Dave, I think I finally figured out what phishing is, and who the phish are, but I just bumped into another term, pharming, and was hoping you could explain it so I could figure out how they differ?
Nicely asked question! The “phish” in phishing are us (is this related to the famous line “we have seen the enemy, and he is us”?). Phishing is when a scam artist sends out a fake email message purporting to be from a legitimate financial organization like PayPal, eBay, Citibank, Wells Fargo, etc. The messages can look 99% legitimate, with the right logos, the right paragraphs of information, and even what appears to be a completely legitimate URL for you to click so you can update your financial information before your account is closed (or similar).
Look more closely, though, and you’ll find that while the message may display the URL security.wellsfargo.com or cgi3.ebay.com or similar, the link actually leads to a completely different server, often just a mysterious set of four numbers: a bare IP address. Any email program worth its salt will show you the destination of an embedded link before you click on it, so look for that feature and double-check before you click.
If you do click and blindly try to log in, you’ll find that although you entered the right account and password pair, your login fails for some mysterious reason and you’re asked to log in a second time, at the real site, without ever realizing that the first login was stored on the scammer’s site, ready for them to masquerade as you whenever they please.
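Here is a small check of the kind just described, written for this page as an added example rather than code from the original post: it parses an HTML message body, compares the hostname a link displays with the host its href actually points to, and flags links that lead to a bare IP address. The message body, the 192.0.2.44 address and the example.net host are constructed sample values.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: the first link shows a bank hostname but points at a
# bare IP address, the second is consistent, the third has no hostname to compare.
SAMPLE_EMAIL_HTML = """<p>Please visit <a href="http://192.0.2.44/wf/login">
security.wellsfargo.com</a> to update your account, or go to
<a href="https://cgi3.ebay.com/ws/update">cgi3.ebay.com</a>.
<a href="http://secure-login.example.net/ebay">Click here</a></p>"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def is_ip_literal(host):
    # True when the link target is a raw IP address rather than a domain name.
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_links(html):
    """Return (href, text, reason) for every link whose display text and target disagree."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = (urlparse(href).hostname or "").lower()
        shown = text.lower().removeprefix("https://").removeprefix("http://").split("/")[0]  # host the text claims
        if is_ip_literal(target):
            findings.append((href, text, "target is a bare IP address"))
        elif "." in shown and " " not in shown and shown != target:
            findings.append((href, text, f"shown host {shown!r} differs from target {target!r}"))
    return findings
```

A link whose visible text is just “Click here” carries no hostname to compare, so this check cannot judge it; that is exactly why the mail client’s own destination preview is still worth reading.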
So that’s phishing. I’ve written about phishing here before, too.
Pharming is a new one to me too, and it’s the bigger, more aggressive version of phishing. Imagine that you got a virus on your computer and, automatically, every time you did a DNS lookup for the Washington Mutual site, it deliberately handed out a bogus IP address instead: the address of a fake site set up to look like the real one, but actually a phishing ‘mockup’ of the real thing.
Now imagine a virus that’s smart enough to only return that spurious result for a dozen queries, or one day, or a similar finite amount of time. When you realize something was peculiar and go to investigate, all traces are gone and you have no way of knowing if you were really scammed or not. Scary, eh?
The most heinous of these pharming scams works through what’s called DNS poisoning, where a hacker actually gets into the legitimate DNS (DNS = Domain Name System, by the way; it’s how names are mapped to addresses, and it’s a critical underpinning of the Internet and Web) and hijacks a domain name.
Realize that one of the standard ways of avoiding phishing attacks won’t work against a pharming attack: if you get email from eBay warning you to log in and update your information so your account isn’t frozen, you can easily just type “www.ebay.com” into your browser and know that you’ll go to the real site. But if your local DNS lookup or – worse – a DNS server somewhere up the query chain is corrupted, even typing in the right domain name can lead you to a fake, bogus, criminal site.
It’s almost enough to make you want to do everything by FedEx, isn’t it?
The solution? A number of them are being considered, but as with many other spam and online scam techniques, it’s really a mutually destructive arms race, just like those glorious paranoid days of the Cold War.
You can learn more about pharming in this article at WIRED. I hope that helps.
I just wish we could ban all these lowlifes that are corrupting the Internet and causing us to waste so much effort…
Pharming is a lot harder to pull off nowadays with DNSSEC.
Perhaps Phishing and its cousin Pharting are what we should focus our efforts at preventing.