A pharming attack occurs when the victim is fooled into entering sensitive
data into a location they believe to be trusted, such as an online bank site
or a trading platform. An attacker can impersonate such a trusted site and
have the victim directed to the attacker's copy rather than the originally
intended one.
Pharming does not require script injection or clicking on malicious links
for the attack to succeed.
Attack Execution Flow
The attacker sets up a system mimicking the one trusted by the users. This is
usually a website that requires or handles sensitive information.
The attacker then poisons the resolver for the targeted site. This is
achieved by poisoning the DNS server, or the local hosts file, that directs
the user to the original website.
When the victim requests the URL for the site, the poisoned records direct
the victim to the attacker's system rather than the original one.
Because the original site and the attacker-controlled one look identical,
and the URL is still the original one, the victim trusts the website reached
and the attacker can now "farm" sensitive information such as credentials or
account numbers.
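The second step above is detectable on the endpoint: a pharming override of a public domain has to live somewhere, and the local hosts file is the simplest place to audit. The following is an added example (not CAPEC's or the page's own code) of such an audit in Python. The hosts-file contents, the domain names and the address values are constructed for the example; a real deployment would read the actual hosts file and load the monitored domain list from policy.

```python
import ipaddress

# Constructed sample hosts file, as a defender might collect it from an
# endpoint. The lines for bank.example and login.trading.example are the kind
# of override a pharming attack leaves behind (203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges, not real hosts).
SAMPLE_HOSTS = """\
# Static table lookup for hostnames.
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    fileserver.corp.example
203.0.113.77    bank.example www.bank.example
198.51.100.5    login.trading.example
"""

# Constructed policy: public domains that must never be answered from the
# local hosts file, because their correct answers come only from DNS.
MONITORED_DOMAINS = frozenset({"bank.example", "trading.example"})


def parse_hosts(text):
    """Parse hosts-file text into (ip, hostname, line_no) tuples.

    Comments (everything after '#') and blank lines are ignored. A line whose
    first field is not a valid address is skipped so that one malformed line
    does not abort the audit of the rest of the file."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((str(ip), name.lower(), line_no))
    return entries


def is_monitored(hostname, monitored=MONITORED_DOMAINS):
    """True if hostname is a monitored domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in monitored)


def audit_hosts(text, monitored=MONITORED_DOMAINS):
    """Return findings for hosts-file entries that override a monitored domain.

    Any static mapping for such a domain is suspicious regardless of the
    address it points to: it bypasses DNS entirely, so the browser shows the
    genuine URL while connecting to whatever address the line names."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if is_monitored(name, monitored):
            findings.append({
                "line": line_no,
                "hostname": name,
                "address": ip,
                "reason": "static hosts entry overrides DNS for a monitored domain",
            })
    return findings


if __name__ == "__main__":
    # On a real endpoint: open("/etc/hosts") or the Windows equivalent.
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['hostname']} -> {f['address']} ({f['reason']})")
```

The same comparison applies one layer up: answers from the local resolver for the monitored domains can be checked against a trusted resolver's answers, which catches the DNS-server poisoning variant of the step rather than only the hosts-file variant.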
Attack Prerequisites
Vulnerable DNS software, or an improperly protected hosts file or router,
that can be poisoned.
A website that handles sensitive information but does not use a secure
connection with a valid certificate is also prone to pharming.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Spoofing
Analysis
Modification of Resources
Examples-Instances
Description
An online bank website requires users to provide their customer ID and
password to log on, but does not use a secure connection.
An attacker can set up a similar fake site and leverage pharming to
collect this information from unknowing victims.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
The attacker needs to be able to poison the resolver - DNS entries or
local hosts file or router entry pointing to a trusted DNS server - in
order to successfully carry out a pharming attack. Setting up a fake
website, identical to the targeted one, does not require special
skills.
Resources Required
Apart from enough knowledge of the way the targeted site has been structured
to create a fake version, no additional resources are required. Poisoning
the resolver requires knowledge of a vulnerability that can be exploited.
Probing Techniques
The attacker observes the targeted website for use of secure connection to
exchange sensitive information. If it does not use secure connections,
victim users cannot distinguish between the original and fake versions of
the website.
The attacker can also fingerprint the software running on the targeted
system (DNS server, router or host) and look for vulnerabilities in order to
poison the entries.
Solutions and Mitigations
All sensitive information must be handled over a secure connection.
Known vulnerabilities in DNS or router software or in operating systems
must be patched as soon as a fix has been released and tested.
End users must ensure that they provide sensitive information only to
websites that they trust, over a secure connection with a valid certificate
issued by a well-known certificate authority.
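Server-side enforcement of the first mitigation, as an added example in Python that is not CAPEC's or the page's own code: a WSGI middleware that never lets the sensitive endpoints be served over plaintext and that sets a Strict-Transport-Security header on secure responses. The point for pharming is that once the browser has seen HSTS for the genuine site it will insist on HTTPS even when a poisoned record sends it to an impostor, and the impostor then has to present a certificate for the original name that it cannot obtain from a well-known authority. The application, the path list and the host name are constructed for the example.

```python
# Constructed: paths whose requests carry credentials or account data.
SENSITIVE_PATHS = frozenset({"/login", "/transfer"})
# One year, including subdomains; adjust max-age to the deployment's policy.
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def is_https(environ):
    """Use the scheme the server itself negotiated. X-Forwarded-Proto is
    deliberately ignored here: a client-supplied header must not be able to
    declare a plaintext connection 'secure'."""
    return environ.get("wsgi.url_scheme") == "https"


def enforce_tls(app):
    """WSGI middleware: sensitive data is only ever handled over HTTPS."""
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if not is_https(environ):
            if path in SENSITIVE_PATHS and environ.get("REQUEST_METHOD") == "POST":
                # Refuse instead of redirecting: by the time a POST arrives
                # over plaintext the credentials have already crossed the wire,
                # so redirecting would only hide the mistake from the client.
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"Sensitive data must be sent over HTTPS.\n"]
            host = environ.get("HTTP_HOST", "localhost")
            start_response("301 Moved Permanently",
                           [("Location", f"https://{host}{path}")])
            return [b""]

        def secure_start_response(status, headers, exc_info=None):
            # Replace any HSTS header the app set so the policy here wins.
            headers = [h for h in headers
                       if h[0].lower() != "strict-transport-security"]
            headers.append(HSTS_HEADER)
            return start_response(status, headers, exc_info)

        return app(environ, secure_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Stand-in for the bank application (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def call(app, environ):
    """Run a WSGI app without a server; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def make_environ(scheme, method, path, host="bank.example"):
    """Minimal WSGI environ for the example (bank.example is constructed)."""
    return {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method,
            "PATH_INFO": path, "HTTP_HOST": host}


if __name__ == "__main__":
    app = enforce_tls(demo_app)
    for env in (make_environ("http", "GET", "/"),
                make_environ("http", "POST", "/login"),
                make_environ("https", "POST", "/login")):
        status, headers, _ = call(app, env)
        print(env["REQUEST_METHOD"], env["wsgi.url_scheme"], env["PATH_INFO"],
              "->", status, headers.get("Strict-Transport-Security", ""))
```

Terminating TLS at a reverse proxy does not change the design: the proxy, not the client, must be the one that tells the application which scheme was used, and the application should trust only that source.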
Dnsmasq before 2.21 allows remote attackers to poison the DNS cache
via answers to queries that were not made by Dnsmasq.
CVE-2004-1754
The DNS proxy (DNSd) for multiple Symantec Gateway Security products
allows remote attackers to poison the DNS cache via a malicious DNS
server query response that contains authoritative or additional
records.
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.