PHARMING

• What is Pharming ?

You must be well aware of phishing and its potential to cause damage. In phisihing you are being spammed with malicious deceiving e-mail requests for you to visit spoof Web sites which appear legitimate.

Pharming on the other hand poisons a DNS server by infusing false information into the DNS server, resulting in a user’s request being redirected elsewhere. Your browser, however will show you are at the correct Web site, which makes pharming a bit more serious and more difficult to detect.

Pharming is a derivate from phishing. Both use “ph” instead of an “f” and are part of a computer slang.

• What is DNS :

The Domain Name System (DNS) is a hierarchical naming system, which translates human-friendly computer hostnames into IP addresses. For example, www.example.com translates to 192.0.32.10.

• DNS Poisoning :

Pharming attacks do not take advantage of any new technique. They use the well known DNS cache poisoning, domain spoofing and domain hijacking techniques that have been around for quite long.

1. The hacker hacks into the DNS server and changes the IP address for www.nicebank.com. He put the IP of www.n1cebank.com (Hacker’s site).

2. User wants to go the website www.nicebank.com and types the address in the web browser.

3. User’s computer queries the DNS server for the IP address of www.nicebank.com.

4. Since the DNS server has already been poisoned by the attacker, it returns the IP address of www.n1cebank.com to the user’s computer.

5. The user has now been fooled into visiting the fake website controlled by the attacker rather than the original www.nicebank.com website.

• Host Redirection :

The hosts file is a computer file used in an operating system to map hostnames to IP addresses. The hosts file is a plain-text file and is traditionally named hosts.

Location: %SystemRoot%\system32\drivers\etc\


Add an entry at the bottom where it says : 127.0.0.1 localhost

66.102.9.147 www.myspace.com

What it will do is redirect the person from myspace website to ip 66.102.9.147 which is the ip for google.com.

Thus the attacker can manipulate the IP and take the victim towards any fake website.

• Prevent Pharming :

1. Pharming Conscious web sites that use forms to accept passwords or other sensitive information ensure that the page that contains the form itself is served using HTTPS.

2. If you visit an SSL-enabled website, look out for this warning message window. If you get it, doubly check if the website you are visiting gave this message in earlier instances. Check if the URL is the same that you intend to go to.

3. SpoofStick is a simple browser extension that helps users detect fake websites. This tool is free and installs itself into your browser. It’s available for firefox and internet explorer. For more information go to Spoofstick.



Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...