Social Engineering: Phishing/Pharming

Social Engineering

Social engineering, also known as "hacking humans", is a technique used by attackers that relies on weaknesses in people rather than in the network, software or hardware. The idea is to trick a company's employees into revealing passwords or other critical information that can then be used to compromise security.

One common approach: the attacker gathers as much information as possible about an employee from the company's website, including phone numbers, then calls the employee posing as a computer technician or a fellow employee with an urgent access problem and asks for a password, username or other critical information.

Many organizations have reported visitors impersonating a telephone repair or network technician and requesting access to a wiring closet, or posing as a new employee at the help desk and asking for critical information or to use someone's computer. Other techniques include posing as a regular employee who has "lost" an ID card or keys in order to be let into the building, then collecting information bit by bit.

Social engineering is an easy way for attackers to gain access despite expensive and powerful security systems, because it goes around those systems rather than through them.

Social Engineering Technique: Phishing

Phishing is a criminal activity that uses various social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by posing as a trustworthy person or business in an electronic communication. Phishing is typically carried out by email or instant message, although the phone has been used as well. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, and technical measures.

It is very common for people to use the same password for all their internet accounts for ease of remembering. Attackers exploit this by sending an email with a link to a sweepstakes or similar website that requires registration with a username and password; whatever the victim types in can then be tried against their work and banking accounts. So always use a unique password for each work account, different from your personal accounts, and change it regularly.

Damages From Phishing Attacks

The damage caused by phishing ranges from loss of access to email to substantial financial loss. This style of identity theft is becoming more popular, because of the ease with which unsuspecting people often divulge personal information to phishers, including credit card numbers, social security numbers, and mothers' maiden names. There are also fears that identity thieves can obtain some such information simply by accessing public records.

Once this information is acquired, the phishers may use a person's details to create fake accounts in a victim's name, ruin a victim's credit, or even prevent victims from accessing their own accounts.


There are several different techniques to combat phishing, including legislation and technology created specifically to protect against phishing.

  • Social responses

One strategy for combating phishing is to train users to deal with phishing attempts. One newer phishing tactic, which uses phishing emails targeted at a specific company, known as spear phishing, has been harnessed to train users at various locations, including West Point Military Academy. In a June 2004 experiment with spear phishing, 80% of 500 West Point cadets who were sent a fake email were tricked into revealing personal information.

Users who are contacted about an account needing to be "verified" can take steps to avoid phishing attempts, by contacting the company that is the subject of the email to check that the email is legitimate, or by typing in a trusted web address for the company's website into the address bar of their browser, to bypass the link in the suspected phishing message.

Nearly all legitimate email messages from companies to their customers will contain an item of information that is not readily available to phishers. Some companies, like PayPal, always address their customers by their username in emails, so if an email addresses a user in a generic fashion ("Dear PayPal customer") it is likely to be an attempt at phishing. Emails from banks and credit card companies will often include partial account numbers. Therefore, one should always be suspicious if the message does not contain specific personal information. Phishing attempts in early 2006, however, used such highly personalized information, making it unsafe to rely on personal information alone as a sign that a message is legitimate. Further, another recent study concluded in part that the presence of this information does not significantly affect the success rate of phishing attacks, suggesting that most users do not pay attention to such details anyway.

The Anti-Phishing Working Group, an industry and law enforcement association, has suggested that conventional phishing techniques could become obsolete in the future as people are increasingly aware of the social engineering techniques used by phishers. They propose that pharming and other uses of malware will become more common tools for stealing information.

  • Technical responses

Anti-phishing software is available that may identify phishing content on websites, act as a toolbar that displays the real domain name of the visited site, or spot phishing attempts in email. Microsoft's IE7 browser, Mozilla's Firefox 2 and Opera from version 9.1 include a form of anti-phishing technology by which a site is checked against a list of known phishing sites; if the site is suspect, the software may either warn the user or block the site outright. Firefox 2 uses Google's anti-phishing data, which can also be installed under IE6. Such block-lists only catch sites that have already been reported, so a freshly registered phishing domain passes until someone flags it. Spam filters also help protect users from phishers, because they reduce the number of phishing-related emails that users receive. An approach introduced in mid-2006 (similar in principle to using a hosts file to block web adverts) involves switching to a special DNS service that filters out known phishing domains, which works with any browser.
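The user-side checks described above (do not trust the link as displayed; be suspicious of generic "Dear customer" greetings) and the block-list lookup performed by the browsers just mentioned can be automated. The following is an added example, not code from the original article or from any of the products it names: it parses an HTML email, flags anchors whose visible text names one domain while the real href points at another, flags hrefs whose host appears on a block-list, and reports a generic greeting. The block-list, the watched brands, the sample email and all `.example` hostnames are constructed for the demo.

```python
"""Flag phishing-style links in an HTML e-mail.

Added example, not code from the original article.  It automates two of the
checks discussed above: a link whose visible text names one domain while the
real href goes to another (the reason for typing a trusted address instead
of clicking), and an href host that appears on a block-list of known
phishing sites (the kind of list IE7 / Firefox 2 consulted).  The block-list,
brand list and sample e-mail are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed block-list; a real deployment would pull a feed such as PhishTank.
KNOWN_PHISHING_HOSTS = {"paypal-secure-login.example", "update-account.example"}
# Brands whose names are commonly planted inside an unrelated hostname.
WATCHED_BRANDS = ("paypal", "ebay", "bankofamerica")
# "Dear customer" style greetings; legitimate PayPal mail used the username.
GENERIC_GREETING = re.compile(r"\bdear\s+(?:\w+\s+)?(?:customer|user|member|client)\b", re.I)

SAMPLE_EMAIL = """<p>Dear PayPal customer,</p>
<p>Please <a href="http://www.paypal.com.evil.example/login">verify your account</a>.</p>
<p>Or visit <a href="https://paypal-secure-login.example/">https://www.paypal.com/</a></p>
<p>Help centre: <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname of a URL-looking string ('' if it has none)."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def registrable(host):
    """Crude registrable domain: the last two labels.  Enough for the demo;
    a real checker would consult the public suffix list."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_links(html):
    """Return one finding per suspicious <a>: {'href', 'text', 'reasons'}."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host, reasons = host_of(href), []
        if href_host in KNOWN_PHISHING_HOSTS:
            reasons.append("href host is on the phishing block-list")
        # Visible text that looks like a URL but lands on a different domain.
        text_host = host_of(text) if ("." in text and " " not in text) else ""
        if text_host and registrable(text_host) != registrable(href_host):
            reasons.append(f"text shows {text_host} but href goes to {href_host}")
        # Brand name used as a label of a domain that is not the brand's own.
        for brand in WATCHED_BRANDS:
            if brand in href_host and brand not in registrable(href_host):
                reasons.append(f"'{brand}' planted in host under {registrable(href_host)}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def has_generic_greeting(html):
    """True if the mail opens with a 'Dear customer' style salutation."""
    return GENERIC_GREETING.search(re.sub(r"<[^>]+>", " ", html)) is not None


if __name__ == "__main__":
    print("generic greeting:", has_generic_greeting(SAMPLE_EMAIL))
    for f in analyse_links(SAMPLE_EMAIL):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

Run against the sample, the first two links are flagged (brand planted under evil.example; block-listed host whose link text pretends to be paypal.com) and the genuine help link is not. The two-label "registrable domain" shortcut is the weak spot: it would treat bank.co.uk and evil.co.uk as the same domain, which is why real tools use the public suffix list.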

  • Monitoring and takedown

Several companies offer banks and other entities likely to suffer from phishing scams 24/7 services to monitor, analyze and assist in shutting down phishing websites. Individuals can contribute by reporting phishing to both volunteer and industry groups, such as PhishTank.

  • Legal responses

In the United States, Democratic Senator Patrick Leahy introduced the Anti-Phishing Act of 2005 on March 1, 2005. The federal anti-phishing bill proposes that criminals who create fake web sites and spam bogus emails in order to defraud consumers could receive a fine up to $250,000 and receive jail terms of up to five years.

Social Engineering Technique: Pharming

Pharming is an attack that redirects a website's traffic to another, bogus website. It can be carried out by changing the hosts file on a victim's computer or by exploiting a vulnerability in DNS server software. DNS servers are the computers responsible for resolving Internet names into their real addresses; they are the "signposts" of the Internet. The term pharming is a play on farming and phishing. Where phishing uses social engineering to obtain access credentials such as user names and passwords, pharming needs no cooperation from the victim: the correct address is typed, and the lookup itself lies. In recent years both have been used to steal identity information, and pharming has become a major concern for businesses hosting e-commerce and online banking websites. Dedicated measures, known as anti-pharming, are required to protect against it. Antivirus and spyware-removal software can catch the malware that rewrites a local hosts file, but they offer no protection against pharming carried out at the DNS server or the router.

While malicious name resolution can result from compromise of any of the many trusted nodes that take part in a lookup, the most vulnerable points are near the leaves of the internet. For instance, a desktop computer's hosts file, which short-circuits DNS lookup with its own local name-to-address mapping, is a popular target for malware. Once it is rewritten, a legitimate request for a sensitive website sends the user to a fraudulent copy. Desktops are attractive targets for pharming because they are typically administered far less carefully than internet servers.

More worrying than hosts-file attacks is the compromise of a local network router. Since most routers hand a trusted DNS server address to clients as they join the network, misinformation here spoils lookups for the entire LAN. Unlike hosts-file rewrites, a router compromise is difficult to detect from a client. Routers can pass bad DNS information in two ways: misconfiguration of existing settings, or a wholesale rewrite of the embedded software (firmware). Nearly every router allows its administrator to specify a particular DNS server in place of the one suggested by an upstream node (e.g., the ISP). An attacker who gains access to that setting can specify a DNS server under his own control instead of a legitimate one, and all subsequent resolutions will go through the bad server. A practical check is to compare the DNS server address your computer received from the router (shown by ipconfig /all on Windows) with the one your ISP publishes.

Protecting Against Pharming

The good news: pharming requires considerably more technical sophistication from the attacker than phishing does.

The bad news: there is little an end user can do to stop a DNS-level pharming attack once it is in place. The defenses that exist are indirect: checking that a sensitive site is served over HTTPS with a valid certificate issued for the expected domain (a bogus copy at the wrong address will generally not have one), keeping the hosts file and the router's administration credentials and firmware under control, and, on the operator side, DNSSEC-signed zones.

If you suspect a site is being pharmed, a few commands at a Windows command prompt will help tell.

  • Click Start > Run, type "cmd" (without the quotes) and press Enter

Once the command prompt opens

  • type "ping -n 1" (without the quotes), a space, and the domain name you find questionable. The address shown is the one your computer actually uses: the hosts file is consulted first, then the DNS server your machine is configured with.

  • type "nslookup" followed by a space and the same domain name. nslookup asks your configured DNS server directly and ignores the hosts file, so if this address differs from the ping result, the hosts file probably contains an override.

  • type "nslookup", a space, the domain name, another space, and the address of a DNS server you trust (your ISP's published resolver, for example). This asks that server directly, bypassing whatever DNS server the router handed out.

If all three answers agree (or fall in the same address range), you are probably OK. If the first two agree but differ completely from the third, the router or your configured DNS server is feeding bad answers. A reverse lookup of a suspicious IP address (nslookup followed by the address) proves little, since whoever controls that address block, not the bank, decides which name it maps back to. For technologically less savvy users, it may be beneficial to hand the task of detecting an attack to somebody else; a proposal referred to as active cookies offers pharming detection in some instances.
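The hosts-file and router attacks described above, and the command-prompt comparison just given, can be scripted. The following is an added example, not code from the original article: it audits a hosts file for entries that pin sensitive names, builds a raw DNS A query with the standard library so a chosen resolver can be asked directly (what "nslookup name server" does), and compares the two answers. The watch-list, the sample hosts-file contents, the sample DNS response and the `.example` names are constructed for the demo; 9.9.9.9 is used only as a stand-in for a resolver you trust.

```python
"""Pharming checks: hosts-file audit plus a direct DNS query for comparison.

Added example, not code from the original article.  The watch-list, sample
hosts file and sample DNS response below are constructed for the demo.
"""
import random
import socket
import struct

SENSITIVE_DOMAINS = {"www.mybank.example", "login.mybank.example"}   # assumed watch-list

SAMPLE_HOSTS = """# constructed sample of %SystemRoot%\\System32\\drivers\\etc\\hosts
127.0.0.1       localhost
::1             localhost
192.0.2.44      www.mybank.example login.mybank.example   # injected by malware
10.0.0.5        intranet.corp.example
"""


def hosts_overrides(hosts_text, watch=SENSITIVE_DOMAINS):
    """Return {name: ip} for watched names that the hosts file pins to an address."""
    hits = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()        # drop comments, tokenise
        for name in fields[1:]:
            if name.lower() in watch:
                hits[name.lower()] = fields[0]
    return hits


def build_a_query(name, txid):
    """RFC 1035 header (recursion desired) plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:            # two-byte compression pointer
            return off + 2
        off += 1 + ln


def parse_a_answers(msg, txid):
    """IPv4 addresses from the answer section; rejects a bad txid or rcode."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned rcode {flags & 0xF}")
    off = 12
    for _ in range(qd):                  # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def resolve_via(name, server, timeout=3.0):
    """Ask `server` directly over UDP (bypasses the OS resolver and the hosts file)."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_answers(data, txid)


def is_suspicious(local_ips, trusted_ips):
    """No overlap between the two answers is the pharming signal.  Caveat: CDNs
    and geo-DNS can legitimately differ, so treat a mismatch as a prompt to look
    closer (certificate, whois), not as proof."""
    return not set(local_ips) & set(trusted_ips)


def live_check(name, trusted_server="9.9.9.9"):
    """Needs network: OS resolver (hosts file included) vs. a resolver you trust."""
    local = sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    trusted = resolve_via(name, trusted_server)
    return {"local": local, "trusted": trusted, "suspicious": is_suspicious(local, trusted)}


# Constructed response, as a resolver would answer the sample query.
SAMPLE_TXID = 0x1234
SAMPLE_QUERY = build_a_query("www.mybank.example", SAMPLE_TXID)
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)
                   + SAMPLE_QUERY[12:]                    # question echoed back
                   + b"\xc0\x0c"                          # name = pointer to offset 12
                   + struct.pack("!HHIH", 1, 1, 60, 4)     # A, IN, ttl 60, rdlength 4
                   + socket.inet_aton("198.51.100.7"))
```

Offline, `hosts_overrides(SAMPLE_HOSTS)` reports both bank names pinned to 192.0.2.44 while the constructed resolver answer says 198.51.100.7, so `is_suspicious` fires. On a real machine, `live_check("www.yourbank.example")` (a placeholder name) performs the same three-way comparison as the command-prompt procedure: `getaddrinfo` goes through the hosts file and the router-supplied DNS server, `resolve_via` goes straight to the resolver you named. The transaction-id check in `parse_a_answers` is the minimum a DNS client should do; it does not protect against an on-path attacker, which is the router scenario above.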