Wednesday, January 16, 2008

Pharming Attacks - Protect Your Company's Reputation

Let's suppose that you've just invested a large chunk of your marketing budget in pay-per-click and local radio advertising to drive traffic to your company's website. Over the next few days your web stats indicate a 150% increase in hits and a 75% increase in visits. Your conversion rate, however, has dropped to zilch, and you notice that the average visit lasts from 0-15 seconds. Update your anti-virus software and navigate to your home page immediately... You have probably been pharmed.

Pharming isn't new. It combines a mix of threats such as spyware and viruses with more arcane techniques such as domain spoofing and DNS poisoning. One example: a user receives some kind of malware (virus, worm, Trojan or spyware) from a spam email, and the malware rewrites the local hosts file (the file on the user's machine that maps hostnames to the numeric IP addresses browsers use to locate and access websites). Then, when the user types a legitimate URL into the address bar, the browser is misdirected to a bogus website that is an exact duplicate of the site they intended to visit. The URL in the address bar, however, has not changed. Then the phishing begins. Victims believe they are submitting their personal information to the web address shown in the address bar, but are actually submitting it directly to the bogus site. These attacks are usually directed at banking and on-line merchant sites, where criminals can track activity and gather credit card data and personal identification numbers.

Destroying Your On-line Reputation

One type of pharming attack that is becoming more common doesn't involve phishing or bogus web sites, at least not at first. The attack is designed to eliminate the need for criminals to spend their time broadcasting mass spam emails in order to launch their malware.
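The hosts-file rewrite described in the pharming example above is straightforward to check for on a workstation, because a clean hosts file normally contains nothing but loopback entries. The script below is an added example and is not part of the original article. It parses a constructed hosts file embedded inline (on a real machine you would read /etc/hosts or C:\Windows\System32\drivers\etc\hosts instead) and flags two things: any entry that pins a public-looking hostname to a non-loopback address, and any entry at all for a name on a watch list of sites you care about (the bank and anti-virus names in the sample are made up). An entry on the watch list is flagged even when it points at 127.0.0.1, since pinning an update server to loopback is a common way for malware to keep anti-virus software from updating.

```python
"""Flag suspicious entries in a hosts file.

A pharming Trojan that rewrites the hosts file works by adding lines such as
"203.0.113.5  www.example-bank.com", so the browser never asks DNS for that
name.  A clean workstation's hosts file normally holds only loopback entries,
so a line that pins a public-looking hostname to an address is worth a look,
and a line that pins a name on a watch list is a strong indicator.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Names that legitimately live in a hosts file on a typical workstation.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
}

# Constructed sample hosts file (not taken from any real machine).
SAMPLE_HOSTS = """\
# Constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
192.168.1.20    printer.corp.example   # internal printer
203.0.113.5     www.example-bank.com online.example-bank.com
127.0.0.1       update.example-av.test
"""

# Hypothetical watch list: the sites you log in to and the vendors you update from.
WATCH_LIST = ("www.example-bank.com", "update.example-av.test")


@dataclass
class HostsEntry:
    line_no: int
    address: str
    hostnames: list[str]
    reasons: list[str] = field(default_factory=list)


def parse_hosts(text: str) -> list[HostsEntry]:
    """Return one HostsEntry per non-comment, non-blank line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line, not an address/name pair
        entries.append(HostsEntry(line_no, parts[0], parts[1:]))
    return entries


def suspicious_entries(text: str, watch_list=()) -> list[HostsEntry]:
    """Return the entries that deserve a second look, with the reason attached."""
    watch = {name.lower() for name in watch_list}
    flagged = []
    for entry in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(entry.address)
        except ValueError:
            entry.reasons.append(f"unparseable address {entry.address!r}")
            flagged.append(entry)
            continue
        for name in entry.hostnames:
            lname = name.lower().rstrip(".")
            if lname in watch:
                entry.reasons.append(f"{name} is on the watch list")
            elif "." in lname and lname not in LOCAL_NAMES and not addr.is_loopback:
                entry.reasons.append(f"{name} is a public-looking name pinned to {addr}")
        if entry.reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_HOSTS, WATCH_LIST):
        print(f"line {entry.line_no}: {entry.address} {' '.join(entry.hostnames)}")
        for reason in entry.reasons:
            print(f"    - {reason}")
```

Run against the sample, the script reports the internal printer (an expected intranet entry on a corporate machine, which is why the output gives the reason rather than a bare verdict), the bank names pinned to an outside address, and the anti-virus update host pinned to loopback. A clean file containing only localhost entries produces no output.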
Once an attacker has poisoned your site, every visitor to your home page will immediately be redirected to one or more servers that deliver malware to the visitor's hard drive. If your site receives a large number of visits, this could have an extremely negative impact on your company's on-line reputation and on your bottom line. Pharming attacks are no longer exclusive to banking and on-line merchant websites. If you operate a site that receives a large number of monthly visits, your site is a prime target for this type of attack, and the attackers thrive on our complacency.

My own complacency recently resulted in one of my domains being attacked this way. The attack consisted of five iframe launch tags that mysteriously appeared at the bottom of my home page after the tag. On the same afternoon as the attack (indicated by my RAW access log), I navigated to the targeted home page and my browser was immediately redirected to five different web servers in less than ten seconds. My anti-virus software went ballistic. As my browser hit each server, a Trojan was delivered to the C:\Documents and Settings\JC Hurst\Application Data\Sun directory on my machine. Because I navigate to each of my domains daily (not logging into the web servers, but actually visiting each site), I was fortunate enough to discover the attack and was able to remove the malicious script from my home page. The Trojans, however, were a different story. They had installed several keyloggers and Java-based script generators on my machine. My anti-virus software identified each Trojan, but the malware had done so much damage to my registry that it couldn't clean, quarantine or remove it. It took me four days to completely clean and remove it from my machine and to repair my registry.

Pharming Prevention

A non-technical pharming/phishing prevention method involves a simple site validation procedure.
When you visit any banking, merchant or on-line auction site to log in, initially enter a correct username with an incorrect password. If it's accepted, then the site is bogus. If it's rejected, enter the correct password. As an additional measure, once you are successfully logged into your account but before entering any personal information, review your existing account information. If it is incorrect or not available, the site is bogus.

A combination of procedural and technical methods can be used to combat pharming attacks. Just as pharming is more technically difficult to pull off than phishing, it's more technically complicated to protect against. After days of research on this topic, the following methods have been implemented on six of my sites, and according to my RAW logs they have been quite successful so far:

Use strong passwords for all of your web, network and computer logons, especially the Administrator account on your PC. For more information on creating them, visit Microsoft.com and search for "Strong Password".

Disable directory listing on your site from your web server control panel. That way, if a visitor requests a web address that is a directory and the directory does not contain a default file to display (index.html), they will receive a 403 Forbidden error message.

Enable SSL administration sessions from your web server control panel.

Restrict administrative sessions to the IP addresses or ranges that you use to manage your site.

Block potentially threatening IP address ranges from your web server. A vast majority of the servers used in phishing and pharming attacks are later discovered to be located outside the United States. Your company probably doesn't sell much product to folks in Russia or Kazakhstan. If your web server control panel doesn't provide an IP address block option and you run Apache, you can use the .htaccess file to block them.
(WARNING: If you publish your web pages with Microsoft FrontPage, don't use this method. FrontPage Server Extensions use the .htaccess file, and altering it will disable them.)

To block a single address:

    order allow,deny
    deny from 127.0.0.1
    allow from all

To block multiple addresses:

    order allow,deny
    deny from 127.0.0.1
    deny from 127.0.0.2
    deny from 127.0.0.3
    allow from all

To block an entire range of addresses:

    deny from 127.0.0

With "order allow,deny", Apache checks the allow directives first and then lets any matching deny directive override them, so these rules admit every client except the listed addresses. A partial address such as 127.0.0 matches every address that begins with those octets (127.0.0.x).

To block IP addresses or ranges you must first know what they are. I have uploaded a 22MB .zip file containing the most current IP-to-country-code listings available. The file can be downloaded at: ZieglerSuperSystems.com/IPCODES/ipcodes.zip

Place controls on DNS servers, such as a host-based intrusion detection system, to prevent visitors from inadvertently participating in a pharming attack. Snort® is an excellent open source network intrusion prevention and detection system that uses a rule-driven language. It combines the benefits of signature, protocol and anomaly based inspection methods. Best of all, it's free. To learn more about Snort® visit snort.org.

Ramp up education efforts aimed at local business interests such as the Chamber of Commerce and civic organizations (Kiwanis, Rotary, etc.), and especially at smaller local companies that may need help in dealing with a pharming threat.

Be prepared to have Internet service providers quickly shut down malicious sites that are set up for pharming.

Consider moving ahead with plans for stronger authentication technologies that control access to systems that could be targets of pharmers.

Follow developments such as the progress of the DNSSEC (DNS Security Extensions) standards and ensure that your company's ISPs have the proper controls on their DNS directories and servers. To learn more about DNSSEC visit dnssec.org.

Join the Open Web Application Security Project. The OWASP Foundation is dedicated to finding and fighting the causes of insecure software.
Membership and access to all site resources is free. To learn more about OWASP visit owasp.org.

J.C. Hurst is the IT/Internet Marketing Director for The Ziegler Corporations, located in Atlanta, Georgia. You may contact J.C. at: jchurst@zieglersupersystems.com
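The incident described under "Destroying Your On-line Reputation" (iframe tags appearing at the bottom of the home page after the closing tag) was caught by the author visiting his own site; the same check can be automated. The script below is an added example, not code from the article or from the author's sites. It fetches nothing itself: it compares a known-good copy of a page against the version currently served, both constructed inline here, and reports embedded-content tags (iframe, frame, script, embed, object) that are new since the baseline and point off-site, tags sized to be invisible, and any markup that appears after the closing html tag. The partner map iframe in the baseline shows why a baseline matters: a legitimately embedded third-party frame is not reported, while the two appended frames (pointing at documentation-only TEST-NET addresses, chosen as placeholders) are.

```python
"""Audit a served home page for injected frames against a known-good baseline.

Added example: compares the page a visitor would receive with a saved copy and
reports new off-site embeds, hidden-sized embeds, and markup after </html>.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

EMBED_TAGS = {"iframe", "frame", "script", "embed", "object"}
CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)

# Constructed sample pages; the hostnames and addresses are placeholders.
SITE_HOST = "www.example-store.test"
BASELINE_HTML = """<html><head><title>Example Store</title>
<script src="/js/site.js"></script></head>
<body><h1>Welcome</h1>
<iframe src="https://maps.example-partner.test/embed"></iframe>
</body></html>
"""
# The same page with two frames appended after the closing tag.
INJECTED_HTML = BASELINE_HTML + (
    '<iframe src="http://203.0.113.7/frame1.html" width="0" height="0"></iframe>\n'
    '<iframe src="http://198.51.100.9/frame2.html" width="1" height="1"></iframe>\n'
)


class EmbedCollector(HTMLParser):
    """Collect every tag that pulls in remote content, with src and size hints."""

    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        if tag not in EMBED_TAGS:
            return
        a = dict(attrs)
        src = a.get("src") or a.get("data")
        if not src:
            return  # inline script or object with no remote source
        self.embeds.append({"tag": tag, "src": src, "width": a.get("width"),
                            "height": a.get("height"), "style": a.get("style") or ""})


def collect_embeds(html):
    parser = EmbedCollector()
    parser.feed(html)
    parser.close()
    return parser.embeds


def is_external(src, site_host):
    """True when the src names a host other than the site itself."""
    host = urlsplit(src).hostname
    return host is not None and host.lower() != site_host.lower()


def looks_hidden(embed):
    """Zero- or one-pixel frames and display:none are the usual drive-by shape."""
    dims = {str(embed["width"]), str(embed["height"])}
    style = embed["style"].replace(" ", "").lower()
    return bool(dims & {"0", "1"}) or "display:none" in style


def markup_after_closing_tag(html):
    """Return whatever non-whitespace follows the last </html>, or ''."""
    matches = list(CLOSE_HTML.finditer(html))
    return html[matches[-1].end():].strip() if matches else ""


def audit_page(baseline_html, current_html, site_host):
    """Compare current against baseline and return the findings as a dict."""
    baseline_keys = {(e["tag"], e["src"]) for e in collect_embeds(baseline_html)}
    new_external, hidden = [], []
    for e in collect_embeds(current_html):
        key = (e["tag"], e["src"])
        if key in baseline_keys:
            continue  # already part of the known-good page
        if is_external(e["src"], site_host):
            new_external.append(key)
        if looks_hidden(e):
            hidden.append(key)
    digest = lambda s: hashlib.sha256(s.encode("utf-8")).hexdigest()
    return {
        "changed": digest(baseline_html) != digest(current_html),
        "new_external": new_external,
        "hidden": hidden,
        "after_closing_tag": markup_after_closing_tag(current_html),
    }


if __name__ == "__main__":
    report = audit_page(BASELINE_HTML, INJECTED_HTML, SITE_HOST)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In practice the baseline is the copy you published, and the current page is fetched over HTTP from outside your network so you see what visitors see; the "changed" flag alone is enough to trigger a look, and the other fields say where to look first.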
