Pharming - Yet Another Tool Used By Identity Thieves 9/2006

CONSUMER ALERT

 

MIKE COX

ATTORNEY GENERAL

 

The Attorney General provides Consumer Alerts to inform the public of unfair, misleading, or deceptive business practices, and to provide information and guidance on other issues of concern.

 

PHARMING - yet another tool used by identity thieves

 

 

WHAT IS PHARMING?

"Pharming" and "phishing" are a pair of favorite Internet devices used by criminals to cheat consumers out of their valuable personal information.  Pharming is an attack in which a computer user is fooled into entering sensitive data - such as a password or credit card number - into a malicious Web site that impersonates a legitimate commercial site.  Phishing attacks begin with e-mail messages designed to induce consumers to click on bogus Web site links that are contained in the message.  Financial service institutions are the most popular target for both scams.

Pharming is sneakier than phishing in that the crook does not have to rely on the victim clicking a link in an e-mail.  In a pharming attack, the user correctly enters a word address/domain name into a browser's address bar, but instead of visiting a legitimate Web site, the user is redirected by the crook to a Web page that merely looks like it might be legitimate.  In reality, the unsuspecting victim has landed at a malicious Web site whose only goal is to steal consumers' personal information.  So, when users enter their login names and passwords, the information is captured by criminals and used to commit identity theft and related frauds.

HOW DOES THE CROOK REDIRECT INTERNET TRAFFIC?

 

The scam relies on the fact that word addresses used by computers are translated into distinct numerical addresses.  The Internet uses a series of domain name servers that translate the familiar word address you type into a specific numerical Internet address that you never see.  Thus the word address/domain name may be www.example.com, while the Internet name may be "123.0.4.567."  The Internet name or address (technically called IP address) consists of four numbers, each between 0 and 255, which are separated by . (dots).

 

For example, if you type www.michigan.gov, the request goes to a domain name system (DNS) server, which then locates the registered Internet address for the Web server at the State of Michigan Web site.  While typing www.michigan.gov is much more convenient than remembering a numeric code, the translation from words to numbers is a vulnerable link in the Internet's infrastructure, as savvy criminal hackers can change the domain name system record or even take down the DNS system altogether.  This technique is often referred to as DNS poisoning.

 

E-MAILED VIRUSES RESPONSIBLE FOR SMALLER-SCALE PHARMING

 

E-mailed viruses that rewrite local host files on individual personal computers have been used to conduct smaller-scale pharming attacks.  Before your computer contacts your Internet Service Provider's domain name server, it checks a local host file to determine the accurate numerical address.  A computer with a compromised host file will direct a user to the wrong Web site, even when the correct word address/domain name is entered.
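As an added illustration (not part of the original alert), the following Python sketch audits the contents of a local host file and reports any entry that pins a watched domain to a fixed numerical address, which is the symptom of the host-file tampering described above. The watch list, the sample file contents and the function names are assumptions constructed for this example.

```python
import ipaddress

# Constructed sample host-file contents (not taken from a real machine).
SAMPLE_HOSTS = """\
# sample hosts file, constructed for illustration
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.example-bank.test   example-bank.test  # injected entry
0.0.0.0         ads.tracker.test
192.0.2.10      intranet.corp.test
bad-line-without-address
"""

# Hypothetical watch list: domains that should only ever be resolved through DNS.
WATCHED = {"example-bank.test", "michigan.gov"}

def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for every well-formed mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or no hostname
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an IP address
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]

def is_watched(host, watched):
    """True if host is a watched domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in watched)

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, ip, host) for watched names mapped to a routable address."""
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # localhost mappings and 0.0.0.0 blocklist entries do not redirect
        findings += [(line_no, str(ip), h) for h in hosts if is_watched(h, watched)]
    return findings

if __name__ == "__main__":
    for line_no, ip, host in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} is pinned to {ip}, bypassing DNS")
```

To audit a real machine, pass the text of /etc/hosts (or C:\Windows\System32\drivers\etc\hosts on Windows) to audit_hosts in place of the sample.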

HOW TO COMBAT PHARMING

A Web site designed to combat pharming attacks will use a secure connection to prevent impersonations.  The site typically uses the HTTPS Web protocol on its login page to allow the user to verify the Web site's identity.  If an attacker attempts to impersonate this type of Web site, the user will receive a message from the browser indicating that the Web site's "certificate" does not match the address being visited.

An example of what the message looks like is provided compliments of the anti-pharming Web site www.pharming.org.  Users should NEVER click "Yes" in response to such a window:

 

Again, users should NEVER click "Yes" in response to this type of window. 

 

Additional measures to help avoid pharming attacks include:

  • Install and update a personal firewall program (only protects against virus-type pharming attacks).

  • Regularly run anti-virus and anti-spyware programs.

  • Check for updates to your operating system and patches for other commercial software programs that address security vulnerabilities. 

Users of Microsoft Windows operating systems should be sure to check for updates at Microsoft's Web site, www.microsoft.com, and users of Windows XP can review built-in firewall options. 

 

In addition, there are a variety of free or low-cost firewall and anti-virus programs available for download.  Users can use search engines to read reviews of competing products for effectiveness, ease of use, and frequency of updates. 

 

Additional measures include:

  • Carefully examine the supposedly secure portion of a Web site to be sure that the Web address in your browser gives an HTTPS secure site indicator, not just an unsecured HTTP indicator.

  • Check the padlock icon by double clicking on it to determine who owns the security certificate of any questionable site.  Fake sites either will not have a certificate or the certificate will appear to be owned by an entity unrelated to the financial institution.

Changes in the login information on a financial Web site can also be an indicator of potential pharming activity.  If you are uncertain about a site, you may wish to contact your financial institution by telephone.

 

CONSUMER ID THEFT INFORMATION AND FILING A COMPLAINT

 

Consumers can take steps to reduce their risk and react effectively if ID theft strikes (see the Consumer Alert, "Identity Theft Information for Michigan Consumers").

 

Additional consumer alerts and information on how to file a consumer complaint are available from the Attorney General's Consumer Protection Division:

 

Consumer Protection Division
P.O. Box 30213
Lansing, MI 48909

517-373-1140
Fax: 517-241-3771

Toll free: 877-765-8388
www.michigan.gov/ag (online complaint form)

Copyright © 2001-2008 State of Michigan