About Pharming
Pharming attacks misdirect consumers to fraudulent websites, typically through DNS hijacking or poisoning. In a pharming attack, the consumer types in the correct website address but instead of reaching the real website, the browser goes to the fraudulent website.
DNS hijacking or poisoning is a process in which the DNS entries for the attacked website are modified so that the website’s hostname is translated into a bogus IP address. For example, the fraudster might change the DNS entry for www.yourbankhere.com from 67.15.245.243 (the real IP address of this website) to 67.15.243.236 (the IP address of a fraudulent website that impersonates www.yourbankhere.com). When the consumer tries to access www.yourbankhere.com, the browser resolves the IP address of this website. Since the DNS tables have been tampered with, the lookup returns 67.15.243.236 and the consumer is directed to the fraudulent website. The consumer will not see any change in the URL (i.e., the address bar will still show "www.yourbankhere.com"). For this reason, pharming attacks are difficult to detect.
An unauthorized change of DNS entries can be achieved in many ways. For example, the fraudster can hack into a DNS server, such as the DNS server used by the consumer’s ISP, or hack into a wireless router and change the entries there. Another common method is modifying the "hosts" file on the consumer’s desktop. This file, which contains a local set of hostname-to-IP address mappings that are consulted before DNS is queried, can be changed by malware to direct the consumer to the IP address of the fraudulent site.
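As an added example (not part of the original page and not Rapport’s code), a defender-side check for the hosts-file variant described above: it parses a constructed hosts file and flags any monitored hostname that has been pinned to an address other than the expected one. The monitored-hostname table and the sample file are assumptions; the addresses are the page’s own examples.

```python
import ipaddress

# Constructed sample hosts file. The last entry is a pharming-style override
# of the bank hostname used in the text above (addresses are the page's examples).
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost
# Injected by malware: pins the bank hostname to an impersonating site
67.15.243.236   www.yourbankhere.com yourbankhere.com
"""

# Assumed allow-list: hostnames a defender monitors and the addresses they are
# expected to resolve to (the real address given in the text above).
EXPECTED = {"www.yourbankhere.com": {"67.15.245.243"}}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])   # validates IPv4 and IPv6
        except ValueError:
            continue                                # malformed line, skip it
        for name in fields[1:]:
            pairs.append((str(ip), name.lower()))
    return pairs


def find_pharming_overrides(text, expected=EXPECTED):
    """Flag hosts entries that pin a monitored hostname to an unexpected address.

    A static hosts entry silently bypasses DNS for that name, so any monitored
    hostname in the file is reported unless its address is explicitly allowed.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name in expected and ip not in expected[name]:
            findings.append((name, ip, sorted(expected[name])))
    return findings


if __name__ == "__main__":
    for name, ip, allowed in find_pharming_overrides(SAMPLE_HOSTS):
        print(f"ALERT: {name} pinned to {ip}; expected one of {allowed}")
```

On a real system the same function can be run over the contents of the platform’s hosts file (for example `/etc/hosts`) as a periodic integrity check.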
Sample Attacks:
How Rapport Protects Against Pharming
Using its delivery confirmation layer, Rapport strongly authenticates the website when the browser accesses it. Rapport guarantees that all information is exchanged with the real website and not with a fraudulent one.
Rapport protects against all pharming attacks including attacks that compromise the consumer’s desktop as well as attacks that compromise external DNS servers. When a pharming attack occurs, Rapport prevents the consumer from connecting to the fraudulent website and diverts traffic to the real website.
Other Approaches to Pharming Protection
Other solutions to pharming require the consumer’s attention when accessing a website. The most well-known example of this approach is Extended Validation (EV) certificates (www.microsoft.com). Newer browser versions recognize the use of EV certificates and color the address bar green each time an EV certificate is presented by the website. Consumers are expected not to enter sensitive information, such as usernames and passwords, into websites that do not present a green address bar. Unfortunately, research shows that it is unwise to rely on consumers, as most of them would enter sensitive information even when the address bar is not green (jackson.pdf).