Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License.

Thursday, August 03, 2006

Pharming: Old Trick Gets New Name


Pharming is also known as DNS spoofing and DNS poisoning. The pharmer tricks your browser into resolving the real URL you type (the human-readable hostname) to an IP address (the numeric address computers actually connect to) that does not belong to that hostname. In other words, if you type in http://www.mybank.com, which is supposed to send you to your bank's IP address, your browser is tricked into connecting to the IP address of the bad guys' page, which is constructed to look exactly like your bank's page.

DNS spoofing has been around at least 10 years. The massive increase in ecommerce has some people concerned that it will be used to steal identifying information such as social security numbers, credit card numbers, and user IDs and passwords. That is a real possibility. In the last few years there have been a couple of cases of large-scale DNS spoofing, but none resulted in identity theft. The concern about pharming isn't the scale of the problem today, but how hard it is to protect yourself if it does happen to you. Unlike phishing, looking at the URL in your address bar will not tell you that you're being pharmed: the address shown is exactly the one you typed. If the site you are trying to reach uses an SSL/TLS certificate (most financial sites should), checking for https and the lock icon in your browser gives you a clue about the page's authenticity, because the browser shows the lock only when the certificate is valid and matches the hostname in the address bar. It's unlikely that a pharmer would have a valid certificate for your bank's hostname, so a pharmed site will either be plain http or trigger a certificate warning; don't click through that warning.

There are three main methods a pharmer will use to trick your browser's name lookup:

1. Replace or edit the hosts file on your computer, which the system consults before it asks DNS, so that the bank's hostname maps to an address he controls.
2. DNS cache poisoning: planting a false hostname-to-IP mapping in the cache of the DNS server (resolver) your computer asks, so that everyone who uses that server gets the wrong answer until the entry expires.
3. DNS hijack: impersonating the domain owner to the registrar or DNS provider and having the domain's records pointed at the pharmer's servers.
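To make the first two methods concrete, here is an added example (it is not code from the original post): a small Python audit that parses a hosts file and flags entries pinning a public-looking hostname to an outside address, and a second check that, given the answers several resolvers gave for one hostname, reports any resolver whose answer stands alone, which is how a poisoned cache typically looks next to clean ones. The hosts file and the resolver answers it inspects are constructed for the demonstration, and the local-name suffix list and the RFC 1918 table are assumptions a real deployment would tune for its own network.

```python
"""Audit a hosts file and cross-check resolver answers for pharming-style overrides.

Added example, not part of the original post. The sample hosts file and the
sample resolver answers below are constructed for the demonstration.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed sample hosts file (not a real capture).
SAMPLE_HOSTS = """\
# Constructed sample hosts file (not a real capture)
127.0.0.1       localhost
::1             localhost ip6-localhost
127.0.1.1       workstation.lan workstation
# Legitimate local override on a dev box
10.0.0.5        dev.internal
192.168.1.20    intranet.corp.example.com
# Pharming-style entry: a bank's public name pinned to an outside address
203.0.113.45    www.mybank.com mybank.com
# Benign sinkhole to an unspecified address
0.0.0.0         ads.example.net
"""

# Constructed answers for one hostname from three resolvers: the local cache
# disagrees with two independent resolvers, the pattern a poisoned cache shows.
SAMPLE_ANSWERS: Dict[str, Set[str]] = {
    "local_cache": {"203.0.113.45"},
    "resolver_a": {"198.51.100.10"},
    "resolver_b": {"198.51.100.10"},
}

# Assumptions: names that legitimately live in a hosts file on this network.
LOCAL_SUFFIXES = (".lan", ".local", ".internal", ".localdomain")
LOCAL_NAMES = {"localhost", "ip6-localhost", "broadcasthost"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text: str) -> List[Tuple[str, List[str], int]]:
    """Return (address, [hostnames], line_no) for each non-comment hosts entry."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments, including inline ones
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; a real auditor would log it
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first column is not an address; skip
        entries.append((parts[0], [h.lower() for h in parts[1:]], line_no))
    return entries


def is_sinkhole(addr: str) -> bool:
    """Loopback or unspecified targets only block a name; they cannot impersonate it."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def is_local_name(host: str) -> bool:
    """Names with no dot or with an internal suffix are expected in a hosts file."""
    return host in LOCAL_NAMES or "." not in host or host.endswith(LOCAL_SUFFIXES)


def find_suspicious(text: str) -> List[dict]:
    """Flag entries that pin a public-looking hostname to a non-sinkhole address.

    An outside address is 'high' (classic pharming); an RFC 1918 address is
    'medium' (could be a captive portal or an internal man-in-the-middle).
    """
    findings = []
    for addr, hosts, line_no in parse_hosts(text):
        if is_sinkhole(addr):
            continue
        ip = ipaddress.ip_address(addr)
        internal = any(ip in net for net in RFC1918)
        for host in hosts:
            if is_local_name(host):
                continue
            findings.append({"line": line_no, "host": host, "address": addr,
                             "severity": "medium" if internal else "high"})
    return findings


def disagreeing_resolvers(answers: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return resolvers whose answer holds addresses no other resolver returned."""
    lone = {}
    for label, addrs in answers.items():
        others: Set[str] = set()
        for other_label, other_addrs in answers.items():
            if other_label != label:
                others |= other_addrs
        unique = addrs - others
        if unique:
            lone[label] = unique
    return lone


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_HOSTS):
        print(f"hosts line {f['line']}: {f['host']} -> {f['address']} [{f['severity']}]")
    print("resolvers with lone answers:", disagreeing_resolvers(SAMPLE_ANSWERS))
```

Run against a real machine, you would feed `find_suspicious` the contents of `/etc/hosts` (or `%SystemRoot%\System32\drivers\etc\hosts` on Windows) and `disagreeing_resolvers` the A records returned by your local cache and two resolvers you trust. Treat the resolver check as a lead rather than proof: content delivery networks legitimately hand different addresses to different resolvers, so a lone answer needs confirmation, for example by checking whether the certificate presented at that address is valid for the hostname.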

DNS spoofing is hard for the end user to detect or protect against. Fortunately it's fairly uncommon, and difficult enough to do that it will probably remain uncommon for a while. There have been a couple of cases of large-scale DNS spoofing in the last couple of years, but none that have involved the theft of finances or identity, or at least none that have been reported. All of the reports I've been able to find involve cases over a year old, and security experts are not exactly unanimous in their opinion of the risk pharming poses. Most do agree that the DNS system was never intended for the use it's seeing now, and that it needs to be seriously revamped or replaced before there are any serious incidents. At this time pharming seems more a potential threat than an active one, but it is one that needs to be stopped before it becomes a serious, active threat.