A few weeks ago, I wrote about a new trend among identity thieves called pharming
, where whole domains are hijacked, and users unwillingly find themselves on familiar-looking yet fraudulent Web sites. Pharming
exploits a weakness in how the current Internet is structured, namely the Domain Name System (DNS), which translates easy-to-remember URLs into the IP addresses that networks use to route data packets across the Internet. Since that column, I've been thinking about other ways to accomplish a similar feat. For example, rather than poison or change the data on a remote DNS server, why not use a common file on your computer to redirect your desktop computer somewhere else instead?
Internet Connection 101
Almost all Internet-connected computers--Windows, Mac, Linux, even Unix--use a hosts file (Note: This type of file has no extension).
Virus writers know that hosts files can block Internet address requests, especially requests to view antivirus and security vendor Web sites.
Whenever you access a site on the Internet, instead of typing its IP address of, say, 220.127.116.11, you simply type www.cnet.com. Your computer must first learn the IP address of the server hosting the CNET site before it can connect, and it does so by asking a DNS server. As mentioned in my pharming column, identity thieves have been known to compromise DNS entries so that anyone trying to find www.yourbank.com instead gets a very good replica located on a fraudulent Web site--all the while the URL displayed on your address bar in your browser looks just fine to you.
But the TCP/IP protocol also allows for a hosts file to trump any DNS address query. Using Notepad or any text editor, you can view your own computer's hosts file contents. On a Windows machine, the hosts file is generally located within the Windows folder; on Windows NT, 2000, and XP, it's within a subfolder with your Windows drivers. A fresh hosts file should look something like this (and for the record, I don't recommend altering your hosts file):
# Copyright (c) 1998 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP stack for Windows98
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
# 18.104.22.168 rhino.acme.com # source server
# 22.214.171.124 x.acme.com # x client host
Virus writers know about hosts files
Unfortunately, virus writers know that hosts files can block Internet address requests, especially requests to view antivirus and security vendor Web sites. The recent Mytob virus is one that attacks the hosts file on Windows systems. Virus writers do this by associating the local host address of 127.0.0.1 next to the antivirus company's URL in the hosts file. 127.0.0.1 is a special loopback address for the machine you are currently using, which means that your request to go out onto the Internet to a Web site simply loops right back to your computer. Should you find yourself unable to reach an antivirus software company to obtain the latest antivirus signature file to contain or remove a virus, you might want to check your hosts file. In this one exception to the rule to not change your hosts file, I recommend first using a text editor to save the existing hosts file to something distinct, such as HostsOld, then delete all the blocked antivirus or security vendor associations (or mark them with #'s to comment them out) and save the edited file as hosts (with no extension).
You might be thinking, hey, can I also use my hosts file to block spyware and adware? You can, but I don't recommend it. Not manually. First, the list will be hard for you to maintain. Instead, I recommend downloading a free antispyware app, such as Microsoft Antispyware (beta), Spybot, or Ad-aware. Second, long lists within your hosts file often slow your computer's access to the Internet.
Scam artists also know about hosts files
You might also be thinking, OK, if a hosts file can exclude, it can also redirect, right? Yes, it can. Say you have a favorite site called BrandX.com, and it has an archrival site called BrandY.com. BrandX.com lives at 123.456.00.00 while BrandY.com lives at 126.96.36.199. If someone were to alter your hosts file so that every time you typed BrandX.com on your browser it would return BrandY.com's site instead, you'd be steamed, I'm sure. That alteration in your hosts file would look like this:
If someone were to alter your hosts file so that every time you typed BrandX.com on your browser it would return BrandY.com's site instead, you be steamed, I'm sure.
Unfortunately for you and me, scam artists are lazy. Rather than changing BankOne's DNS registration (which involves some social engineering and work), an identity thief or so-called pharmer could simply alter your hosts file instead. This would be a slow process, and updating individual computers would produce rather little profit. However, if a virus writer fell under the employ of a pharmer (or a spam merchant) and could somehow infect thousands, if not millions, of computers with a compromised hosts file, the rewards would be even greater.
Is this happening right now? Yes and no. In countries such as Brazil, malicious Trojan horses are redirecting users away from local banks and toward criminal sites, but this has yet to happen in the United States. And while a large-scale version of this attack (say, targeting many financial sites at once) hasn't happened, there's little reason to think it won't.
Any good antivirus product that's kept up-to-date should keep your system safe. Better yet, try a good security suite, and you'll have all of your antivirus, firewall, and antispyware bases covered.
Will pharming and phishing attacks succeed in undermining your confidence in online financial services? Why or why not? Talk back to me.