T 5.157 Phishing and pharming
Phishing
Phishing is a combination of the words "password" and "fishing" and refers to attacks where passwords, credit card data, or other confidential information is elicited from users. To accomplish this, methods of social engineering in combination with identity theft are frequently used. For example, the attackers send cleverly worded e-mails to the users.
If the victims believe they know the sender and consider the sender trustworthy, in most cases they will also consider the e-mail trustworthy and carry out the steps described in it, for example, open a link or an attachment included in the e-mail.
Other forms of phishing use specialised malware which is sent directly to the users or placed on the victims' computers by indirect methods.
Example:
- Many online banking users received e-mails that apparently came from the Service department of their bank. In the e-mail, they were informed that, due to changes to the services, they needed to log in to the web site specified using their standard banking password and enable the new services using a TAN. The web site looked authentic, but had nothing to do with the bank mentioned in the e-mail. Instead, the web site was prepared by attackers and placed on the Internet. The only purpose of the web site was to enable the attackers to collect access data to other people's accounts.
Similar attacks have also been conducted on the users of popular eCommerce and auction web sites.
Pharming
Pharming refers to the manipulation of the name resolution of Internet domain names in order to divert client accesses to forged servers. For example, this can enable an attacker to cause a forged web site to be displayed in the victim's browser instead of the site actually requested. The pharming approach is based on phishing. The term "pharming" is derived from the words "phishing" and "farming".
From a technical point of view, there are several ways the attacker can achieve the manipulation of the name resolution, for example:
- Attackers can forge DNS information on DNS servers by exploiting vulnerabilities or faulty configurations.
- Attackers can insert false DNS information in DNS caches (DNS cache poisoning).
- Malware can be used to modify the "hosts" file on the client.
- Unauthorised changes can be made to the configuration of routers, for example, if the passwords of the devices are weak.
By means of pharming, an attacker could assign the IP address of a false server to the host name used for an Internet banking server and then redirect the user's requests to this server. In many cases, the web sites created on the false servers for such attacks are visually identical to the original web site, and so the users do not become suspicious.
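As an added illustration of the hosts-file manipulation named above (example code written for this page, not from the catalogue), the following Python check parses a client's hosts file and flags sensitive host names that are mapped to addresses other than those expected, or that share one address. The sample hosts content, the host names and the expected-address list are constructed; in practice the expected addresses would come from a trusted resolver or an inventory.

```python
import ipaddress
import re

# Constructed sample hosts file, as it might look after malware appended
# entries diverting banking and auction hosts to one attacker-controlled server.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost ip6-localhost
# Entries appended by malware
203.0.113.7 online.bank.example www.bank.example
203.0.113.7 login.auction.example   # inline comment
"""

# Hypothetical allowlist: addresses these sensitive names are expected to
# resolve to (constructed values; documentation address ranges).
EXPECTED = {
    "online.bank.example": {"198.51.100.10"},
    "www.bank.example": {"198.51.100.10"},
    "login.auction.example": {"198.51.100.20"},
}


def parse_hosts(text):
    """Yield (address, hostname) pairs; handles comments, blank lines, IPv4/IPv6."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        addr, *names = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(addr)    # normalises e.g. IPv6 spelling
        except ValueError:
            continue                           # malformed line maps nothing
        for name in names:
            yield str(ip), name.lower()


def find_pharming_entries(text, expected=EXPECTED):
    """Return findings as (hostname(s), address, reason) tuples."""
    findings, by_addr = [], {}
    for addr, name in parse_hosts(text):
        by_addr.setdefault(addr, set()).add(name)
        if name in expected and addr not in expected[name]:
            findings.append((name, addr, "unexpected address"))
    # Several monitored names on one address is a further pharming indicator.
    for addr, names in by_addr.items():
        sens = sorted(n for n in names if n in expected)
        if len(sens) > 1:
            findings.append((",".join(sens), addr, "shared address"))
    return findings
```

Running find_pharming_entries(SAMPLE_HOSTS) reports each of the three diverted names and the shared 203.0.113.7 entry, while a hosts file containing only loopback entries yields no findings.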