“Phishing” on the “Pharm”: How Thieves Combine Two Techniques to Steal Your Identity
October 09, 2006
John Young is a writer with a scientific and technical background
living in California. At the age of 62, he is the father of four,
grandfather of 13, and lives with his wife and cat “Bear”. Please check
out his latest book on Identity Theft.
For some suggestions on firewall, virus, spyware and adware
protection software visit his California Software Shop.
John Young has written one article for DomainInformer.
Bob squinted at the email and began to read:
“Dear eBay User, as part of our security measures, eBay Inc. has
developed a security program against fraudulent attempts and account
thefts. Therefore, our system requires further account verification…”
Security Measures. A threat to suspend his account to prevent
“fraudulent activity”. The email went on to say that there were
“procedural safeguards with federal regulations to protect the
information you provide for us.”
Bob clicked the link and was confronted with an authentic-looking
logon page, just waiting for him to input his user name and password
and confirm what eBay supposedly didn't know.
He almost did it. The page looked absolutely authentic, and he had
already been “set up” by the email message. His fingers were poised
over the keyboard when he happened to glance at the URL.
There was something very, very wrong with it.
“Pharming” to Fleece Sheep
The art of “pharming” involves setting up an illegitimate website
that is identical to its legitimate prototype, for example the eBay
page Bob was almost suckered into using, and redirecting traffic to it.
“Pharmers” can do it in two ways:
1. By altering the “Hosts” file on your computer. The Hosts file
maps website names to IP addresses, and your computer consults it
before it asks a DNS server. By inserting a new IP address into the
entry corresponding to a website, your own computer can be redirected
to the pharmer's website. Any information you give the bogus site is
immediately hijacked by the
2. Hijacking the DNS (Domain Name System) server itself. A DNS server
matches host names with their IP addresses. If this server can be
coerced into assigning new IP addresses to familiar names, all
computers using the name resolution provided by that DNS server will be
redirected to the hijacker's web site.
Once that happens, it's time to be fleeced.
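As an added illustration (this is example code, not from the original article): a small Python check that parses a hosts file and flags any entry pinning a well-known public domain, or a subdomain of it, to an address outside the loopback and private ranges. A hosts file never needs such an entry for a public site, because DNS resolves it, so its presence is exactly the kind of change a pharmer makes. The sample hosts text, the 203.0.113.45 address and the watch list of domains are constructed for the example.

```python
"""Audit a hosts file for entries that override public site names.

Added example, not from the original article. It flags hosts entries
that send a watched public domain somewhere other than the local
machine or the local network.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample hosts file: the first three entries are ordinary,
# the last one pins two eBay names to an outside address (constructed).
SAMPLE_HOSTS = """\
# Standard loopback entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    printer.lan

# suspicious entry (constructed for this example)
203.0.113.45    www.ebay.com signin.ebay.com
"""

# Address ranges a hosts entry may legitimately point at: loopback,
# RFC 1918 private space, link-local and their IPv6 equivalents.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]      # one IP, one or more names
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def is_local_address(ip: str) -> bool:
    """True if the address lies inside one of LOCAL_NETWORKS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                           # not an IP address at all
    return any(addr in net for net in LOCAL_NETWORKS)


def suspicious_entries(text: str, watch_domains: Iterable[str]) -> List[Tuple[str, str]]:
    """Flag entries that map a watched public domain (or a subdomain of it)
    to a non-local address."""
    watched = [d.lower() for d in watch_domains]
    flagged = []
    for ip, name in parse_hosts(text):
        matches = any(name == d or name.endswith("." + d) for d in watched)
        if matches and not is_local_address(ip):
            flagged.append((ip, name))
    return flagged


if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS, ["ebay.com", "paypal.com"]):
        print(f"WARNING: {name} is pinned to {ip} in the hosts file")
```

On a real machine you would read the file from its platform location (for example C:\Windows\System32\drivers\etc\hosts or /etc/hosts) instead of the constructed sample, and keep the watch list to the sites you actually log in to.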
Down on the Pharm
“Pharmers” hijack your “hosts” file or DNS servers using spyware,
adware, viruses or Trojans. One of the most dangerous things you can do
is to run your computer without some form of Internet security software
installed on it.
Your security software should be continually updating its virus
definitions, and be capable of warning you if something has been
downloaded from a web site or through email. It should be able to
remove it, “quarantine it”, or tell you where it is so that you can
remove it by hand.
You should also have anti-spyware and anti-adware programs installed,
and be aware of any change in your Internet browsing patterns. If your
home page suddenly changes, or you see advertising pop-ups (which may
appear even when you are not connected to the Internet), you should run
a virus, spyware or adware scan.
Thanks to the efficacy of these protection programs, pharming is a
lot more difficult than it used to be. It isn't as easy to hijack a
computer as it once was.
So, the “pharmers” have teamed up with the “phishermen” to get you
to visit the bogus web page yourself, and enter all the information
Phishing to Catch You on the Pharm
As Bob discovered, the page he had been taken to by the bogus email
message was identical to the eBay logon page. Identical in every way
except for the URL.
Out of curiosity, he checked the URL for the eBay logon by accessing
eBay directly and clicking on the logon link. The two URLs were
nothing alike, except the bogus one did have the word “ebay” in it
twice - just enough to make it look authentic.
By combining the two techniques, the phishermen/pharmers had avoided
the high-tech problems of getting a virus past his protection
software. They had gone straight for the
Your Only Real Identity Theft Prevention and Protection
The bottom line is that the only real protection against the
pharmers and phishermen is YOU. There are three things you must
consider when you read any email demanding information:
· Why do they want it? Be extremely skeptical when they say they
have to “update their records”, “comply with federal regulations”, or
prevent fraud. They are the ones initiating the fraud.
· Why can't this be done at the website? Why not invite you to
access the website directly and provide this information? The answer is
because the bona fide company doesn't need an update.
· What does the URL look like? Is it a series of subdomains, some of
which have the name of the bona fide company? Most likely the subdomain
is set up with a free hosting company.
· Have they provided partial information about you as a guarantee
that the email authentically comes from the legitimate source? Be very
careful of this one. This technique is effective for “pretexting”,
impersonating a person or company, and was used in the Hewlett-Packard
scandal to collect information. Just because they know your first and
last name (and any other information known only to the legitimate
source) doesn't mean the email is legitimate. They probably hijacked
the information off the server.
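As an added example, not part of the original article: a Python check of the kind Bob did by hand. It splits a login URL into its parts, works out which registrable domain the link actually belongs to, and reports when the brand name shows up only in the subdomains, the path, the query or the user-info part of the URL rather than in the domain itself. The sample URLs, the example-host.net name and the short two-part suffix list are constructed assumptions; a real checker would consult the Public Suffix List.

```python
"""Check where a login link really leads.

Added example, not from the original article. The "brand in the
subdomain, somebody else's domain at the end" pattern is the one the
article describes; this code makes the comparison explicit.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption: a tiny list of two-part public suffixes. A real checker
# would load the Public Suffix List instead.
TWO_PART_SUFFIXES = {"co.uk", "com.au", "co.jp", "co.nz"}


def registrable_domain(host: str) -> str:
    """Return the part of a host name its owner actually controls, e.g.
    'ebay.com' for 'signin.ebay.com'. Uses the last two labels, or three
    when the suffix is in TWO_PART_SUFFIXES. A bare IP address is returned
    unchanged."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_login_url(url: str, expected_domain: str) -> dict:
    """Compare the domain a URL really points at with the one you expect.
    brand_decoy is True when the brand name appears in the URL but the
    registrable domain belongs to someone else."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()      # user-info and port stripped
    expected = expected_domain.lower()
    brand = expected.split(".")[0]              # e.g. "ebay"
    domain = registrable_domain(host)
    genuine = domain == expected
    # Everywhere the brand could be placed to look authentic without
    # changing who owns the host.
    elsewhere = " ".join([host, parts.username or "", parts.path, parts.query]).lower()
    return {
        "host": host,
        "domain": domain,
        "genuine": genuine,
        "brand_decoy": (not genuine) and brand in elsewhere,
        "userinfo": parts.username is not None,   # "name@host" trick
        "https": parts.scheme.lower() == "https",
    }


if __name__ == "__main__":
    # Constructed sample URLs: one genuine, two decoys.
    samples = [
        "https://signin.ebay.com/",
        "http://ebay.com.signin-ebay.example-host.net/login",
        "http://www.ebay.com@203.0.113.45/login",
    ]
    for url in samples:
        result = check_login_url(url, "ebay.com")
        verdict = "genuine" if result["genuine"] else "NOT the expected site"
        print(f"{url}\n  domain={result['domain']}  {verdict}"
              f"  decoy={result['brand_decoy']}  userinfo={result['userinfo']}")
```

The user-info case is worth noting: browsers treat everything before the "@" as a user name, so "www.ebay.com@203.0.113.45" goes to the IP address, not to eBay, and urlsplit reports the same thing.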
The Bottom Line
The bottom line is: don't provide any information at the behest of
an email, no matter how authentic it looks, or how authentic the page
it directs you to looks. If you must log in, do so at the parent site
Your Identity Theft prevention and protection is, in the final analysis, up to you.
Don't be the next sheep fleeced by the pharmers who caught you with
the phisherman's hook. Being dropped naked into their frying pan is NOT
a fate you want.