owners need to stop distributing e-mail messages that contain links for customers to click on. Phishers and pharmers rely on this common practice because customers are used to it. Instead, site operators should require stoppage of embedded e-mail links and instruct customers that they'll need to type in a URL to visit a site. This is a tall order, as we're attempting to break conditioned responses, but we really don't think it's much harder to type, say, www. bankofamerica.com than to click on a link. Site admins also must devise and convey a policy that they won't ask users to change passwords or verify accounts by e-mail.

If you discover that your users have been victimized by phishing or pharming, report your findings to the proper authorities and to groups like the APWG. And whenever they're in doubt, be sure your users call a company before transmitting data, just to verify the authenticity of an e-mail message or Web site.