Continue Reading This Article
Enjoy this article as well as all of our content, including E-Guides, news, tips and more.
While they are related, pharming attacks are indeed different. Pharming is when an attacker tricks a DNS server into caching a bogus entry for a domain name for an e-commerce site. Then when a user types the domain name for that site into a browser, the DNS server provides a cached record of an evil site. The user is "pharmed" via DNS cache poisoning.
Unlike phishing attacks, email is usually not involved in pharming attacks because the attackers use real domain names, not disguised or obfuscated URLs. They poison the DNS server and force it to direct those genuine domain names to attacker controlled IP addresses.
From February 2005 to August 2005, we saw a large number of pharming attacks, due to common misconfigurations of DNS servers that made them accept the poison. While we still see a trickle of pharming attacks today, most DNS servers have improved their poisoning defenses, thereby lowering the incident of attacks. Don't be fooled, though, they are still out there and we need to be diligent. If you run a Windows-based DNS server, make sure you have selected the "Secure Cache Against Pollution" option in the configuration GUI (the default for recent versions of Windows DNS server). Also, never use Windows DNS servers configured to forward requests through BIND 4 or 8. Windows DNS servers acting as forwarders should always go through BIND 9, which can cleanse potentially poisoned records.
This was first published in July 2006