Protecting Your Users from Pharming

This post is the fourth and last in a series on how to protect users from common online security threats.Let’s assume for a minute that you need to send a confidential and important letter to someone. You’re extremely careful, of course, to ensure that the address is correctly written on the back of the envelope. You drop the envelope into the post box, and it is picked up by the postal service where workers dutifully and accurately interpret the address and use a map to find the recipient’s address before delivering your letter. Wonderful! Just as you’re about to celebrate, you’re told that the streets on the map that the post office used were labelled incorrectly. How confident are you that your correctly addressed envelope was delivered to the intended recipient? You may have just been ‘pharmed.’Pharming (pronounced ‘farming’) involves changing the underlying mapping of a website’s URL to direct traffic to an alternate web address. Depending on the nature of the content being viewed, victims of pharming attacks can be fooled into giving away confidential information in the belief that they are at the correct address. What’s particularly bad about pharming is that users can correctly enter a URL into a browser and still end up at the wrong website.To understand how pharming works, one needs to understand the postal system of the Internet - the Domain Name System (DNS). Every website on the Internet has at least one IP address associated with it. This is a numerical representation (e.g., 208.83.104.180) of the address for the website. Since it’s difficult to remember numbers like this, we use nicknames for websites (e.g., www.egnyte.com). When you enter a website’s nickname into your browser, it tries to get the underlying address behind the nickname from the following sources (in the order specified):

1. A local file on your system (called a ‘hosts file’).
2. DNS servers in your local network (companies can use these to prevent access to predefined web addresses).
3. Public DNS servers.

Think of DNS servers like maps that tell you exactly where the nickname you entered in your browser should take you. Pharming involves compromising any of these maps to send users to the wrong destination. For example, if you want to log in to your online banking account and you enter the address correctly, you might be taken to a site that looks very similar to your bank’s website. Your browser will even tell you that you’re at the correct address (www.yourcompletelysafebank.com), but you are actually at a website which an attacker has set up (correct nickname, wrong IP address). You then enter your username and password to log in and give away your credentials. By the time you realize something is amiss, your attacker already has your information. In 2004, a German teen was able to hijack his country’s eBay domain name, leaving thousands of users redirected to a bogus website.Preventing pharming attacks involves teaching users to be mindful of the format of URLs they use and setting up extra verification steps, in addition to a username and password, when logging in to any service on the Web. By checking that any secure page is using a URL beginning with ‘https,’ users can have further assurance that they are at the correct website. Connections through the https protocol are secure and involve using a special certificate and ‘handshake’ method to ensure that your machine is speaking to the correct server. Compromising this secret handshake is almost impossible for an attacker, and modern browsers verify that the handshake has correctly occurred. If a pharming attack has already taken place, using two factor authentication (e.g., with a phone call or SMS code) can render any credentials that are acquired by attackers useless, since they are unlikely to be able to supply the additional information to pass the second method of identity verification (unless they also have your mobile device).Egnyte has partnered with Duo Security to offer a robust Two-Step Login Verification system, which IT admins can use to enforce identity verification and mitigate the effects of pharming. Egnyte’s network also uses secure TLS encryption for all https connections to allow modern browsers to verify that users are at the correct location when browsing a website.