Pharming method that extorts personal information by abusing ‘Bookmark’, where one saves websites that he or she usually visits, makes appearance.

AhnLab (CEO Kwon Chi Joong) found Pharming malignant code that connects users to fake pages by changing addresses of bookmarked web browsers. Pharming is a method that first infects PCs with malignant codes and makes users to enter their financial information by connecting them to fake websites when they are trying to connect to their bank sites.

Many users usually mark sites that they usually visit as bookmarks, and there are many instances when they mark financial sites including portal sites as bookmarks. Pharming malignant code that was detected went after this fact.

Photo Image
<Fake web page that was made by copying actual financial site>

Out of users’ bookmarked links, assailants change links that either have bank names or particular words such as ‘bank’ as fake web page addresses. Because they go after bookmarked links, it is almost certain that users visit these bookmarked sites without any doubts. Assailants estimate number of infected systems by receiving IP addresses and operation system (OS) information when users access through fake websites, and malignant codes look for certificate routes within PCs and send them to FTP as compressed files if they are detected.

There are malignant codes within inside of fake web pages. When any menus are clicked, a warning window occurs by saying ‘To serve you in a much safer way, use of any internet banking, Smart banking, phone banking after 2014.3.24 (Mon) is only possible after additional verification (personal, business)’. If a user clicks ‘confirm’ button on a warning window, he or she is led to a page that extorts personal and financial information.

Site demands personal information such as name, social security number, phone number, and others and account number, password, user ID, certificate password, security card serial number, security card number, and others. Information that a user entered is sent to an assailant that made malignant codes.

Photo Image
<Fake web page that was made by copying actual financial website demands personal information and financial information excessively.>

Unlike previous malignant codes, Pharming malignant codes do not input malignant files into start programs or service area. Because these codes are not executed again after it is once executed, it is hard to know if a PC is infected. To prevent from Pharming attacks, one needs to install security update and protect his or her PC from Drive By Download attack, prevent installation of unnecessary programs beforehand, and always maintain latest anti-virus solutions.

Staff Reporter Kim, Insoon |