
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-03-05 InfoSec Handlers Diary Blog



Pharming and Phishing Attack; Mailbag

Published: 2005-03-05
Last Updated: 2005-03-06 01:36:58 UTC
by Koon Yaw Tan (Version: 1)

Pharming and Phishing Attack


Yesterday, we reported a case of a DNS cache poisoning attack. Thanks to all those who responded and provided us with information. Most of the affected sites should be cleaned up by now. If you continue to detect any suspicious sites, do drop us a note.



This reminds me of the pharming attack, which is DNS cache poisoning or spoofing. Most of us, if not all, are familiar with phishing attacks. Phishing is by now fairly recognizable: it tries to trick you into clicking a link in an email that directs you to a malicious site, where you are asked to disclose your personal information. In fact, the newer variant of phishing does not even require you to enter your personal information; it typically uses concealed malicious code on the spoofed website to gather information about you without your knowledge.



A pharming attack, on the other hand, does not require you to click on an email link. You can type the legitimate URL of the site, but when the name is resolved to an IP address you are directed to a bogus website. If the bogus website mirrors the legitimate site exactly, you may not even be aware of the attack.



In yesterday's case, the poisoned names happened to resolve to an obviously different site, which is how the attack was discovered.



By combining phishing and pharming techniques, an attacker could trick you into visiting a spoofed website under a legitimate URL and handing over your personal information without knowing it.



One possible way to counter such attacks is to use certificates for authentication: a bogus server reached through a poisoned name cannot present a valid certificate for the legitimate site. For critical websites, it is worth implementing extra measures to authenticate the identity of the site.
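The detection side of the pharming problem described above can be automated on the resolver: compare the A records a name actually resolves to against a known-good baseline and raise an alert when a monitored name points somewhere it should not. The following script is an added example and is not code from the diary or from the Internet Storm Center; the baseline addresses, the record names and the dig-style answer lines are all constructed for illustration, and the third sample line is the deliberately "poisoned" answer. It complements, rather than replaces, certificate validation in the browser.

```python
"""Flag DNS answers that point a monitored name somewhere it should not go.

Added example of a resolver-side pharming check. The baseline, the names and
the answer lines are constructed for illustration and are not from the diary.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Hypothetical baseline: the addresses each monitored name legitimately resolves to.
BASELINE: dict[str, set[str]] = {
    "bank.example": {"192.0.2.10", "192.0.2.11"},
    "shop.example": {"198.51.100.5"},
}

# Constructed resolver answers in a dig-style "NAME TTL CLASS TYPE RDATA" layout.
# The third line is the pharming case: a monitored name resolving outside its baseline.
SAMPLE_ANSWERS = """\
bank.example.   300    IN  A  192.0.2.10
shop.example.   300    IN  A  198.51.100.5
bank.example.   86400  IN  A  203.0.113.77
news.example.   300    IN  A  203.0.113.9
shop.example.   60     IN  A  198.51.100.5
"""

RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<addr>\S+)\s*$"
)


@dataclass(frozen=True)
class Alert:
    name: str
    addr: str
    reason: str


def parse_answers(text: str) -> list[tuple[str, int, str]]:
    """Parse A records from dig-style lines; blank or non-matching lines are skipped."""
    records: list[tuple[str, int, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m is None:
            continue
        # Normalise the owner name: drop the trailing dot, lower-case it.
        records.append((m["name"].rstrip(".").lower(), int(m["ttl"]), m["addr"]))
    return records


def check_answers(text: str, baseline: dict[str, set[str]]) -> list[Alert]:
    """Return one Alert per answer that sends a monitored name to a non-baseline address."""
    alerts: list[Alert] = []
    for name, _ttl, addr in parse_answers(text):
        expected = baseline.get(name)
        if expected is None:
            continue  # not a name we monitor
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            alerts.append(Alert(name, addr, "malformed address in answer"))
            continue
        if addr not in expected:
            alerts.append(Alert(name, addr, "address not in baseline"))
    return alerts


if __name__ == "__main__":
    for alert in check_answers(SAMPLE_ANSWERS, BASELINE):
        print(f"ALERT {alert.name} -> {alert.addr}: {alert.reason}")
```

Run against the constructed sample, the script reports a single alert for `bank.example` resolving to `203.0.113.77`. In practice the baseline would be fed from the zone's authoritative data rather than hard-coded, and the answers would come from periodic queries against the resolver being monitored.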

Mailbag


One of our readers (David) notified us that a small website was defaced, with the index file replaced by the text "Simiens - Legalize Ja Legalize Ja nossa erva". A Google search shows several sites (177 sites) defaced with the same text. At this point the cause of the attack is not known. Could it be an automated attack? If you have any information on this, let us know.



Thanks to our readers (Dominick, Jesse, Altieres, Jaakko) who pointed out the Simiens group, which seems to have been pretty busy these past few days, as seen in and mirror sites.