Desktop pharming, accomplished via malware, may be a bigger epidemic than sophisticated server attacks

DNS poisoning requires elite hacking skills, which is why most analysts believe it falls short of a large-scale threat. But before you get too complacent, take notice of the poor man’s pharm, a less sophisticated and far less costly way to hijack Web page requests and forward unsuspecting users to counterfeit sites.

Instead of harvesting requests from a DNS server, the “retail” version of pharming is a desktop affair in which a user unwittingly downloads spyware, a Trojan horse, or a virus. This malware simply intercepts Web site requests and shunts the user to a bogus Web site. The rest is the now too familiar game of capturing your personal information and then redirecting you to the authentic site. Some say such low-rent pharming accounts for the vast majority of incidents.

“The bad guys are always trying to stay low enough in the food chain to escape notice but high enough to make money,” explains Sam Curry, vice president of eTrust security management at Computer Associates. You can’t get much lower than the desktop, but a rich score of user log-ins and passwords makes the rewards high enough.

The simplest and best way to protect against the poor man’s pharm is to ditch Microsoft IE, according to Dan Golding, an analyst at Burton Group. “IE is hugely susceptible to spyware,” Golding says. “Use Firefox or another alternate browser.” Golding also says you can protect against low-rent pharming by simply employing the commonsense measures of running anti-spyware and anti-virus software frequently. In addition, Curry says, every PC should have a personal firewall.

Another technique, somewhere between DNS poisoning and desktop hijacking, involves search engines. This scam takes advantage of the fact that users forget URLs — for a bank Web site, for example. The user then Googles it, gets a page of results, and clicks the first one that looks right. But in fact it’s a bogus site.

“If you can tag your site so it shows at the top of a search query result page, you can be in the pharming business,” says Jim Stickley, CTO and co-founder of TraceSecurity. “This is what legitimate businesses do all the time — namely, optimize their sites for various search engines.” Ken Silva, CSO of VeriSign, says one of the best ways to defend against this and all other pharms is to educate users.

Some analysts, however, say enterprises have not done their job on this score. “Financial institutions are still primarily looking to vendors like Symantec for protection,” says Sophie Louvel, an analyst at IDC. For example, Golding says, one large national bank all but ignored a major phishing scam last year.