The sky is falling! The sky is falling! ...or is it?

What is this thing called “pharming”? Put simply, it’s redirection of web traffic, so that the server you think you’re talking to actually belongs to a criminal. For example: you think you’re talking to www.examplebank.com because it says so in the browser’s address bar, but actually you’re connected to www.mafia-R-us.ru.

This can happen in three main ways:

1. DNS Hijack: a social engineering attack on the Internet infrastructure. Criminals pretend to be the domain owner and have the bank’s name re-pointed to their servers.
2. DNS Poisoning: as above, but a technical attack, taking advantage of possible bugs in the DNS.
3. Malware: a virus, worm, Trojan, or piece of spyware could redirect traffic, usually by writing to the Hosts file, thus circumventing the DNS altogether.

None of these issues are new. This is unlikely to become as big a problem as phishing. Beware of scare-mongers looking for cheap publicity.

So this isn’t as big a problem as some people believe. Let’s examine the reasons in more detail, and provide some actionable recommendations for organizations. While I’m at it, I’ll also take the lazier banks to task for not doing more to protect their customers from phishing and pharming attacks.

The fundamental reason that this isn’t as big a problem as some believe is that it’s not a new problem. In other words, we’re not starting from ground zero. It’s not like the phishing problem, in that respect.

Here’s why we needn’t worry too much about each of the three redirection methods above:

There were two high-profile DNS hijacking cases recently: suffered by Panix and eBay Germany. Neither of these cases would have happened if the correct, standard procedures had been followed by the respective domain registrars. The very fact that they did happen will cause domain registrars the world over to more carefully follow existing procedures.

DNS poisoning relies on hackers finding security holes in the DNS infrastructure. Such potential security problems are rare, and tend to be quickly fixed. The weakest point is likely to be local DNS caches in firewall products. Organizations using such features should ensure that they have processes in-place to ensure that they are always up to date with security patches.

Most organizations and individual consumers now recognize the need for anti-virus scanning. Increasingly, they are also recognizing the need for anti-spyware scanning. Such scanners mitigate the malware risk. Organizations without a strategy to filter all types of malware (not just classic viruses) should develop and implement one.

Finally, and perhaps most importantly, we should critically examine the security of the banks and other websites that pharming and phishing seek to attack. For example, a surprisingly large number of banks still rely on a simple username/password combination; many of them claim that users will not accept the additional burden of stronger authentication methods. This is a lazy and complacent attitude. (I recently wrote a report for Ferris Research, Phishing: What To Tell End-Users, which included several other recommendations for banks and other websites, to help them phoil phishers.)

While malicious redirection is a significant potential issue for internet users, recent PR-led activities risk blowing the severity out of proportion.