Social Engineering Knowhow 4: The murky alleys of Pharming

In this blog, we carry our Social Engineering Knowhow series forward with pharming, one of the most unpredictable and infamous phishing techniques. Pharming is a portmanteau of phishing and farming and ranks among the most notorious social engineering attacks. Unlike phishing, SMiShing, or vishing, pharming does not depend on tricking the victim at the moment of the attack: once name resolution has been subverted, a user who types the correct address of a legitimate site is still delivered to the attacker's copy of it.

In a nutshell, pharming is widely used against home, SOHO, and SME users, primarily via two methods: DNS poisoning (including the variant known as drive-by pharming, in which a malicious web page makes the victim's own browser reconfigure the DNS settings of a home router) and malware-driven pharming.

DNS Server Poisoning

To understand how a pharming attack is executed by poisoning a DNS server, you first need to know what a DNS server does.

The Domain Name System (DNS) is the Internet's distributed directory of names. Your device sends its lookups to a resolver, typically run by your ISP, your home router, or a public DNS service, and that resolver is responsible for returning the legitimate IP address of whatever website you have requested, which is where your traffic is then sent.

DNS works much like the contacts app on your smartphone. The app stores a person's number together with their name, so when you need to call someone you search for the name and tap it, and the app places the call to the number associated with that name.

Similarly, when you enter a website address (such as www.k7computing.com) in the browser's address bar, DNS comes into play: the hostname in the URL is converted into a corresponding IP address (say, 126.81.206.69).

Resolvers, and the operating system itself, keep recently resolved names together with their IP addresses for as long as each record's time-to-live (TTL) allows. This store is the DNS cache, and it is consulted before any new lookup goes out.

In DNS cache poisoning, an attacker gets a forged answer accepted into that cache, so that a legitimate name maps to an IP address the attacker controls. Every client that relies on the poisoned cache is then sent to the attacker's server until the bogus entry expires, without the attacker ever touching the victims' machines.

DNS Server Poisoning- How it Works

Modern pharming attacks also exploit common security vulnerabilities, and default or weak credentials, in home, SOHO, and SME routers to reach the admin console. Once in, the con artists change the router's DNS settings so that every device on the network sends its lookups to a DNS server they control. Whether a resolver's cache has been forged or the DNS server address itself has been changed, the effect is the same: whenever a victim navigates to a website, the bogus lookup result redirects the traffic to a fraudulent site that does the damage.

Money-motivated cybercriminals use DNS poisoning to steal personal, business, and banking credentials, to mount man-in-the-middle attacks on the redirected sessions, and to push malware onto the victims' systems. Pointing a name at a dead address is also a cheap way to deny service to it.
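To make the poisoning mechanism concrete, here is an added toy model of a resolver cache in Python (example code written for this page, not code from the original post or from K7). It assumes a constructed name ad.attacker.example that the victim is lured into resolving, the RFC 5737 documentation addresses 198.51.100.7 and 203.0.113.66, and the post's own www.k7computing.com as the name being hijacked. It contrasts a naive cache that accepts any response carrying a matching transaction ID with one that randomises its source port, matches the question section, and drops records outside the queried zone (the bailiwick check).

```python
"""Toy model of a caching DNS resolver, contrasting a naive cache that is easy to
poison with one applying the standard mitigations: random source port, matching
the question section, and a bailiwick check on extra records.  Names and addresses
are constructed; 198.51.100.x and 203.0.113.x are RFC 5737 documentation ranges."""
import random
from dataclasses import dataclass

TARGET = "www.k7computing.com"   # name the attacker wants to hijack (name used in the post)
BAD_IP = "203.0.113.66"          # attacker's web server (constructed)


@dataclass
class Query:
    txid: int        # 16-bit transaction ID
    src_port: int    # UDP source port the resolver sent from
    qname: str


@dataclass
class Answer:
    txid: int
    dst_port: int
    qname: str       # question section echoed by the server
    records: dict    # owner name -> IPv4, answer and additional sections together


def in_bailiwick(name: str, qname: str) -> bool:
    """True if `name` belongs to the zone the question was about.  The zone is
    approximated as the last two labels of qname, which is enough for this toy."""
    zone = ".".join(qname.rstrip(".").split(".")[-2:])
    n = name.rstrip(".").lower()
    return n == zone or n.endswith("." + zone)


class NaiveResolver:
    """Fixed source port, accepts any answer whose TXID is outstanding, and caches
    every record in the response, including ones for unrelated names."""
    def __init__(self):
        self.cache, self.pending = {}, {}

    def send_query(self, qname, rng):
        q = Query(rng.randrange(1 << 16), 53, qname)
        self.pending[q.txid] = q
        return q

    def receive(self, ans):
        q = self.pending.get(ans.txid)
        if q is None or ans.dst_port != q.src_port:
            return False
        self.cache.update(ans.records)
        del self.pending[ans.txid]
        return True


class HardenedResolver(NaiveResolver):
    """Random source port; TXID, port and qname must all match; records outside
    the queried zone are discarded instead of cached."""
    def send_query(self, qname, rng):
        q = Query(rng.randrange(1 << 16), rng.randrange(1024, 1 << 16), qname)
        self.pending[q.txid] = q
        return q

    def receive(self, ans):
        q = self.pending.get(ans.txid)
        if q is None or ans.dst_port != q.src_port or ans.qname != q.qname:
            return False
        self.cache.update({n: ip for n, ip in ans.records.items()
                           if in_bailiwick(n, q.qname)})
        del self.pending[ans.txid]
        return True


def forged(txid, port, lure):
    """Response for `lure` padded with an extra record that pins TARGET to BAD_IP."""
    return Answer(txid, port, lure, {lure: "198.51.100.7", TARGET: BAD_IP})


def malicious_authoritative(resolver, lure="ad.attacker.example", seed=1):
    """Attacker runs the authoritative server for `lure`: the real query reaches it,
    so TXID and port are known and it simply answers with bad glue attached."""
    rng = random.Random(seed)
    q = resolver.send_query(lure, rng)
    resolver.receive(forged(q.txid, q.src_port, lure))
    return resolver.cache.get(TARGET) == BAD_IP


def blind_spray(resolver, lure="ad.attacker.example", seed=1):
    """Off-path attacker: triggers a lookup of `lure` and floods forged answers,
    trying every TXID against port 53 before the genuine reply would arrive."""
    rng = random.Random(seed)
    resolver.send_query(lure, rng)
    for txid in range(1 << 16):
        if resolver.receive(forged(txid, 53, lure)):
            break
    return resolver.cache.get(TARGET) == BAD_IP


if __name__ == "__main__":
    for attack in (malicious_authoritative, blind_spray):
        for cls in (NaiveResolver, HardenedResolver):
            print(f"{attack.__name__:24s} vs {cls.__name__:17s} poisoned={attack(cls())}")
```

Two attacks are modelled: an attacker who runs the authoritative server for the lure name and simply attaches an extra record for the target (the early form of cache poisoning that bailiwick checks killed), and an off-path attacker who sprays forged replies guessing the 16-bit transaction ID, which works against a fixed source port and fails once the port is random too. The hardened model is still only probabilistic: an attacker who guesses both values for a name inside the queried zone gets past it, which is why DNSSEC validation, not port randomisation, is the durable fix.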

Malware driven Pharming

Unlike DNS server poisoning, malware-powered pharming first has to get its payload onto the victim's machine, and it lures the victim primarily via email phishing.

The cybercriminal tricks the victim with a legitimate-looking email carrying a malicious link or attachment. Once the victim clicks the link or opens the attachment, the payload reroutes the victim's Internet traffic to an impersonated website and, from then on, controls which servers the machine talks to.

In malware-driven pharming, the payload rewrites the local hosts file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts on Linux and macOS), which the operating system consults before it asks any DNS server. Entries planted there pin the targeted names to fraudulent addresses, so the traffic is driven to the fake site no matter how carefully the user types the URL in the browser's address bar.
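The hosts-file tampering just described is easy to audit, and a check is worth running on any machine that has shown odd redirects. The following Python script is an added example written for this page (not K7's code or a tool the post describes); the SAMPLE_HOSTS content is constructed, 203.0.113.66 is an RFC 5737 documentation address standing in for the attacker's server, and onlinebanking.example is an invented name on the watchlist. It parses the file the way the OS does, including several names on one line and inline comments, and reports every name pinned to an address outside the loopback and LAN ranges.

```python
"""Audit a hosts file for the overrides that malware-driven pharming leaves behind.
The OS consults this file before any DNS query, so a single planted line silently
redirects a name on that machine.  Paths: C:\\Windows\\System32\\drivers\\etc\\hosts
on Windows, /etc/hosts on Linux and macOS.  SAMPLE_HOSTS is constructed;
203.0.113.66 is an RFC 5737 documentation address standing in for the attacker."""
import ipaddress
import os
from pathlib import Path

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.168.1.20    nas.lan media.lan       # LAN shortcuts added by the owner
0.0.0.0         ads.tracker.example     # ad-blocking style sinkhole, benign
203.0.113.66    www.k7computing.com     # planted: brand name pinned to an outside IP
203.0.113.66    onlinebanking.example
"""

# Address blocks that legitimately appear in hosts files for local machines.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
             "fc00::/7", "fe80::/10")]


def parse_hosts(text: str):
    """Yield (ip, hostname, line number) for each mapping; comments and blanks skipped.
    One line may carry several hostnames, and an inline comment may follow them."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            yield fields[0], name.rstrip(".").lower(), lineno


def classify(ip_str: str) -> str:
    """'local' for loopback/unspecified sinkholes, 'private' for LAN ranges,
    'public' for anything else, 'malformed' if it does not parse."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "malformed"
    if ip.is_loopback or ip.is_unspecified:
        return "local"
    if any(ip in net for net in LAN_NETS):
        return "private"
    return "public"


def audit_hosts(text: str, watchlist=()):
    """Return (lineno, name, ip, reason) for every entry that overrides public
    resolution.  Names on `watchlist` (your bank, your own brand) are also reported
    when pinned to a LAN address, since no LAN box should answer for them."""
    watch = {w.lower() for w in watchlist}
    findings = []
    for ip, name, lineno in parse_hosts(text):
        kind = classify(ip)
        if kind in ("public", "malformed"):
            findings.append((lineno, name, ip, f"{kind} address pins a name"))
        elif kind == "private" and name in watch:
            findings.append((lineno, name, ip, "watched name mapped to a LAN address"))
    return findings


def audit_hosts_file(path=None, watchlist=()):
    """Audit the live hosts file; the default path follows the operating system."""
    if path is None:
        root = Path(os.environ.get("SystemRoot", r"C:\Windows"))
        path = (root / "System32" / "drivers" / "etc" / "hosts"
                if os.name == "nt" else Path("/etc/hosts"))
    return audit_hosts(Path(path).read_text(errors="replace"), watchlist)


if __name__ == "__main__":
    for lineno, name, ip, why in audit_hosts(SAMPLE_HOSTS, watchlist={"onlinebanking.example"}):
        print(f"line {lineno}: {name} -> {ip} ({why})")
```

Loopback and 0.0.0.0 entries are deliberately ignored because ad-blocking hosts lists use them by the thousand; the signal of pharming is a name pinned to an address that should have come from DNS. Pair the audit with a check of the DNS servers configured on the machine and on the router, since a payload that leaves the hosts file alone may have changed those instead.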

Detecting a Pharming Attack

Because the damage is done at the name-resolution layer, pharming attacks are tough to detect and to stop. Sophisticated pharming attacks usually sail past the host firewall, since the traffic they generate looks like ordinary web browsing to an address the system itself resolved, and their clandestine nature makes modern pharming hard to identify. To stay safe from such attacks, SOHOs, SMEs, and enterprises should educate their employees about basic cyber hygiene principles.

The cybersecurity education and awareness programme should cover modern attack trends, the signs that identify a fishy site, and what to do if anyone encounters something malicious.

Go-to Guide for the Admins

Administrators should also keep track of every device connected to the network and the vulnerabilities it introduces. Many commercial routers and embedded systems ship with well-known unpatched vulnerabilities, which rolls out the red carpet for the con artists.

Running dated and unpatched operating systems or application software can likewise expose your network to breaches.

Always pay close attention to emails, and never click on, or forward, a suspicious email or its attachments.

Watch the websites you and your users visit. Malicious websites often aim to deliver malware payloads or browser extensions that modify your DNS settings or hosts file.

Patch all the routers on your network, and change their default admin credentials. If a manufacturer has stopped providing updates, either replace the router with a current model or flash a maintained third-party firmware (such as OpenWrt) if one supports it.

Check that each URL you visit has no typographical errors, and that the site is served over HTTPS. Bear in mind that HTTPS alone proves only that the connection is encrypted to whoever holds the certificate: a browser that has been pharmed to the attacker's server for the real domain name will normally show a certificate warning, so never click through such a warning, and confirm that the certificate is issued for the domain you expect.

Notice the website's logo, content structure, font sizes, and colour layout to spot anything fishy.

Flush your DNS cache: open the Run dialog (Start > Run, or Windows+R), type cmd and press Enter, then run ipconfig /flushdns. From Windows PowerShell, the equivalent is Clear-DnsClientCache. Flushing removes poisoned entries on that machine only until the next lookup reaches a still-compromised resolver, so also review the DNS servers configured on the machine and on the router.

Finally, ensure all your systems run trusted endpoint security software, such as K7 Endpoint Security.

Social Engineering Knowhow 3: All you need to know about Vishing and SMiShing

Continuing our social engineering series, in this blog we discuss two of the most prolific and fast-growing phishing tactics: vishing and SMiShing.

This post offers an insight into the nuances of these two infamous methods and the attack vectors they conventionally use, alongside a set of simple-to-follow tips to protect your network.

Cyber-attacks that exploit social engineering are nothing new. Cybercriminals practise a variety of methods to lure victims, and for quite a few years now SMiShing and vishing have been among the most common and popular infection vectors. Though both methods are operationally simple, they are very effective at stealing our data. In reality, many of us have already experienced such attacks at some point.

What is SMiShing?

SMiShing, or SMS phishing, is a devious way of extracting information. It is delivered through messages sent via SMS, MMS, social messengers, or instant messengers such as WhatsApp. In contrast, vishing, or voice phishing, is pitched through voice calls over a telephone or VoIP connection.

SMiShing has grown exponentially over the past few years following the worldwide spread of Internet-connected phones. Vishing, on the other hand, has been around for decades, but over time it has turned into a lethal tool for hacking into people's lives.

Interestingly, both methods bank on human emotion and employ numerous manipulation techniques to compel their victims to take urgent action.

Read More: Social Engineering And The Psychology Of Falling Prey To Cybercriminals

Real Life SMiShing Scenario

Through SMiShing, cybercriminals send authentic-looking fake messages that embed a malicious URL or an email address. The content usually reads convincingly enough to make the user respond as the threat actor intends.

For example, the latest SMS in my phone inbox, sent from an ordinary mobile number, reads: “CONGRATULATIONS! YOUR WHATS APP NO HAS WON RS 2 CRORE 75 LAKH IN THE WHATS APP GLOBAL AWARD 2020. TO CLAIM, SEND NAME:ADD:MOB NO:JOB:AGE: TO rbidelhi@rbigov.org.in”.

For better understanding, I have kept the exact capitalisation and spelling used in the message. With such alluring words, users with limited cybersecurity knowledge might feel compelled to follow the fraudsters' instructions.

If you read the message closely, you can find several discrepancies:

  • Why would WhatsApp misspell its own name? It is WhatsApp, not WHATS APP.
  • No organisation sends an official message in all caps.
  • An official message maintains proper grammar, punctuation, and spacing.
  • Why on earth would the RBI (Reserve Bank of India) be involved in an unheard-of WhatsApp Global Award 2020?
  • If you miss these primary symptoms of a phishing message, a basic web search about the RBI would tell you that its official domain is rbi.org.in, not the rbigov(.)org(.)in used in the message. A look-alike domain that contains the brand name but is not the brand's real domain is one of the most reliable tells.

Unlike the example above, many modern smishing messages are free of typos and grammar mistakes. Even so, carefully read through each message before following any instruction. If the message carries a shortened URL or a fishy email ID, delete it, or report and block the number.
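The tells listed above can be turned into a simple triage filter. The Python script below is an added example written for this page (not K7's code or a product feature the post describes); it scores a message on shouting caps, prize and urgency bait, sender domains that imitate a real organisation, URL shorteners, and requests to reply with personal data. The message quoted above is reused as one sample; the other two samples, the brand-to-domain table (rbi.org.in is the genuine RBI domain named in the text), the shortener list, and the bait-word list are assumptions for the example, and the brand match is deliberately a crude substring test.

```python
"""Heuristic scorer for SMS/IM messages based on the tells discussed above: shouting
caps, prize and urgency bait, sender domains that imitate a real organisation, URL
shorteners, and requests to reply with personal data.  The sample messages are
constructed; rbi.org.in is the genuine RBI domain cited in the text, and every other
domain, the brand table and the shortener list are assumptions for the example."""
import re

# claimed brand -> the domain it really uses (assumed lookup table, extend as needed)
OFFICIAL_DOMAINS = {"rbi": "rbi.org.in"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "cutt.ly"}
BAIT_WORDS = ("congratulations", "won", "winner", "prize", "lottery", "award",
              "crore", "lakh", "urgent", "suspended", "verify", "claim")

EMAIL_RE = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[a-z]{2,})", re.I)
URL_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
ASK_RE = re.compile(r"\b(send|reply|share your|provide)\b.{0,60}?"
                    r"\b(name|mobile|mob no|account|card|pin|otp|password)\b", re.I | re.S)

SMISH_SAMPLE = ("CONGRATULATIONS! YOUR WHATS APP NO HAS WON RS 2 CRORE 75 LAKH IN THE "
                "WHATS APP GLOBAL AWARD 2020. TO CLAIM, SEND NAME:ADD:MOB NO:JOB:AGE: "
                "TO rbidelhi@rbigov.org.in")
SHORTENER_SAMPLE = "Your account is suspended. Verify now: bit.ly/3xYz"      # constructed
BENIGN_SAMPLE = ("Your parcel is out for delivery today between 2pm and 6pm. "
                 "Track at courier.example/track/12345")                     # constructed


def caps_ratio(text: str) -> float:
    """Share of letters that are upper case; 0.0 for a message with no letters."""
    letters = [c for c in text if c.isalpha()]
    return sum(c.isupper() for c in letters) / len(letters) if letters else 0.0


def extract_domains(text: str):
    """Return (email domains, URL hosts), lower-cased.  Emails are blanked out before
    the URL scan so one address is not counted twice."""
    emails = [d.lower() for d in EMAIL_RE.findall(text)]
    hosts = [h.lower() for h in URL_RE.findall(EMAIL_RE.sub(" ", text))]
    return emails, hosts


def lookalike_of(domain: str):
    """Official domain that `domain` appears to imitate, or None.  A domain imitates a
    brand when it contains the brand name but is neither the real domain nor a
    subdomain of it (rbigov.org.in vs rbi.org.in).  Substring matching is crude on
    purpose; tune OFFICIAL_DOMAINS to the brands your users actually deal with."""
    for brand, real in OFFICIAL_DOMAINS.items():
        if brand in domain and domain != real and not domain.endswith("." + real):
            return real
    return None


def score_message(text: str):
    """List the indicators found in `text`; an empty list means nothing stood out."""
    findings, low = [], text.lower()
    if len(text) > 40 and caps_ratio(text) > 0.7:
        findings.append("mostly upper case")
    bait = [w for w in BAIT_WORDS if re.search(rf"\b{w}\b", low)]
    if len(bait) >= 2:
        findings.append("bait words: " + ", ".join(bait))
    emails, hosts = extract_domains(text)
    for d in emails + hosts:
        real = lookalike_of(d)
        if real:
            findings.append(f"{d} imitates {real}")
    findings += [f"shortened URL via {h}" for h in hosts if h in URL_SHORTENERS]
    if ASK_RE.search(text):
        findings.append("asks for personal data by reply")
    return findings


def is_suspicious(text: str) -> bool:
    """Two independent indicators are required, so a single bait word does not
    condemn a legitimate delivery notice or OTP message."""
    return len(score_message(text)) >= 2


if __name__ == "__main__":
    for sample in (SMISH_SAMPLE, SHORTENER_SAMPLE, BENIGN_SAMPLE):
        print(is_suspicious(sample), score_message(sample))
```

The two-indicator threshold is what keeps the filter honest against the well-written messages the paragraph above warns about: a polished message with a shortened URL and a single urgency word still trips it, while a delivery notice with one link does not. The filter is a triage aid for a gateway or a help-desk queue, not a verdict; the look-alike check in particular only knows the brands you put in OFFICIAL_DOMAINS.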

Read More: Everything You Should Know About Phishing

Social Forwards

Unfortunately, smishing is not limited to text messages.

With the popularity of social media and instant messengers, cybercriminals have become quite active on those platforms too, looking for potential victims.

Unlike SMS-based smishing, social media-based smishing messages tempt recipients to forward an alluring message loaded with sarcastic, humorous, or shocking content, so that the victims themselves spread the malicious link.

The Murky Lanes of Vishing

Vishing, or voice phishing, is an effective and active social engineering technique. Vishing schemes are often used to obtain the information needed to infiltrate an enterprise network. Like SMiShing, vishing activities, too, are spreading fast across social media platforms.

For example, a few months ago a voice call was doing the rounds on WhatsApp. The caller pretended to be an official representative of the Amitabh Bachchan-hosted game show KBC (Kaun Banega Crorepati) and congratulated random WhatsApp users on winning a lottery of INR 25 lakh. To "transfer the prize money", the fraudster asked for bank account numbers and a photograph of the victim's debit card.

In 2019, cybercriminals mimicked a chief executive's voice using artificial-intelligence software and had an employee transfer roughly $243,000 to a fraudulent account. The technique, known as a deepfake, can impersonate a person's voice after training on a short sample of their recorded speech, which turns the familiar voice on the phone, the very thing vishing relies on, into something a caller can fake on demand.

Ways to protect yourself from smishing and vishing

  • If you come across any finance-related fraud, report the incident to the Anti-Fraud Cell India on 8585063104.
  • Never entertain messages or calls from unacquainted persons.
  • Read every incoming message that claims to come from a bank, a game show, or a large enterprise with suspicion.
  • Look up any URL, email ID, or phone number you receive using an online search before clicking or calling.
  • Never call back the sender of a fraudulent message. Blocking the number prevents that person from sending similar messages or calling from the same number.
  • Large enterprises seldom ask their customers for information via phone calls or emails.
  • Double-check the authenticity of the sender or caller before passing on valuable personal or financial information.
  • SOHOs, SMEs, and enterprises should watch for new and emerging attack vectors and upgrade their defence strategy accordingly.
  • Embrace a cybersecurity awareness programme for all your employees.