Post by PinkFloydYoshi on May 5, 2005 12:25:02 GMT -5
Nyes. Just received some news from a friend of mine that a new type of internet fraud has started called 'pharming'. This affects those who own .com, .net, .org and other top level domains. Put simply, you'll know when it's been done to you when your domain points to somewhere else. What happens is basically, when the attacker's DNS server has changed its information, this information is propagated throughout the internet across all the different DNS servers. There doesn't appear to be anything people can do to avoid getting 'pharmed' but just keep checking your whois entries often and check for incorrect information. Once something in your whois page changes, inform your host straight away. If you own a domain on Geocities, Tripod or another free provider, you won't be affected unless your host (Geocities, Tripod, etc...) gets pharmed themselves. In that case, the issue would be catastrophic and thousands upon thousands of sites will go down, not just yours. If you own a free account which you have a paid-for top level domain to point to, you're affected.

Affected forms of domains:
www.yoursite.com
www.yoursite.net
www.yoursite.org
www.yoursite.co.uk
yoursite.com
yoursite.net
yoursite.org
yoursite.co.uk

Unaffected unless 'yourhostssite' gets pharmed:
www.yourhostssite.com/yoursite
yourhostssite.com/yoursite
yoursite.yourhostssite.com

Common sense would also suggest that .tk domains are also affected. Just thought I'd raise the alarm since this would affect yoshiart.com too.
Post by red.yoshi on May 5, 2005 15:27:13 GMT -5
Ouch, I would HATE to see that happen to Yoshi Art.
Post by PinkFloydYoshi on May 5, 2005 15:36:07 GMT -5
Know what's even more worrying? It was a bunch of Nintendo site webmasters that emailed my friend. It appears they're targeting Nintendo sites.
It's a right pain because it doesn't matter whether the domain is locked or not, any top level domain is hijackable.
Apparently, this happened to ebay.de to assist with grabbing customer details (Also known as 'phishing').
Post by Lazo on May 5, 2005 15:51:36 GMT -5
Is there anything we can do other than sit around and be worried about it?
Post by PinkFloydYoshi on May 5, 2005 16:24:52 GMT -5
No, as it seems...
panix.com (an ISP/web host) was hijacked not too long ago. Ownership of the domain went from New York to Australia.
Panix has been in the hosting business since 1989, so if someone as experienced as them has this done to them, we're all going to have it sooner or later. It's just finding out your domain has been hijacked in enough time, else you'll have some severe downtime. I'm still doing some research into it. First I've heard about it to be quite honest.
Post by Soul on May 8, 2005 5:32:21 GMT -5
Heh, first time I hear of this. Well,
I do not think it works this way. The domain name would have its same DNS servers still listed, but they would be "poisoned" (set up to redirect to a different site). Usually, the method used to hijack a domain is this: Domain hijackers simply hack the email account listed in a domain's whois records (using keyloggers or whatever), then they initiate a transfer using a different registrar. The current registrar will send a message to the email listed in the whois record asking to confirm the transfer (which has been hacked). The hacker then clicks on the link in the email and completes the transfer (assuming the domain is not locked). If the domain is locked then none of this will work unless the hacker also has the domain owner's password for his current registrar's account. Still, it appears "pharmers" are using flaws deep within the worldwide registry/dns system to achieve their goals. Or perhaps they're simply hacking high-level DNS servers...
No, I have to strongly disagree. Yoshiart.com will never be pharmed simply because there are no accounts that can be hacked, much less accounts that contain credit card or bank account numbers. Pharmers would rather hack a large site where there's lots of money, obviously. There is absolutely nothing they can gain by pharming a Yoshi fan site.
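The thread suggests two different things to watch for: PinkFloydYoshi's advice in the first post to keep checking your whois entries for incorrect information, and Soul's distinction between a registrar-level hijack (transfer to another registrar via the whois contact email, only possible when the domain is unlocked) and "poisoned" name servers that still appear in whois but resolve the name elsewhere. The script below is an added example written for this thread, not code from any poster. It records a baseline of what the owner expects (registrar, registrant email, transfer lock, delegated name servers, resolved address) and diffs it against whois-style and `dig +short`-style text. All domain names, addresses and output samples are constructed for the example; in practice you would feed it the real output of `whois yoursite.example` and `dig +short yoursite.example` from a scheduled job. It goes slightly beyond the whois-only check in the first post by also catching the DNS-level case Soul describes, where whois looks untouched but resolution has changed.

```python
"""Baseline-diff monitor for a domain's registrar and DNS state.

All inputs below are constructed samples in the shape of `whois` and
`dig +short` output; swap in real command output for a real check.
"""
import re

# What the owner recorded while the domain was known to be healthy (constructed).
BASELINE = {
    "registrar": "Example Registrar, Inc.",
    "registrant_email": "owner@example.net",
    "status": {"clientTransferProhibited"},      # the transfer lock Soul mentions
    "nameservers": {"ns1.example-host.net", "ns2.example-host.net"},
    "a_records": {"203.0.113.10"},
}

# Constructed whois output for the healthy state.
HEALTHY_WHOIS = """Domain Name: YOURSITE.EXAMPLE
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited
Name Server: NS1.EXAMPLE-HOST.NET
Name Server: NS2.EXAMPLE-HOST.NET
Registrant Email: owner@example.net
"""

# Constructed whois output after a registrar-level hijack: transferred away,
# contact email replaced, lock gone, delegation pointed at other name servers.
HIJACKED_WHOIS = """Domain Name: YOURSITE.EXAMPLE
Registrar: Other Registrar Ltd
Name Server: NS1.SOMEWHERE-ELSE.EXAMPLE
Name Server: NS2.SOMEWHERE-ELSE.EXAMPLE
Registrant Email: someone@mailbox.example
"""

HEALTHY_DIG = "203.0.113.10\n"      # constructed `dig +short` output
POISONED_DIG = "198.51.100.77\n"    # same whois, but the name now resolves elsewhere

_LINE = re.I | re.M
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_whois(text):
    """Pull the tracked fields out of whois-style text, normalised to lower case."""
    def first(pattern):
        m = re.search(pattern, text, _LINE)
        return m.group(1).strip().lower() if m else None

    return {
        "registrar": first(r"^Registrar:\s*(.+)$"),
        "registrant_email": first(r"^Registrant Email:\s*(\S+)$"),
        "status": {s.lower() for s in re.findall(r"^Domain Status:\s*(\S+)", text, _LINE)},
        "nameservers": {s.lower().rstrip(".")
                        for s in re.findall(r"^Name Server:\s*(\S+)", text, _LINE)},
    }


def parse_dig_short(text):
    """Collect IPv4 answers from `dig +short`-style output (one address per line)."""
    return {ln.strip() for ln in text.splitlines() if _IPV4.fullmatch(ln.strip())}


def check_domain(baseline, whois_text, dig_text):
    """Return a list of human-readable findings; an empty list means no change."""
    findings = []
    seen = parse_whois(whois_text)

    if seen["registrar"] != baseline["registrar"].lower():
        findings.append(f"registrar changed: now {seen['registrar']!r}")
    if seen["registrant_email"] != baseline["registrant_email"].lower():
        findings.append(f"registrant email changed: now {seen['registrant_email']!r}")

    missing_locks = {s.lower() for s in baseline["status"]} - seen["status"]
    if missing_locks:
        findings.append(f"transfer lock removed: {sorted(missing_locks)}")

    expected_ns = {n.lower() for n in baseline["nameservers"]}
    if seen["nameservers"] != expected_ns:
        findings.append(f"nameserver delegation changed: now {sorted(seen['nameservers'])}")

    # Whois can look untouched while the answer served for the name has changed.
    answers = parse_dig_short(dig_text)
    if answers != set(baseline["a_records"]):
        findings.append(f"resolved address changed: now {sorted(answers)}")
    return findings


if __name__ == "__main__":
    for label, w, d in [("healthy", HEALTHY_WHOIS, HEALTHY_DIG),
                        ("hijacked", HIJACKED_WHOIS, HEALTHY_DIG),
                        ("poisoned", HEALTHY_WHOIS, POISONED_DIG)]:
        print(label, check_domain(BASELINE, w, d) or "no change")
```

The healthy pair produces no findings; the hijacked whois trips the registrar, email, lock and delegation checks even though the address still resolves correctly; the poisoned case trips only the resolution check, which is exactly the case a whois-only review would miss.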
Post by yosivictor2004 on May 8, 2005 17:54:04 GMT -5
Post by PinkFloydYoshi on May 8, 2005 20:04:19 GMT -5
> Heh, first time I hear of this. Well, I do not think it works this way. The domain name would have its same DNS servers still listed, but they would be "poisoned" (set up to redirect to a different site). Usually, the method used to hijack a domain is this: Domain hijackers simply hack the email account listed in a domain's whois records (using keyloggers or whatever), then they initiate a transfer using a different registrar. The current registrar will send a message to the email listed in the whois record asking to confirm the transfer (which has been hacked). The hacker then clicks on the link in the email and completes the transfer (assuming the domain is not locked). If the domain is locked then none of this will work unless the hacker also has the domain owner's password for his current registrar's account. Still, it appears "pharmers" are using flaws deep within the worldwide registry/dns system to achieve their goals. Or perhaps they're simply hacking high-level DNS servers...

Well, I don't see how ebay.de had it done. Surely the registrar would investigate if a domain which belongs to the busiest auction site in the world requested for it to point somewhere else. At least contact the owner of the domain directly. I know, but a lot is done for no reason. A TV program here showed a bunch of chav kids beating the daylights out of a metro. When asked why they did it, they said they didn't know. I know, it baffles me beyond belief as to why they would do it. They'd target sites like ebay or qxl.com mainly so they could increase the invisibility of being able to tell whether the email a user is reading is phish or the real thing. That'd be the sole reason, but random sites are done "just for the heck of it". I've done some messing around with Windows 2003's DNS server and apparently, it can use DNS authentication, to prove to the server it's propagating itself to, that it is a trusted machine, and not another computer.
If in fact the net's high level DNS servers are using authentication, then there's hacking involved. If not however, it leads me to ask, "Why not?".
Post by Soul on May 8, 2005 21:32:02 GMT -5
Because the skill level required to hack a high-level DNS server is a major deterrent. Anyone can go and break lights from a metro if they want to, they don't need any technical knowledge to do it. With high-level DNS servers it's not just a matter of wanting to, you have to know a lot of technical stuff like source code auditing, reverse-engineering, searching for known/unknown vulnerabilities, writing custom programs to carry out the exploiting, etc... it's like attacking a fortress (important DNS server) rather than a normal house (home computer).
The "hackers" that hack for no apparent reason are the script kiddies, the "digital chavs". Their knowledge about computers is just a few levels above the average PC user, which means they can't touch DNS servers. True hackers aren't typical chav kids looking for something they can have fun destroying, they are looking for money. i.e. if they steal confidential corporate information, they're doing it so they can sell it to that company's competition, and not just for the heck of it.
Post by red.yoshi on May 8, 2005 21:34:04 GMT -5
Post by Not-Garr on May 18, 2005 12:23:18 GMT -5
Well, the way it seems to me, there is something we can do, if they pharm yoshiart.com, I know this sounds a bit..extreme, but why not counter-pharm it and get the domain back? That seems the most likely thing to do, other than using Outlook to download your e-mails from your server, delete the e-mails on the server, and keep your e-mail in Outlook...*shrugs* I'm not experienced in internet goings, so I'm not sure. But it sounds like it'd work.
Post by Soul on May 18, 2005 22:51:23 GMT -5
Because none of us knows how to hack a high-level DNS server.
Post by Yoshi Vert on May 20, 2005 10:34:47 GMT -5
Gee ... I've read an article about "pharming" on "infos du net". It is said that many websites like americanexpress.com, fedex.com and msn.com have been "pharmed": data has been hijacked. This is the URL where I've read the article. Sorry, it is in French.
www.infos-du-net.com/actualite/4579-DNS-Pharming.html