Phishing and pharming represent fraudulent techniques to obtain confidential information (such as user name, password, credit card information, etc.) from computer users for misuse. In phishing, the phisher sends an apparently official electronic communication (such as an official looking email) to the victim. For example, if a phisher wishes to obtain confidential information to access a victim's account at XYZ bank, the email would typically come from an XYZ bank email address and contain official-looking logos and language to deceive the victim into believing that the email is legitimate.
Further, the phisher's email typically includes language urging the victim to access the website of XYZ bank in order to verify some information or to confirm some transaction. The email also typically includes a link for use by the victim to supposedly access the website of XYZ bank. However, when the victim clicks on the link included in the email, the victim is taken instead to a sham website set up in advance by the phisher. The sham website would then ask for confidential information from the victim. Since the victim had been told in advance that the purpose of clicking on the link is to verify some account information or to confirm some transaction, many victims unquestioningly enter the requested information. Once the confidential information is collected by the phisher, the phisher can subsequently employ the information to perpetrate fraud on the victim by stealing money from the victim's account, by purchasing goods using the account funds, etc.
Because phishers actually divert the victim to a website other than that of the legitimate business the victim intended to visit, some knowledgeable users may be able to spot the difference in the website domain names and may become alert to the possibility that a phishing attack is being attempted. For example, if a victim is taken to a website whose domain name “http://218.246.224.203/icons/cgi-bin/xyzbank/login.php” appears in the browser's URL address bar, that victim may be alert to the fact that the phisher's website URL address is different from the usual “http://www.xyzbank.com/us/cgi-bin/login.php” and may refuse to furnish the confidential information out of suspicion.
Pharming may be thought of as a specialized type of phishing attack in which there are, from the victim's perspective, no detectable changes to the domain name. In a pharming attack, the local DNS cache or DNS server is compromised, allowing a pharmer to associate a legitimate domain name (e.g., xyzbank.com) with the IP address of a sham website operated by the pharmer. Since DNS caches and DNS servers are the mechanisms responsible for resolving domain names into IP addresses, the compromised DNS cache or DNS server would associate the host name xyzbank.com with the IP address 218.246.224.203 (i.e., the IP address of the fraudster's website in the previous example). Accordingly, when the victim types in the URL address www.xyzbank.com, the compromised DNS cache or DNS server would translate this URL address to the IP address 218.246.224.203 that is associated with the pharmer's sham website. Thus, even though the victim is taken to the pharmer's website, the domain address shown on the web browser's URL address bar still shows “http://www.xyzbank.com . . . ”. Therefore, it is impossible even for the most astute computer user to detect that a pharming attack is taking place.
One approach to detecting phishing and pharming relies on detecting the fraudster's URL signature (e.g., domain name and/or other characteristics), which may be acquired over time from spam emails and user reports. However, this approach is passive since it relies on the cooperation of users and can only detect known phishers. For newly created phishing websites, detection is not possible until the fraudster's URL signature is collected, such as after a user reports a phishing attack.
Another approach is to maintain an IP address list of well-known websites (i.e., an IP address white list), and to compare the IP address of an unknown website with the IP address white list. If the IP address of the unknown website is not in the IP address white list, the unknown website is flagged as a potential phisher. However, the maintenance of such an IP address white list is time-consuming. Further, individuals and organizations often change their IP addresses for legitimate reasons. Since it is impossible to update the IP address white list in real time to keep up with IP address changes (assuming that the changes are reported at all), this approach is error-prone and suffers from a high percentage of false alarms.
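The two detection approaches described in the last two paragraphs, as an added example that is not part of the original text: a URL-signature list (approach one) and an IP white list (approach two) are each run over a handful of constructed visits to show the failure mode the text attributes to each, a newly created phishing site that no one has reported yet slipping past the signature list, and a legitimate site that has moved to a new address being flagged by the white list. All table contents, the addresses 203.0.113.10, 203.0.113.25 and 198.51.100.77 (documentation ranges) and the function names are constructed; only 218.246.224.203 comes from the text.

```python
# Approach 1: URL signatures of fraudsters already reported by users.
# Approach 2: IP addresses that well-known sites are known to use.
# Both tables are constructed for this example.
KNOWN_PHISHER_HOSTS = {"218.246.224.203"}
IP_WHITE_LIST = {"203.0.113.10"}  # xyzbank's address at the time the list was built


def signature_check(host: str) -> bool:
    """Approach 1: flag only hosts whose signature has already been collected."""
    return host.lower() in KNOWN_PHISHER_HOSTS


def whitelist_check(resolved_ip: str) -> bool:
    """Approach 2: flag any site whose resolved address is not on the white list."""
    return resolved_ip not in IP_WHITE_LIST


def classify(host: str, resolved_ip: str) -> dict:
    """Run both checks on one visit and return their verdicts side by side."""
    return {
        "host": host,
        "ip": resolved_ip,
        "signature_flag": signature_check(host),
        "whitelist_flag": whitelist_check(resolved_ip),
    }


# Constructed visits. 'truth' records what the visit really is so the
# outcomes can be read off; a real detector does not have this column.
VISITS = [
    # A phishing site whose signature was reported earlier.
    {"host": "218.246.224.203", "ip": "218.246.224.203", "truth": "phish"},
    # A phishing site created today: no report, no signature yet.
    {"host": "198.51.100.77", "ip": "198.51.100.77", "truth": "phish"},
    # The bank, still at the address recorded in the white list.
    {"host": "www.xyzbank.com", "ip": "203.0.113.10", "truth": "legit"},
    # The bank after a legitimate address change not yet reflected in the list.
    {"host": "www.xyzbank.com", "ip": "203.0.113.25", "truth": "legit"},
    # The bank's name pharmed to the fraudster's address.
    {"host": "www.xyzbank.com", "ip": "218.246.224.203", "truth": "phish"},
]


def evaluate(visits=VISITS) -> dict:
    """Count misses and false alarms for each approach over the sample visits."""
    stats = {"signature": {"missed": 0, "false_alarm": 0},
             "whitelist": {"missed": 0, "false_alarm": 0}}
    for v in visits:
        result = classify(v["host"], v["ip"])
        for name, flagged in (("signature", result["signature_flag"]),
                              ("whitelist", result["whitelist_flag"])):
            if v["truth"] == "phish" and not flagged:
                stats[name]["missed"] += 1
            if v["truth"] == "legit" and flagged:
                stats[name]["false_alarm"] += 1
    return stats


if __name__ == "__main__":
    for v in VISITS:
        print(v["truth"], classify(v["host"], v["ip"]))
    print(evaluate())
```

Over these five visits the signature list misses two of the three phishing visits (the new site and the pharmed visit, where the host name is the bank's own) but raises no false alarm, while the white list catches all three phishing visits and flags the bank's legitimate new address as well. That trade-off, a passive list that lags behind new fraudsters versus an active list that cannot keep pace with legitimate address changes, is the one the two paragraphs above describe.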