Pharming for profits
Attacks are soaring at an alarming rate, security experts say
June 2, 2005 12:00 PM ET - Computerworld
SAN JOSE -- Following Deep Throat's advice to "follow the money," hackers today are committing fraud at alarming rates, using sophisticated, multilayered "pharming" botnets that point to the need for new forms of authentication to secure e-mail originators as well as Web site destinations.
A four-member panel of cybercrime fighters dissected the ominous "phishing without a lure" pharming attacks in an "eCrime Calling" workshop at the InBox e-mail security conference here, co-sponsored by the Anti-Phishing Working Group.
Oliver Friedrichs, security manager at Symantec Corp.'s security response center, said the increase in pharming attacks has produced a steep rise in cybercrime statistics. The company's DeepSight global Internet sensor network recorded a 360% increase in phishing or pharming e-mails during the last half of 2004. DeepSight's 2 million honeypots and 4,000 devices recorded 9 million phishing e-mails for the last half of 2004, dwarfing the 2 million identified in last year's first six months. In a phishing scam, e-mail messages that look like they come from a legitimate Web site, such as a bank, are sent to users to lure them into entering sensitive information.
"It's a huge turn of events, from hacking for fun to hacking for profit," Friedrichs said. Phishers are taking advantage of "drive-by" installations, he said, injecting malware into some of the 21 vulnerabilities identified in Internet Explorer in the last half of 2004, as well as the 13 vulnerabilities identified in the Mozilla and Firefox browsers. The drive-by browser exploits place the infected machines into remote-controlled zombie botnets.
DeepSight analysis shows that 54% of all malware is designed to harvest confidential information from users, up from 44% in the second half of 2004 and 36% in the first half, Friedrichs said. Once infected, the top targets of the botnets are financial services companies followed by manufacturers.
"Phishers are sending e-mail with confidential information to multiple fake Web sites appearing to be an eBay or PayPal," said Jon Oliver, MailFrontier's director of research. "The sending botnets are being formed in many cases before the fake servers have been installed. The sophistication has grown tremendously."
Panelist Dan Hubbard, director of research at Websense Inc., said the "profit motive for phishing is very sizable. The hit rate is high, and the financial returns are quite good" as phishers develop more-sophisticated, "all-in-one" payloads that can proxy a server with a fake Web site, log keystrokes and redirect traffic.
Pharming attacks are the most ominous, said Scott Chasin, chief technology officer at MX Logic. Pharming, or maliciously redirecting a browser to a site
