Thursday, May 10, 2007

"Phishing" On The "Pharm": How Thieves Combine Two Techniques To

Author: John Young

Article:
Bob squinted at the email and began to read:

"Dear eBay User, as part of our security measures, eBay Inc. has
developed a security program against fraudulent attempts and
account thefts. Therefore, our system requires further account
verification..."

Security Measures. A threat to suspend his account to prevent
"fraudulent activity". The email went on to say that there were
"procedural safeguards with federal regulations to protect the
information you provide for us."

Bob clicked the link and was confronted with an authentic-looking
logon page, just waiting for him to type in his user name and
password and "confirm" what eBay supposedly didn't know.

He almost did it. The page looked absolutely authentic, and he
had already been "set up" by the email message. His fingers were
poised over the keyboard when he happened to glance at the URL.

There was something very, very wrong with it.

"PHARMING" TO FLEECE SHEEP

The art of "pharming" involves setting up an illegitimate
website that is identical to its legitimate counterpart, for
example the eBay page Bob was almost suckered into using, and
redirecting traffic meant for the real site to the fake one.

"Pharmers" can do it in two ways:

1. By altering the "hosts" file on your computer. The hosts file
is a plain text file that maps host names to IP addresses, and
your computer consults it before it ever asks DNS. It does not
record the sites you have visited; on a home machine it normally
contains little more than an entry for "localhost". By adding a
line that pairs a legitimate name (www.ebay.com, say) with the
pharmer's IP address, the pharmer redirects your computer alone:
you type the real address, and your browser connects to the
bogus site. Any information you give that site goes straight to
the pharmer.

2. Hijacking DNS (the Domain Name System) itself. A DNS server
matches host names to their IP addresses. If a server can be
made to hand out the pharmer's address for a legitimate name, or
if your computer's DNS settings are quietly changed so that it
uses a server the pharmer controls, every computer relying on
that server's answers is redirected to the hijacker's web site.

Once that happens, it's time to be fleeced.
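The hosts-file attack described above is easy to check for by hand, but the following script does it mechanically. It is an added example, not code from the original article: the hosts-file contents and the list of watched domains are constructed, and the IP addresses are documentation ranges. It parses the file the way the operating system does (comments, blank lines, several names per line) and reports any watched site that has been pinned to an address.

```python
"""Scan hosts-file text for entries that hijack well-known sites.

Added example, not part of the original article. SAMPLE_HOSTS and
WATCHED_DOMAINS are constructed; 203.0.113.x and 192.0.2.x are
documentation addresses, not real attacker servers.
"""
import ipaddress

# Constructed hosts file. The first two entries are what a clean Windows
# or Unix hosts file normally contains; the rest are the kind of lines a
# pharmer's malware adds so that typing the real site name sends the
# browser to the attacker's server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# added by malware (constructed example)
203.0.113.45    ebay.com www.ebay.com signin.ebay.com   # looks harmless
203.0.113.45    paypal.com  www.paypal.com
192.0.2.10      mybank.example
"""

# Sites that should never appear in a home user's hosts file (sample list).
WATCHED_DOMAINS = ("ebay.com", "paypal.com")

# Names that legitimately live in every hosts file.
EXPECTED_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text.

    Handles whole-line and trailing comments, blank lines and several
    host names on one line, as the real file format allows. Lines whose
    first field is not an IP address are skipped.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: an address with no names, or vice versa
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            yield ip, name.lower()


def is_watched(hostname, watched=WATCHED_DOMAINS):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def find_hosts_overrides(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip)] for every entry that pins a watched site.

    Any such entry is suspicious: those sites are meant to be found via
    DNS, not fixed in the local file, so even a loopback address (which
    blocks the site rather than redirecting it) is worth reporting.
    """
    return [(name, ip) for ip, name in parse_hosts(text) if is_watched(name, watched)]


def unexpected_entries(text):
    """Return [(hostname, ip)] for everything that is not a localhost mapping.

    Broader than find_hosts_overrides: it catches sites you did not think
    to watch (mybank.example in the sample) at the cost of also listing
    entries the user added on purpose.
    """
    return [(name, ip) for ip, name in parse_hosts(text) if name not in EXPECTED_NAMES]


if __name__ == "__main__":
    for name, ip in find_hosts_overrides(SAMPLE_HOSTS):
        print(f"REDIRECTED: {name} -> {ip}")
    print("all non-localhost entries:", unexpected_entries(SAMPLE_HOSTS))
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts, on Unix-like systems at /etc/hosts; read either one and pass its text to `find_hosts_overrides`. A clean home machine should produce an empty list.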

DOWN ON THE PHARM

"Pharmers" tamper with your hosts file or your DNS settings using
spyware, adware, viruses or Trojans. One of the most dangerous
things you can do is to run your computer without some form of
Internet security software installed on it.

Your security software should update its virus definitions
continually and warn you when something has been downloaded from
a web site or has arrived through email. It should be able to
remove the offending file, quarantine it, or at least tell you
where it is so that you can remove it by hand.

You should also have anti-spyware and anti-adware programs
installed, and be alert to any change in how your browser
behaves. If your home page suddenly changes, or you see
advertising pop-ups (which may appear even when you are not
connected to the Internet), run a virus, spyware and adware scan.

Thanks to the efficacy of these protection programs, pharming is
a lot more difficult than it used to be. It isn't as easy to
hijack a computer as it once was.

So, the "pharmers" have teamed up with the "phishermen" to get
you to visit the bogus web page yourself, and enter all the
information they need.

PHISHING TO CATCH YOU ON THE PHARM

As Bob discovered, the page the bogus email took him to was
identical to the eBay logon page. Identical in every way except
for the URL.

Out of curiosity, he checked the URL of the real eBay logon by
going to eBay directly and clicking its logon link. The two URLs
were nothing alike, except that the bogus one did have the word
"ebay" in it twice: just enough to make it look authentic.

By combining the two techniques, the phishermen/pharmers had
avoided the high-tech problem of getting a virus past his
protection software. They had gone straight for the throat.

Bob's throat.

YOUR ONLY REAL IDENTITY THEFT PREVENTION AND PROTECTION

The only real protection against the pharmers and phishermen is
YOU. There are four questions you must ask when you read any
email demanding information:

* Why do they want it? Be extremely skeptical when they say they
have to "update their records", "comply with federal
regulations", or prevent fraud. They are the ones initiating the
fraud.

* Why can't this be done at the website? Why not invite you to
go to the website directly and provide the information there?
The answer is that a bona fide company doesn't need the "update":
it already has your details.

* What does the URL look like? Is it a string of subdomains, some
of which contain the bona fide company's name? The part that
matters is the registered domain at the end of the host name (the
last two labels before the first single slash, such as
example.net). Everything to its left is a subdomain controlled by
whoever owns that domain, which is most likely a free hosting
account, not the company.

* Have they provided partial information about you as a
guarantee that the email authentically comes from the legitimate
source? Be very careful of this one. The technique is called
"pretexting": impersonating a person or company using details
already in hand. It was used in the Hewlett-Packard scandal to
collect information. Just because they know your first and last
name (or other information supposedly known only to the
legitimate source) doesn't mean the email is legitimate. The
information may have been stolen earlier, from the company's
systems or elsewhere.
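The URL check Bob did by eye, and the "registered domain" rule from the list above, can be written down. The following is an added example, not code from the original article: the brand-to-domain table is a sample, and every URL in it is constructed. It also goes slightly beyond the text in flagging two other tricks of the period that hide the real host: a raw IP address in place of a name, and a "user name" before an @ sign that looks like the company's address.

```python
"""Inspect the host name in a URL the way Bob did, programmatically.

Added example, not code from the original article. LEGIT_DOMAINS is a
sample table and every URL tested below is constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Brand name -> the domain that brand legitimately belongs to (sample).
LEGIT_DOMAINS = {"ebay": "ebay.com", "paypal": "paypal.com"}


def registrable_domain(hostname):
    """Return the registered domain: 'a.b.example.net' -> 'example.net'.

    Simplification: assumes a one-label public suffix (.com, .net, ...).
    Production code should consult the Public Suffix List so that names
    under co.uk and similar suffixes are handled correctly.
    """
    labels = hostname.split(".")
    return ".".join(labels[-2:])


def inspect_url(url, legit=LEGIT_DOMAINS):
    """Return a list of warnings for a full URL; an empty list means no red flags.

    Checks, in order: a user name hiding the real host, a raw IP host,
    and a brand name that appears in the URL while the registered domain
    belongs to someone else (the "ebay twice" pattern from the article).
    """
    parts = urlsplit(url)
    warnings = []
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ["no host name in URL (pass a full URL including http:// or https://)"]

    # 'http://www.ebay.com@evil.example/' : the text before '@' is a user
    # name, not the site. Browsers of the period displayed it prominently.
    if parts.username is not None:
        warnings.append(
            f"'{parts.username}' before '@' is a user name, not the site; "
            f"the real host is '{host}'"
        )

    # A bare IP address instead of a company name.
    try:
        ipaddress.ip_address(host)
        warnings.append(f"host is a raw IP address ({host}), not a company name")
        return warnings
    except ValueError:
        pass

    reg = registrable_domain(host)
    searchable = host + (parts.path + "?" + parts.query).lower()
    for brand, real_domain in legit.items():
        if reg == real_domain:
            continue  # genuinely under the brand's own domain
        mentions = searchable.count(brand)
        if mentions:
            warnings.append(
                f"'{brand}' appears {mentions} time(s) in the address but the "
                f"registered domain is '{reg}', not '{real_domain}'"
            )
    return warnings


if __name__ == "__main__":
    # Constructed URLs: one genuine-looking address and two phishing patterns.
    for u in (
        "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn",
        "http://signin.ebay.com.ebay-secure-verify.example.net/ebay/login.php",
        "http://www.ebay.com@203.0.113.45/",
    ):
        print(u)
        for w in inspect_url(u) or ["  no red flags"]:
            print("  " + w)
```

Read the output the way the article tells you to read the address bar: what matters is the domain immediately before the first single slash, and a brand name anywhere else in the URL counts for nothing.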

THE BOTTOM LINE

The bottom line is: don't provide any information at the behest
of an email, no matter how authentic it looks, or how authentic
the page it directs you to looks. If you must log in, type the
company's address into your browser yourself (or use a bookmark
you made earlier) and log in at the site itself.

Your Identity Theft prevention and protection is, in the final
analysis, up to you.

Don't be the next sheep fleeced by the pharmers who caught you
with the phisherman's hook. Being dropped naked into their
frying pan is NOT a fate you want.

About the author:
John Young is a writer with a scientific and technical
background living in California. At the age of 62, he is the
father of four, grandfather of 13, and lives with his wife and
cat "Bear". Please check out his latest book on Identity Theft
http://www.youridentitystolen.com For some suggestions on Fire
Walls, Virus, Spyware and Adware protection software visit his
"California Software Shop" at http://www.pcreveal.com
