Don't Let Your Users Buy the 'Pharm'
Blocking Pharming Schemes
Lyne Bourque
Hosts Files
The last form of pharming is one where the hosts file on the system is altered. Every machine that uses the TCP/IP protocol still has a hosts file, a holdover from before DNS. Prior to the use of DNS servers, hosts files were used to resolve the name of a machine (e.g., www.winplanet.com) to an associated IP address. Back in the early 80s, when the internet was rather small, it made sense. Today, with millions of machines, it's unwieldy.
However, the hosts file does have some advantages for today. If, for instance, you've ever wanted to get rid of ads, you can use the hosts file to resolve common ad servers to localhost (127.0.0.1). This can be found pretty much anywhere online and can be part of your user's image.
Attackers, however, can use the hosts file to resolve a common e-commerce site (say, American Express) to an address of their choosing (say, imphishingformoremoneytospendelsewhere.com). While it will apparently resolve as AmericanExpress.com, it will actually be served up by the attacker's fraudulent website. This file alteration is done when the user clicks on the link provided.
An Administrator's Guide to Blocking Pharming Schemes
So with all that said, how can an enterprise defend against pharming attacks? More importantly, should an enterprise defend against them? Well, let's deal with the first question and we'll end with the second.
There are a variety of tools out there, but nothing, and I mean NOTHING, beats education. Educating your users so they understand the risks and how to deal with these threats is half the battle. As I write this, apparently a new form of phishing is making the rounds.
Accounts that were already compromised are being used to get further information from users. An email arrives with the user's credit card or ATM card number on it. The email asks that the PIN be updated on the website linked in the email. I was rather surprised to see one site suggest that a solution is to not click on the link but to instead visit the website. That's not the solution. The solution is to call the bank and/or visit the bank in person. There are some things that shouldn't be done online. This is one example.
And what should your users be educated about? Basically a reminder that companies shouldn't ask for personal information via email or other insecure channels. They should call the company from a phone number published in the phone book rather than online from a website (who knows, it might be a pharmed site) to verify that the financial institution does, in fact, need the requested info.
But this only protects users to an extent. The rest can be done with a little bit of technology and diligence on the part of the administrator.
First, implement perimeter-level checks. That is, when users go out to websites, malware should be prevented from running. This process should be transparent to the user. Additionally, you may want to use firewall blocks on certain address types or locations. This is obvious stuff but worth mentioning.
You can also add further, similar support with logon scripts that put "custom" hosts files on user desktops. These hosts files (a Google search for "ad-blocking hosts file" can help you find some "prefab" ones, and you can add more sites as you discover phishing sites) will help limit the effectiveness of both the spyware and malware types.
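As an added illustration (not code from the article), here is a small audit that a logon script could run against the hosts file it just deployed: it parses the file the way the resolver does, treats loopback and 0.0.0.0 sinks as the expected ad-blocking pattern, and flags any hostname pointed at a routable address, plus any watched financial domain that is overridden at all. The sample hosts file, the 198.51.100.23 address and the watched-domain list are constructed for the example.

```python
import ipaddress

# Constructed sample hosts file (not from the article): two legitimate ad-sink
# entries alongside a pharming-style override of a card issuer's domain.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-adserver.net      # ad sink: harmless
127.0.0.1       tracker.example.org            # ad sink: harmless
198.51.100.23   www.americanexpress.com americanexpress.com   # points at a routable host
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) per active entry; '#' comments stripped."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield n, fields[0], [h.lower() for h in fields[1:]]

def audit_hosts(text, watched_domains=(), allowed_names=()):
    """Return (line_no, address, hostname, reason) for each suspicious entry.
    Hardening files only sink names to loopback or 0.0.0.0, so any other target is
    the pharming pattern; watched domains (banks, card issuers) are flagged wherever
    they point. allowed_names is the admin's known-good override list."""
    watched = tuple(d.lower() for d in watched_domains)
    allowed = {a.lower() for a in allowed_names}
    findings = []
    for n, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, ip, names[0], "unparseable address"))
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified
        for name in names:
            if name in LOCAL_NAMES or name in allowed:
                continue
            if any(name == d or name.endswith("." + d) for d in watched):
                findings.append((n, ip, name, "watched domain overridden"))
            elif not sinkhole:
                findings.append((n, ip, name, "hostname redirected to routable address"))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, watched_domains=["americanexpress.com"]):
        print("line %d: %s -> %s (%s)" % finding)
```

On a real desktop the script would read the live hosts file (for example C:\Windows\System32\drivers\etc\hosts) and report findings to the administrator instead of printing them.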
Secondly, implement internal email checks. These are more commonly found in the form of spam filters. Many utilities and/or applications exist that will deal with spam, phishing, and other activities.
Third, check your DNS servers regularly. If you think something is suspect, make sure that you flush the DNS cache. On a Windows DNS server, try the command dnscmd.exe /ClearCache. In BIND 9, you can run rndc flush. BIND 8 will need a restart. For local Windows desktops, ipconfig /flushdns is one way to clear their cache. This last one could be part of a logon script.
Now the last possible way to deal with pharming may be to go to a company like Anonymizer. Anonymizer has been around for quite a while (since 1996). A lot of what they do deals with privacy of individuals. However, they do have a VPN appliance, Chameleon, that may have some benefits in dealing with pharming issues, amongst others.
By going through their network, you are mitigating, to a degree, the potential impact of a pharming exercise on your own network. They are presently partnering with another company to ensure that they have an updated list of phishing sites (every 15 minutes) as well as maintaining secure DNS servers that their proxies go through. What this means is that rather than you going through all the work of finding out which sites are phishing or being pharmed, they do that work for you.
So why would a company be worried about all this stuff? I mean, this is just a personal issue, right? This shouldn't be a FUDing exercise ("FUDing" defined as encouraging Fear, Uncertainty, and Doubt), but rather, being more aware of the issues going on. Employees that get caught in some of these will then spend their time trying to deal with it and using corporate resources (e.g., phone, time, etc.) to get it resolved.
Additionally, there's nothing to say that you may not have a competitor or two with some questionable ethics. This would certainly be one way to mine more information about your company and the people that comprise it. For example, if they know that half the employees deposit their checks at HomeGrown Pink House bank, then creating a spoofed site for them to visit and install some type of keylogger opens up your internal network in ways that can prove dangerous for your data. Diligence and education will help deal with this.
This whole thing started with a quote about the fact that we should distrust email. At this point, I'm sad to report, we should distrust nearly everything about the internet. And truly, it's a shame. We need to bring trust back and make it a trusted, secure platform for ecommerce, research, and entertainment.
By ensuring that we don't have to worry about where our employees go, whether for personal or business-related activities, then we also ensure that they can relax and enjoy their work.