Last week, we wrote about what Pharming is. This post talks more about why it's not as big a problem as some people believe. It examines the reasons in more detail, and provides some actionable recommendations for organizations.
We also take the lazier banks to task for not doing more to protect their customers from phishing and pharming attacks.
The fundamental reason that this isn't as big a problem as some believe is that it's not a new problem. In other words, we're not starting from ground zero. It's not like the phishing problem, in that respect.
In the last post, we said that this sort of malicious web redirection can happen in three main ways:
- DNS Hijack: a social engineering attack on the Internet
infrastructure. Criminals pretend to be the domain owner and have the
bank's name re-pointed to their servers. - DNS Poisoning: as above, but a technical attack, taking advantage of possible bugs in the DNS.
- Malware: a virus, worm, Trojan, or piece of spyware could
redirect traffic, usually by writing to the Hosts file, thus
circumventing the DNS altogether.
Here's why we needn't worry too much about each of these:
- There were two high-profile DNS hijacking cases recently: suffered by Panix and eBay Germany. Neither of these cases would have happened, if the correct, standard procedures had been followed by the respective domain registrars. The very fact that they did happen has caused domain registrars the world over to more carefully follow existing procedures.
- DNS poisoning relies on hackers finding security holes in the DNS infrastructure. Such potential security problems are rare, and tend to be quickly fixed. The weakest point is likely to be local DNS caches in firewall products. Organizations using such features should ensure that they have processes in-place to ensure that they are always up to date with security patches.
- Most organizations and individual consumers now recognize the need for anti-virus scanning. Increasingly, they are also recognizing the need for anti-spyware scanning. Such scanners mitigate the malware risk. Organizations without a strategy to filter all types of malware (not just classic viruses) should develop and implement one.
Finally, and perhaps most importantly, we should also examine the security of the banks and other websites that pharming and phishing seek to attack. For example, a surprisingly large number of banks still rely on a simple username/password combination; many of them claim that users will not accept the additional burden of stronger authentication methods. We say that this is a lazy and complacent attitude.
Our recent report, Phishing: What To Tell End-Users included several other recommendations for banks and other websites, to help them phoil phishers.