Crooks Move from Phishing to Pharming Financial Data

New scams redirect consumers trying to log in to their online accounts


As if phishing scams weren't bad enough, security experts have found a new "phlavor" of the month: "Pharming."

What is pharming? It rests on the same principle as phishing: fooling on-line users into believing they are at a legitimate banking site when, in fact, they are not. But unlike phishing, which a savvy on-line user can avoid by not answering suspect e-mails, pharming is very hard for the victim to detect. It relies on trojans that tamper with the way the infected machine resolves names (typically its hosts file or DNS settings), so that an attempt to log on to the bank's real address silently lands the user on a spoof site; the browser itself behaves normally and shows the address the user typed. "In these cases, one doesn't even have to click on an e-mail link," says Rebecca Whitener, director of privacy services for EDS. "[It's] Pretty scary stuff."

Worst of all, once a machine is infected, someone who has typed the correct URL into the browser can still end up at the spoof site, unaware that the user name, password and account information have been harvested for identity theft or some other nefarious purpose. "We're fairly concerned about pharming," says Kim Legelis, director of financial services industry solutions at on-line security firm Symantec. "This is not a flash-in-the-pan threat. Pharming is probably where phishing was 12 months ago." Notes MX Logic's chief technical officer Scott Chasin, who is widely credited with coining the "pharming" term: "Pharming is a next-generation phishing attack without the lure."
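The article describes the effect of an infection without naming the mechanism; on a compromised machine the usual one is a rewritten hosts file, which takes precedence over DNS, so the bank's real hostname resolves to the attacker's server while the address bar shows the correct URL. The same file is also used to point security vendors' update hosts at loopback, which is one way a trojan "disables" anti-spyware protection. The scan below is an added example, not code from the article or from any of the firms quoted: it parses a hosts file and reports both patterns. The bank and vendor domain names, the addresses and the sample hosts file are all constructed for illustration.

```python
"""Scan a hosts file for pharming-style tampering (added example).

Three patterns are reported:
  redirect  - a watched (e.g. bank) hostname mapped to a real address
  blackhole - a public-looking hostname mapped to loopback or 0.0.0.0
  override  - any other public-looking hostname mapped to a non-private address
"""
import ipaddress
from typing import List, NamedTuple, Sequence

# Constructed sample: a Windows hosts file after a hypothetical infection.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- lines below were appended by the (hypothetical) malware ---
203.0.113.45    www.examplebank.example examplebank.example
203.0.113.45    online.examplebank.example   # bank login host
0.0.0.0         update.antivirus.example
10.0.0.5        intranet.corp.example
"""

# Hypothetical bank domains the operator wants to protect.
WATCHED_DOMAINS: Sequence[str] = ("examplebank.example",)

# Names that legitimately live in a hosts file pointing at loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}


class Entry(NamedTuple):
    lineno: int
    ip: str
    names: List[str]


class Finding(NamedTuple):
    kind: str      # "redirect", "blackhole" or "override"
    lineno: int
    ip: str
    name: str


def parse_hosts(text: str) -> List[Entry]:
    """Parse hosts-file syntax: 'IP name [alias...]'; '#' starts a comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address: skip malformed line
        if len(fields) < 2:
            continue
        entries.append(Entry(lineno, ip, [n.lower() for n in fields[1:]]))
    return entries


def _under(name: str, domain: str) -> bool:
    """True if name equals domain or is a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def _is_sinkhole(ip: str) -> bool:
    """Loopback or the unspecified address: the name goes nowhere."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def find_tampering(text: str, watched: Sequence[str] = WATCHED_DOMAINS) -> List[Finding]:
    """Return every suspicious (name -> address) mapping in a hosts file."""
    findings = []
    for e in parse_hosts(text):
        sink = _is_sinkhole(e.ip)
        private = ipaddress.ip_address(e.ip).is_private
        for name in e.names:
            if name in LOCAL_NAMES or "." not in name:
                continue  # plain local aliases are normal hosts-file content
            if any(_under(name, d) for d in watched) and not sink:
                findings.append(Finding("redirect", e.lineno, e.ip, name))
            elif sink:
                findings.append(Finding("blackhole", e.lineno, e.ip, name))
            elif not private:
                findings.append(Finding("override", e.lineno, e.ip, name))
    return findings


if __name__ == "__main__":
    for f in find_tampering(SAMPLE_HOSTS):
        print(f"line {f.lineno}: {f.kind:9s} {f.name} -> {f.ip}")
```

On the sample file the three bank hostnames are reported as redirects and the anti-virus update host as a blackhole, while the intranet entry mapped to a private address is left alone. To run it against a live system, read `C:\Windows\System32\drivers\etc\hosts` (Windows) or `/etc/hosts` and pass the contents to `find_tampering`; a hosts file that has been rewritten by DNS-settings tampering rather than by direct edits will not show up here and needs a separate comparison of the configured resolvers.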

The question, of course, is: What can banks and banking customers do about pharming? "There needs to be a lot of education done by the financial institutions related to these crimes," says Chasin. "Before this becomes a massive epidemic, the industry needs to act pretty quickly." For banks, it may be a matter of survival. "All of this has institutions absolutely terrified," says Joel Heinrichs, CEO of on-line security firm Lightspeed Systems, which was one of the first firms to react to pharming scams with new software protections. "It's like a battle with these guys. This is big-time fraud."

While security companies are famous for publicizing threats to keep businesses buying software, pharming is a genuine threat. Several pharming schemes have already spread across the Internet with frightening precision. Late last year, security firm LURHQ's Threat Intelligence Group publicized one such trojan that targeted users of the e-gold.com system, which allows account holders to trade electronic currency backed by gold bullion. The "Win32.grams" trojan infiltrated machines and tried to transfer currency out of victims' accounts. "That process could easily be applied at mainstream financial institutions," warns Elazar Katz, director of Unisys' active risk-management practice.

Although Win32.grams contained a bug that prevented it from working properly, Katz and other experts say it's only a matter of time before such trojans become bug-free. Today, on-line criminals still often perpetrate fraud manually, creating a backlog that keeps them from exploiting all of the information their software collects automatically. Automating the fraud process, however, could spell disaster. "That bottleneck will be addressed next," Katz says.

Other recent threats are equally menacing. The "Troj/BankAsh-A" trojan, which spies on a user's Internet activity until it reaches an on-line banking site, displays a fake log-in page and records keystrokes, later sending the stolen details to a remote FTP site. It also disables Microsoft's new anti-spyware protection. Targeted banks include Barclays, Cahoot, Halifax, HSBC, Lloyds TSB, Nationwide, NatWest and the U.K. Internet bank, Smile.

And as early as last summer, the "download.ject" trojan was capturing keystrokes to steal log-in information, as well as creating fake dialog boxes that prompted the user to enter confidential ATM codes, credit card numbers and other financial data. "That's where you get into some scary stuff," says Christopher Faulkner, CEO of Web hosting firm CI Host. "When some idiot has transferred all of your money to Russia, you may get your money back, but it might take three weeks. Meanwhile, you have to figure out how to pay your mortgage."
