Pharming and Phishing
Overview
Pharming is an attack in which the attacker sets up a clone of your site and tries to trick your legitimate visitors into visiting it. Once there, the attacker captures the user's login details and any other information entered. This information can then be used to give the attacker access to your site, among other things. Phishing attacks are those in which the attacker actively entices users to follow a link to the attacker's site, give up login information, or take some other action which benefits the attacker (e.g. by placing links in spam email messages). As Ross Anderson asserts in his talk, Searching for Evil, phishing attacks cost about 35 million pounds in the UK and an estimated $200 million in the US in 2006.
What makes a site vulnerable?
All sites are potentially at risk of pharming and phishing. The nature of the Internet makes it very easy for an attacker to produce a site which looks identical to yours. Note that a site vulnerable to cross-site scripting and similar attacks may be used to host phishing links or to act as the pharming site itself.
One specific vulnerability which enables phishing attacks is the existence of an 'open redirector' page. An open redirector page is one which redirects to any webpage whose URL is passed as a parameter to the page. Such pages provide sites with useful functionality, such as the ability to track the number of times a link to an external site is clicked. However, a phisher can use it to trick users into visiting phishing pages while having them believe they are using the website they trust. This works because the phisher can create a link to a URL such as http://www.yoursite.com/redirect.php?url=http://www.phishingsite.com which appears to the unsuspecting user to be a page on your site (as the URL starts with www.yoursite.com). If followed, the link will redirect to the phishing site, which will be made to look like a page on your site (and will perform some malicious function such as gathering user login credentials).
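The fix for an open redirector is to resolve the requested target and refuse anything that does not land on a host you own. The following is an added example, not code from the original page; it assumes a redirect handler for www.yoursite.com (the page's example host) and a hypothetical allowlist, and shows the cases a naive "does the URL start with our domain?" check gets wrong.

```python
from urllib.parse import urlparse, urljoin

# Hosts the redirect endpoint may send users to. "www.yoursite.com" is the
# page's example host; the allowlist itself is an assumption for this example.
ALLOWED_HOSTS = {"www.yoursite.com", "yoursite.com"}
SAFE_FALLBACK = "/"
SITE_ROOT = "https://www.yoursite.com/"


def resolve_redirect(target: str) -> str:
    """Return a redirect destination that stays on an allowed host.

    Any target whose resolved host is not in ALLOWED_HOSTS, or whose scheme
    is not http/https, collapses to SAFE_FALLBACK, so the endpoint can no
    longer be used as the "url=http://www.phishingsite.com" link in the text.
    """
    if not target or any(ch in target for ch in "\r\n\x00"):
        # Control characters would allow response-header injection; reject.
        return SAFE_FALLBACK
    # Browsers treat backslashes in the authority as slashes; normalise first
    # so "/\\evil" is seen as the protocol-relative "//evil" it becomes.
    candidate = target.replace("\\", "/")
    # Relative paths resolve against our own root; a protocol-relative
    # "//www.phishingsite.com" resolves to an absolute URL on that host and
    # is therefore caught by the host check below.
    resolved = urljoin(SITE_ROOT, candidate)
    parsed = urlparse(resolved)
    if parsed.scheme not in ("http", "https"):
        return SAFE_FALLBACK
    # hostname strips userinfo and port, so "http://www.yoursite.com@evil"
    # yields "evil", not the trusted name a prefix match would see.
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return SAFE_FALLBACK
    return resolved
```

Exact host matching matters: "www.yoursite.com.phishingsite.com" starts with your domain name but is a different host, and the lookup rejects it.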
Phishing attacks are also possible on sites with cross-site scripting and cross-site tracing vulnerabilities. This occurs because these vulnerabilities allow the attacker to control the content of pages served by your webserver to the user, and therefore to add malicious content which performs the phishing attack (e.g. a fake login box).
Impact of the attack
Pharming, with help from phishing, can be used by an attacker to gather login details for your site. This can lead to user account compromise. It may also be used to gather information on your users such as email addresses, credit card information, etc. Such information could be used to defraud your users or to target them competitively.
Preventing the attack
Technologically, there is not much you can do to your site to protect it from pharming and phishing. However, there are steps you can take to reduce your users' exposure to pharming sites. By including unique phrases in your site, you may be able to find pharming sites by searching on these phrases. You may then be able to shut these sites down by contacting their ISPs. Alternatively, you could search for all links into these sites and request that the linking sites remove the links or redirect them to your legitimate site. You could also attempt user education by informing your visitors of the need to check the legitimacy of your site's URL each time they visit, and not to trust links in unsolicited emails. Another strategy to make pharming harder is to purchase URLs which could be interpreted as something like your site, in order to prevent pharmers from using them.
For phishing, raising user awareness and providing users with a consistent user experience not easily replicated in a scam are some of the best defences. This can include:
- Never sending links in emails and informing users of this policy
- Displaying a 'sign-in seal': that is, displaying an image or message to a user on the login page which is unique to that user. The attacker will have difficulty replicating this image on a phishing site, and the absence or change of the expected image may alert the user to the phishing attempt.
- Ensuring all pages on the site use the same domain name. This will accustom the user to expect that domain, and any change may arouse the user's suspicions.