Crooks Move from Phishing to Pharming Financial Data

March 2, 2005
New scams redirect consumers trying to login to their online accounts

As if phishing scams weren't bad enough, security experts have found a new "phlavor" of the month: "Pharming."

What is pharming? It operates on the same principle as phishing: fooling on-line users into thinking they're at a legitimate banking site when, in fact, they are not. But unlike phishing, which a savvy on-line user can avoid by not answering suspect e-mails, pharming is almost undetectable. It relies on trojans that alter the way an infected machine and its browser reach a banking site, so that an attempt to log onto the real site silently redirects the browser to a spoof site. "In these cases, one doesn't even have to click on an e-mail link," says Rebecca Whitener, director of privacy services for EDS. "[It's] Pretty scary stuff."

Worst of all, once a machine is infected, someone who has typed the correct URL into the browser can still end up at the spoof site, unaware that the user name, password and account information have been harvested for identity theft or other nefarious purposes. "We're fairly concerned about pharming," says Kim Legelis, director of financial services industry solutions at on-line security firm Symantec. "This is not a flash-in-the-pan threat. Pharming is probably where phishing was 12 months ago." Notes MX Logic's chief technical officer Scott Chasin, who is widely credited with coining the "pharming" term: "Pharming is a next-generation phishing attack without the lure."
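One concrete way a trojan achieves the "typed the correct URL, landed on the spoof site" effect is to rewrite the local hosts file, which the operating system consults before DNS. The article does not say which technique the trojans it describes use, so the following is an added example, not code from the article or from any vendor quoted in it: it parses a hosts file and flags two things a practitioner would look for on a suspect machine, a financial domain pinned to a non-loopback address, and a security-update host blackholed to loopback (the kind of self-defence the BankAsh-A description hints at). The sample hosts file, the IP addresses, the bank name and the watch lists are all made up for the example.

```python
import ipaddress

# Constructed sample of a hosts file as a pharming trojan might leave it.
# The addresses and the bank name are made up for this example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.examplebank.com examplebank.com
203.0.113.45    online.examplebank.com   # spoof site
127.0.0.1       liveupdate.symantecliveupdate.com
"""

# Hypothetical watch lists: financial domains that should never be pinned in
# the hosts file, and security-update domains that should never be blackholed.
FINANCIAL_DOMAINS = {"examplebank.com"}
UPDATE_DOMAINS = {"symantecliveupdate.com", "windowsupdate.com"}


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for each mapping in a hosts file.

    Handles '#' comments, blank lines, several hostnames per line and both
    IPv4 and IPv6 addresses; lines that do not start with an address are skipped.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield lineno, addr, name.lower().rstrip(".")


def registrable_domain(hostname):
    """Crude registrable-domain guess: the last two labels (no public-suffix list)."""
    labels = hostname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def find_pharming_entries(text):
    """Return a list of suspicious hosts-file mappings with a reason for each."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        domain = registrable_domain(name)
        if domain in FINANCIAL_DOMAINS and not addr.is_loopback:
            findings.append({"line": lineno, "host": name, "ip": str(addr),
                             "reason": "financial host pinned to a non-loopback address"})
        elif domain in UPDATE_DOMAINS and (addr.is_loopback or addr.is_unspecified):
            findings.append({"line": lineno, "host": name, "ip": str(addr),
                             "reason": "security-update host blackholed"})
    return findings


if __name__ == "__main__":
    for f in find_pharming_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['reason']})")
```

On a real machine the text would come from `C:\Windows\System32\drivers\etc\hosts` or `/etc/hosts`, and the financial watch list from the bank's own domains. The check is deliberately narrow: it catches the hosts-file variant only, not a trojan that patches the browser in memory or changes the DNS server setting, which is why the article's experts treat the client as the weakest link.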

The question, of course, is: What can banks and banking customers do about pharming? "There needs to be a lot of education done by the financial institutions related to these crimes," says Chasin. "Before this becomes a massive epidemic, the industry needs to act pretty quickly." For banks, it may be a matter of survival. "All of this has institutions absolutely terrified," says Joel Heinrichs, CEO of on-line security firm Lightspeed Systems, which was one of the first firms to react to pharming scams with new software protections. "It's like a battle with these guys. This is big-time fraud."

While security companies are famous for publicizing threats to keep businesses buying software, pharming is a genuine threat. Several pharming schemes have already spread across the Internet with frightening precision. Late last year, security firm LURHQ's Threat Intelligence Group publicized one such trojan that targeted users of the e-gold.com system, which allows account holders to trade electronic currency backed by gold bullion. The "Win32.grams" trojan infiltrated machines and tried to transfer currency out of victims' accounts. "That process could easily be applied at mainstream financial institutions," warns Elazar Katz, director of Unisys' active risk-management practice.

Although Win32.grams contained a bug that prevented it from working properly, Katz and other experts say it's only a matter of time before such trojans become bug-free. In the current world, on-line criminals still often perpetrate fraud manually, creating a backlog that helps keep them from exploiting the information they collect automatically with software. Automating the fraud process, however, could spell disaster. "That bottleneck will be addressed next," Katz says.

Other recent threats are equally menacing. The "Troj/BankAsh-A" trojan, which spies on a user's Internet activity until it reaches an on-line banking site, displays a fake log-in page and records keystrokes, later sending the stolen details to a remote FTP site. It also disables Microsoft's new anti-spyware protection. Targeted banks include Barclays, Cahoot, Halifax, HSBC, Lloyds TSB, Nationwide, NatWest and the U.K. Internet bank, Smile.

And as early as last summer, the "download.ject" trojan was capturing keystrokes to steal log-in information, as well as creating fake dialog boxes that prompted the user to enter confidential ATM codes, credit card numbers and other financial data. "That's where you get into some scary stuff," says Christopher Faulkner, CEO of Web hosting firm CI Host. "When some idiot has transferred all of your money to Russia, you may get your money back, but it might take three weeks. Meanwhile, you have to figure out how to pay your mortgage."

Indeed, the question is whether such threats will at some point deter people from conducting business on-line. "Consumers are losing confidence in the Internet," laments Jon Ramsey, CTO at on-line security firm SecureWorks. "If the security risk outweighs the convenience of on-line banking, then people will revert to other means." So far, the banking industry hasn't seen any mass defections. "The more important thing is to practice the vigilance so that doesn't happen," warns Doug Johnson, senior policy analyst at the American Bankers Association. He says the industry tries to strike a balance between convenience and security, even as online fraud threats proliferate. "We all see at the end of the rainbow this promise of electronic commerce," he says. "But we don't want to have a customer confidence issue."

Experts note that banks can take steps to put their customers (and themselves) more at ease. On the most basic level, banks are already educating customers about how to protect themselves from threats. "Educating our customers is the only thing we can do outside the bank to protect ourselves," says Mark Payne, director of technology at Scottsbluff, Neb.-based Platte Valley National Bank. "Our best defense is education."

Boston Private Bank & Trust, a subsidiary of the $2 billion Private Financial Holdings, recently hired two full-time staff members devoted to fraud detection and prevention, and formed a committee to coordinate consumer-education efforts. "We're trying to get the word out strongly that [consumers] need to watch their activity," says Maureen McCarthy, director of the bank's Financial Intelligence Unit. But she says the bank has shied away from providing anti-virus software or other computer advice to its customers. "I don't think any bank wants to be in the business of providing computer support to its clients," she says, noting liability issues that could arise.

Nonetheless, software vendors are urging banks to get more involved. "It's important for financial institutions to take a proactive step in getting their customers' PCs protected," says Legelis. Symantec works with several banks that allow customers to check their computers' protection level and even download a Symantec product at a discount, right through the on-line banking site. Users can also install browser plug-ins, such as the "Netcraft" plug-in for Internet Explorer or the "SpoofStick" plug-in for Mozilla's Firefox. Both can alert the user to spoof sites. "You have to attack this problem through the browser," says Andrew Stewart, security practice lead at Intellinet. "The client is the weakest link."

In addition, experts advise banks to adopt multi-factor authentication schemes, such as providing customers with a small device that displays a constantly changing one-time password, to be used in conjunction with a static password, or, on a smaller scale, simply providing a new password every month in bank statements. Biometric scanners are another option.

"Identity management is really the buzzword of 2005," says Robert Siciliano, a Boston-based personal security expert. "Two-tiered identification is really the way to go." Banks seem to be listening. "It's incredible," says Rami Habal, senior product manager at messaging security firm Proofpoint. "They're on it. [Bankers] understand what the issues are and what the threats are."