Site owner: Gavin McDonald (profiles on ohloh and LinkedIn).

Pharming and Phishing

Not a Country Sport Any More!

Still relatively unknown concepts, pharming and phishing present real dangers to the unaware web user, and are set to become a major avenue of attack in the coming months. Time will pass and eventually, like viruses and spyware, they will go past their use-by date: security experts will have overcome them, and detection and prevention techniques will have been added to the various Microsoft hotfixes, anti-virus and anti-spyware programs.

But in the meantime .......

What you will need for this tutorial:

This is an awareness tutorial; there are no specific requirements, but there are recommended programs and techniques involved that you should employ.

No knowledge of the subject matter is assumed; that is the point of this tutorial, to make you aware and to make you take action. This tutorial is rather long, so I would recommend putting at least half an hour aside to take in the information. The practical aspects will take no more than 10 minutes.

Step 1 - A bit of background reading

I could explain in my own words what I am going on about, but first I would like to direct you to a recognised official source of information for some background on what phishing and pharming are all about.

Once you have read the reports, return here and let's see what measures we can put in place to secure you and your computer from having this happen to you.

Phishing : http://www.wisegeek.com/what-is-a-phishing-scam.htm

Pharming : http://wired.com/news/infostructure/0,1377,66853,00.html

Step 2 - Don't take the bait

OK, so you've read the reports and you actually came back! Some of you have probably heard of these techniques, but at least you now have this information fresh in your minds. So what can we do? Well, the first step is pretty obvious and, as mentioned in the first report, is to not open any suspicious emails. This should be standard practice by now, but it never hurts to re-emphasise things.

A couple of things you can do as an Outlook Express user (this may also apply to other mail programs): do NOT use the preview pane when checking your mail. Single-clicking on an email, even just to delete it, opens the email in the preview pane and thus activates any attachment, and any virus etc. that may be part of it. In relation to our topic of phishing, and in particular pharming, this can be an avenue of attack for changing your hosts file settings.

First thing to do then, if you have the preview pane active, is to disable it.

With Outlook Express open, go to 'View' and then 'Layout'. In the resulting box, find and remove the tick in the box next to 'Show Preview Pane', then click 'Apply' and 'OK' to exit the Layout box.

Now what happens when you single-click on an email is nothing: it is just highlighted, so you can delete any junk or suspicious mail without any fear of infection. To actually open a genuine email you double-click on it and the message opens in a new window.

That's fine, but what if you just don't know whether that email actually did come from paypal.com, for example, and want to check? There is a way: you check the header information of the email to see who it actually came from.

I have an example ready, and it just happens to be from 'update@paypal.com' with the message entitled 'Update and verify your PayPal Account***'. Is it or isn't it? I actually do have a PayPal account, but not registered at the email address from which this email was sent, so alarm bells all round (and if not saved as an example it would have been deleted without so much as a goodbye from my index finger).

Here's what to do: right-click on the suspect email and select 'Properties' from the menu. A box just like this will appear:

[Screenshot: the email Properties box]

So far so good; it seems confirmed by the <service@paypal.com> near the top. But this information can be altered by providing false header information, so we go just a little deeper.

Click on the 'Details' tab of this box and we get some more vital information as to whether this email is genuine or not.

[Screenshot: the Details tab of the email Properties box]

Straight away I have circled the offending information. 'Received from:' reveals not PayPal (not even PayPal's owner, eBay) but a foreign address that confirms that this email did NOT in fact originate from PayPal but from some dodgy organisation or individual that has a Taiwanese domain: cacart.cac-art.com.tw. This is the source of the email sent to me, and may not be the original source; rather, this could be an infected email host (details of that another day!).

We needn't go any further with this, but we will, just to show you something else that you may find useful.

Click on 'Message Source' and the source code of the email is revealed, including the contents of the message, but without the nasty payload of a virus or trojan that could be attached. For those familiar with HTML markup, I include just a tiny section of this message source.

<TR>
  <TD><IMG height=10 src="C:\Documents and Settings\cima\Desktop\http://images.paypal.com/en_US/i/logo\pixel(1).gif" width=1 border=0></TD>
</TR>
<TR>
  <TD><SPAN class=ppem106>Never</SPAN> give your password to anyone and <SPAN class=ppem106>only</SPAN> log in at
  <A href=" http://203.208.167.135/.paypal/login.html" target=_blank>https://www.paypal.com/cgi-bin/webscr? cmd=login-run</A> .
  If anyone asks for your password, please follow the Security Tips instructions on the PayPal website. </TD>
</TR>

Without going into great detail here, the above tells me a few things, remembering that I have not even opened this email properly. First, the email writer uses PayPal's own images in the email to make it look more genuine; then it uses an IP address string as the actual reference address that an unwitting user would end up at instead of PayPal.com; lastly it disguises this fact by displaying a genuine PayPal address as the visible link text.

See the 'Want to know more' section if you want to go even further than we have already and check out that IP address for extra confirmation of this email's falseness. For now we go back and concentrate on a pharming prevention method.
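The checks walked through above (the last-hop 'Received from' host against the claimed sender, and a link whose visible text is a genuine PayPal address while its href points at a bare IP) can be automated. The Python script below is an added example, not code from the original tutorial. The message it parses is constructed to mirror the sample above, reusing only the relay host, sender address and link addresses the tutorial shows; the relay IP 203.0.113.7, the recipient and the second "clean" message are made up. The "under the From: domain" test is a plain suffix comparison, not a full SPF or public-suffix check.

```python
"""Flag the phishing tells Step 2 reads off by hand: the last-hop Received:
host versus the From: domain, a link whose visible text names one host while
its href goes elsewhere, and an href that is a bare IP address.
Added example, not the tutorial's own code."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: relay host, sender address and link addresses are the
# ones the tutorial shows; the relay IP, recipient and date are made up.
SAMPLE_MESSAGE = """\
Received: from cacart.cac-art.com.tw (cacart.cac-art.com.tw [203.0.113.7])
  by mail.example.net with SMTP; Tue, 01 Mar 2005 10:00:00 +0000
From: PayPal <service@paypal.com>
To: victim@example.net
Subject: Update and verify your PayPal Account***
Content-Type: text/html

<html><body><table><tr><td>
<span class=ppem106>Never</span> give your password to anyone and
<span class=ppem106>only</span> log in at
<a href="http://203.208.167.135/.paypal/login.html" target=_blank>https://www.paypal.com/cgi-bin/webscr?cmd=login-run</a>.
</td></tr></table></body></html>
"""

# Constructed counterpart with nothing odd: relay under the sender's domain,
# link text matching its href, no bare-IP target.
CLEAN_MESSAGE = """\
Received: from mail.example.com (mail.example.com [203.0.113.8])
  by mail.example.net with SMTP; Tue, 01 Mar 2005 10:00:00 +0000
From: Example Shop <billing@example.com>
To: victim@example.net
Subject: Your receipt
Content-Type: text/html

<html><body>View it at <a href="https://www.example.com/">https://www.example.com/</a>.</body></html>
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = (dict(attrs).get("href") or "").strip()
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def check_message(raw):
    """Return human-readable findings; an empty list means nothing looked odd."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Topmost Received: header is the last hop; expect it under the From: domain.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    received = msg.get_all("Received") or []
    if received and from_domain:
        match = re.search(r"from\s+([\w.-]+)", str(received[0]))
        if match:
            hop = match.group(1).lower()
            if hop != from_domain and not hop.endswith("." + from_domain):
                findings.append(f"last hop {hop!r} is not under the From: domain {from_domain!r}")

    # 2./3. Links: bare-IP targets, and visible text naming a different host.
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        target = host_of(href)
        if IPV4_RE.match(target):
            findings.append(f"link target is a bare IP address: {href}")
        shown = host_of(text) if "://" in text else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown!r} but points at {target!r}")
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE_MESSAGE):
        print("WARNING:", finding)
```

Run directly, it prints three warnings for the sample (relay host outside paypal.com, bare-IP link target, link text that does not match the target), and none for the clean message. The HTML parser is deliberately tolerant because phishing mail is rarely well-formed.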

Step 3 - Pharmers demand more, hosts say no!

As mentioned in the second article introduced at the beginning of this tutorial, targeted pharming involves altering a file on your Windows system: the hosts file. The hosts file is there mainly for internal networks (and is also used by programs such as Kazaa) to resolve domain names to IP addresses. A pharming attack adds an entry to this file and uses it to redirect you from a genuine address to one the attacker has set up on their own servers.

For instance, suppose you do your online banking with Barclays Bank. The website of Barclays Bank is 'www.barclays.co.uk'. From there you would use the online banking login link to make some transactions. On a compromised system, you could in fact be redirected to a fake copy of the Barclays site, where you would reveal your login information, username and password etc. You typed in www.barclays.co.uk and indeed it still says this in the address bar, but you might not be there!

Let's test this theory, shall we? The proof is in the pudding, after all.

Open up a command prompt (Start > Run > cmd) and then type 'ping www.barclays.co.uk'. The ping will more than likely fail, as a lot of servers these days have disabled or refuse pings, but the IP address of the Barclays Bank website will still be revealed, and that is 193.128.3.187. We can confirm this by typing http://193.128.3.187 into our web browser; no surprise, then, that the Barclays site appears. All we have done is bypass the DNS system.

Now, let's do what a pharming attack would do and alter our hosts file. Just to confirm for the cautious: this is just a test and not harmful in any way!

Locate your hosts file, which should be in the C:\windows\system32\drivers\etc\ folder, and open it in Notepad.

Just below the line which reads:

127.0.0.1 localhost

add another two lines which read:

203.17.185.55 barclays.co.uk
203.17.185.55 www.barclays.co.uk

Save and close (or minimise) the hosts file. Make sure it is saved just as 'hosts', with no extension.

Close any browser windows already open on the Barclays Bank website and then open a fresh browser window. Now try to go to the Barclays website by typing either http://barclays.co.uk or www.barclays.co.uk in the address bar and see what happens.

What's that, the Commonwealth Bank of Australia?! That's not Barclays!

Well, no, and it is deliberate on my part that the site being redirected to was completely different from the Barclays site. In reality, a hacker wanting to deceive you out of your login username and password, and ultimately your money, would have created an EXACT copy of the Barclays website, hosted it on his/her own server and redirected you there instead. Note that there will be no tell-tale signs; even the address bar still says 'barclays.co.uk', so you will not be able to tell the difference.

Before we revert our hosts file to its original state, let's see what we can do to bypass this scenario if it ever happened to you.

Step 4 - David, Neil, Sally - what's in a name

Maybe not such a cryptic title for this step, but clues were given earlier in the tutorial about how to be sure you are going to the right site, and that it is indeed your bank you are giving your details to: use the IP address directly and bypass the DNS system. This ignores our infected hosts file and also the wider DNS name servers on the internet.

So, going back to the web page you have open that contains the Commonwealth Bank, delete www.barclays.co.uk from its address bar and replace it with the Barclays IP address instead: http://193.128.3.187/ . Now you can be sure that is the real deal.

The next step in prevention is to make your hosts file 'read only' so it cannot be altered unless you change it back again. Anything that tries to do so will fail, and possibly a 'Save As' box will appear instead, alerting you that a change to your hosts file is being attempted.

For those that have anti-spyware programs installed, such as Microsoft AntiSpyware/Windows Defender, an attempt to change the hosts file is detected and you are alerted to this fact by a pop-up info box. Obviously, deny any change attempts and get the anti-spyware software to remember that action.

Before you put those security measures in place, remove the two entries that I asked you to add earlier. Save the hosts file, right-click on it, select Properties and tick the 'read only' box.
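Steps 3 and 4 together show that the hosts file is consulted before DNS and that the fix is to remove the planted entries before locking the file. The Python script below is an added example, not part of the original tutorial: it reproduces that lookup order on constructed hosts-file text (using the 203.17.185.55 entries from Step 3 and the 193.128.3.187 address obtained by pinging in Step 3) and audits the file against an address you have verified yourself, which is the check worth running before you tick the read-only box. The DNS reply is simulated by a parameter; nothing touches the network.

```python
"""Reproduce the lookup order Step 3 demonstrates (hosts file first, DNS
second) and audit a hosts file for the kind of entry a pharming attack plants,
the check Step 4 asks for before the file is made read-only.
Added example, not the tutorial's own code; all file contents are constructed."""
import ipaddress

# Constructed: the stock localhost line plus the two lines Step 3 has you add.
TAMPERED_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
203.17.185.55   barclays.co.uk
203.17.185.55   www.barclays.co.uk   # planted entry
"""

# Constructed: what the file should look like after Step 4's clean-up.
CLEAN_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
"""

# Allow-list: the address the tutorial obtains for Barclays by pinging and then
# confirming in the browser.  Assumption: you have verified it yourself.
KNOWN_GOOD = {"www.barclays.co.uk": "193.128.3.187", "barclays.co.uk": "193.128.3.187"}


def parse_hosts(text):
    """Return (ip, hostname) pairs the way the resolver reads the file:
    '#' starts a comment, fields are whitespace-separated, one IP then names."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; the resolver skips it too
        entries.extend((ip, name.lower()) for name in names)
    return entries


def resolve(hostname, hosts_text, dns_answer=None):
    """First matching hosts entry wins; only if none matches is DNS consulted.
    dns_answer stands in for the real DNS reply (simulated, no network used)."""
    hostname = hostname.lower()
    for ip, name in parse_hosts(hosts_text):
        if name == hostname:
            return ip
    return dns_answer


def audit_hosts(hosts_text, known_good=None):
    """Report entries that contradict a verified address, and any other entry
    that pins a name to a non-loopback address (normal on a LAN, but worth a look)."""
    known_good = known_good or {}
    findings = []
    for ip, name in parse_hosts(hosts_text):
        if name in known_good and known_good[name] != ip:
            findings.append(f"{name} redirected to {ip}, expected {known_good[name]}")
        elif not ipaddress.ip_address(ip).is_loopback:
            findings.append(f"{name} pinned to {ip}; confirm this entry is yours")
    return findings


if __name__ == "__main__":
    print("tampered:", resolve("www.barclays.co.uk", TAMPERED_HOSTS, dns_answer="193.128.3.187"))
    print("clean:   ", resolve("www.barclays.co.uk", CLEAN_HOSTS, dns_answer="193.128.3.187"))
    for finding in audit_hosts(TAMPERED_HOSTS, KNOWN_GOOD):
        print("WARNING:", finding)
```

With the tampered file the name resolves to 203.17.185.55 even though the simulated DNS answer is the real address, which is exactly what the browser showed in Step 3; with the clean file the DNS answer is used. To run the audit against a live machine, read C:\windows\system32\drivers\etc\hosts into a string and pass it in place of the constructed text.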

Summary

With your hosts file reverted to normal, typing in www.barclays.co.uk should now open up correctly at the proper site.

I hope that has provided you with sufficient warning of a couple of the world's most popular up-and-coming avenues of attack.

Put the above measures in place, and use your bank's IP address (or that of wherever you are making an online transaction) in the web browser address bar whenever you make any monetary transactions; create a desktop shortcut to it afterwards.

Want to know more?

Step 2 introduced you to peeking into the header and source of a message to reveal critical information that can determine the authenticity of an email. Within that information was an IP address that the email was hoping the user would click through to via its link. There is a series of articles regarding firewalls on the miniTutorials site, some of which detail how to find the owner of an IP address and what to do about it should you be inclined to report the offender.

The specific area of interest can be found at http://www.minitutorials.com/firewalls/utb_part4_1.shtml

©2003 - 2006 miniTutorials.com