FIL-64-2005, released on July 18, 2005, discusses how “pharming” occurs and recommends strategies that financial institutions may employ to protect their Internet domain names from a successful pharming attack. “Pharming” is the term used to describe the process of redirecting Internet domain name requests to false Web sites for the purpose of collecting personal information that may later be used to commit fraud and identity theft. A tangible example would be an Internet banking customer who routinely logs in to an online banking Web site being redirected to an illegitimate Web site rather than reaching the bank's own Web site.
Pharming is similar to “phishing” in that both practices attempt to entice a person to enter personal information on a fraudulent Web site, but the difference is how a person is directed to the fraudulent site. A phishing scam (the term used to describe electronic fishing for confidential information) usually refers to fraudulently obtaining and using a person’s personal or financial information. An example might be when a person receives an e-mail that appears to be from a financial institution, government agency or other entity and that requests personal or financial information. Such e-mail may, through some enticement, request that the person give immediate attention to a situation, perhaps describing a data compromise or a request resulting from an institution’s “audit,” and ask the person to click on a link that appears to lead to the Web site of the financial institution, government agency or other entity. In phishing scams, the link leads to a phony Web site. Once a person accesses the phony Web site, he or she may be asked to provide a Social Security number, account numbers, passwords or other information used to identify the person (e.g., the maiden name of the person’s mother or place of birth). When the person fills in the information, fraudsters may attempt to either access the person’s accounts or assume the person's identity.
Pharming may take place by four different methods:
The FDIC notes that there are 13 root DNS servers for the entire Internet, which are closely protected and controlled. Most requests are resolved by a local DNS server before ever reaching a root DNS server; however, if a hacker were to penetrate one or more of these 13 root servers, the Internet could be severely compromised.
The guidance states that both consumers and businesses can take several steps to detect and prevent pharming attacks, such as:
Digital certificates – legitimate Web servers can differentiate themselves from illegitimate sites by using digital certificates, and Web sites using certificate authentication are more difficult to spoof. Consumers can use the certificate as a tool to determine whether a site is trustworthy.
Domain name management – financial institutions should diligently manage domain names, ensuring that domain names are renewed on time and investigating the possibility of registering similar domain names. Also, many registrars offer domain locks to prevent unauthorized domain slamming. Additional information on this subject may be obtained from the FDIC’s FIL-77-2000, a Guidance that includes a Bank Technology Bulletin informing banks of the risks of poor domain name management and recommending “best practices.”
DNS poisoning – financial institutions should investigate any Web site anomalies to ensure that DNS poisoning attacks are addressed promptly (e.g., if Anybank’s domain were hijacked, it would immediately stop receiving normal Internet-related requests). A drop in Internet traffic should alert technology staff to a potential problem that should be investigated.
Consumer education – financial institutions should recommend that their Internet banking customers install current versions of virus detection software, firewalls and spyware scanning tools to reduce computer infections, and should stress the importance of regularly updating software against new threats. Institutions should also educate consumers about how to know when they are connected to a trusted site rather than a spoofed site.
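The two institution-side checks the DNS poisoning item above implies (watching what the domain actually resolves to, and alerting on a sudden drop in request volume) can be automated. The following is an added example written for this summary, not code from the FDIC guidance. It assumes the institution keeps a published list of the addresses its domain should resolve to, and that answers from several resolvers and hourly request counts are collected elsewhere; the domain, addresses, resolver names and counts below are constructed sample data, and no network calls are made.

```python
"""
Defensive monitoring for a financial institution's domain (added example).

1. find_poisoned_resolvers: compares the A-record answers seen from several
   resolvers against the addresses the institution itself published. Any
   resolver returning an address outside that set is reported, which is how
   a poisoned cache or hijacked domain looks from the outside.
2. traffic_drop_alert: raises an alert when the latest hour's request count
   falls well below a rolling baseline, the symptom the guidance describes
   for a hijacked domain.
"""
from statistics import mean
from typing import Dict, List, Set

# Constructed: the addresses the institution published for its own domain.
EXPECTED_IPS: Dict[str, Set[str]] = {
    "www.anybank.example": {"192.0.2.10", "192.0.2.11"},
}

# Constructed: answers observed from three resolvers. In production these
# would come from a DNS client querying each resolver on a schedule.
OBSERVED_ANSWERS: Dict[str, Dict[str, Set[str]]] = {
    "www.anybank.example": {
        "resolver-a": {"192.0.2.10"},
        "resolver-b": {"192.0.2.11", "192.0.2.10"},
        "resolver-c": {"198.51.100.7"},  # address not in the published set
    },
}


def find_poisoned_resolvers(
    expected: Dict[str, Set[str]],
    observed: Dict[str, Dict[str, Set[str]]],
) -> Dict[str, Dict[str, List[str]]]:
    """Return, per domain, each resolver whose answers include addresses
    outside the expected set, with the offending addresses listed."""
    suspicious: Dict[str, Dict[str, List[str]]] = {}
    for domain, per_resolver in observed.items():
        allowed = expected.get(domain, set())
        bad = {
            resolver: sorted(ips - allowed)
            for resolver, ips in per_resolver.items()
            if ips - allowed
        }
        if bad:
            suspicious[domain] = bad
    return suspicious


def traffic_drop_alert(
    hourly_requests: List[int],
    baseline_hours: int = 6,
    drop_ratio: float = 0.5,
) -> bool:
    """True when the most recent hour's request count is below drop_ratio
    times the mean of the preceding baseline_hours hours. Returns False
    until enough history exists to form a baseline."""
    if len(hourly_requests) <= baseline_hours:
        return False
    baseline = mean(hourly_requests[-baseline_hours - 1:-1])
    return hourly_requests[-1] < drop_ratio * baseline


if __name__ == "__main__":
    # Constructed hourly request counts: steady traffic, then a collapse.
    counts = [1000, 980, 1010, 990, 1005, 995, 120]
    print("suspicious resolvers:", find_poisoned_resolvers(EXPECTED_IPS, OBSERVED_ANSWERS))
    print("traffic drop alert:", traffic_drop_alert(counts))
```

Both checks produce something technology staff can act on directly: the resolver name and the unexpected address for the DNS check, and a yes/no alert for the traffic check. The baseline window and drop ratio are thresholds the institution would tune against its own traffic pattern rather than fixed values.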
Domain names held by financial institutions are critical and valuable property to be protected, for both institutions and their Internet customers may be vulnerable to data and financial loss should such domain names be misused or otherwise redirected. Domain names must be monitored and protected and should be regularly reviewed and updated as a part of an institution's information security program.
The Guidance is found at: http://www.fdic.gov/news/news/financial/2005/fil6405a.html.