On Monday 21 March 2005 7:51 am, Ted Harding wrote:
Hi Folks,
I've just read a Guardian article this morning about the "pharming" scam -- unlike "phishing" where you click on a real-looking URL in an email, with a false one hidden behind it, this depends on a rogue program infiltrated into the computer which re-directs a genuine URL to a false address which then mimics the real one. See:
http://www.guardian.co.uk/online/news/0,12597,1442474,00.html
Nasty, but really if you are going to use a machine for online Banking then you need to be 100% sure that it has/has had no malicious software on it first. Actually this "rogue program" sounds to me a lot like something as simple as a malicious script that modifies the hosts file, would that not achieve exactly the same thing ?
I would have thought the simple solution was for people just to use the IP address, e.g.
http://155.136.80.71/EbankLoginStuff
instead of
That would work right up to the point that the site you want to visit is using virtual domains, then you are a bit stuck. Really what you should be doing is looking at the SSL certificate and checking that it is properly signed for the site you were intending to visit.
What really needs to be done to fix this (on the windows platform and assuming that it is hosts file poisoning) is to make the hosts file unwritable by anyone other than admin....ahh but wait most users run with admin rights don't they, so what we need to do is have a registry key that disables the hosts file...ahh but users with admin rights can run stuff that edits the registry.
So the problem is either a, users who are running as administrator (or something with the same rights) or b, shoody software/os design that makes/encourages people to do this.
The other nasty thing about this one is that once infected, the pharming is effective regardless of what browser you are using...however I bet there is only one browser that lets you get infected in the first place.
Of course the other thing pharmers may do is go for a badly secured DNS server at an ISP, why bother attacking local platforms when you could redirect 1000's in one go, and that would get the Mac and Linux users too.
W