Pharming and Phishing: A Real Threat to Law Firms
by Donna Payne of Payne Consulting Group
Given the ever-increasing amount of junk mail, spam and other unsolicited e-mail that bombards
us daily, it can be time-consuming and frustrating to separate the small percentage of
“legitimate” messages from the large piles of bogus ones. To circumvent junk e-mail filters and
other types of antispam software, spammers have become progressively more sophisticated and
wily in the methods they use to get us to read their
While spammers try to persuade you to buy or invest in something they are selling, there are more
dangerous attacks plaguing the online community. These attacks are known as pharming and
Pharming is the act of redirecting users to fraudulent websites or proxy servers. This is typically
accomplished through DNS hijacking or poisoning, and it occurs surreptitiously because the site
looks legitimate. For instance, a person may believe they are entering information on their online
banking or investment site when in actuality they are providing sensitive data to someone who is
pretending to be from the organization.
Phishing can be defined as “the act of sending an e-mail to a user falsely claiming to be an
established legitimate enterprise in an attempt to scam the user into surrendering private
information that will be used for identity theft.” The bait in this case is the e-mail message. It is
thrown out (delivered to your inbox) with the hope that while most will ignore the bait, some will
be tempted into biting (responding).
In most phishing cases, a bogus e-mail directs you to visit a website that closely mimics a
legitimate site you frequently visit, for example an online shopping or financial services site.
You are then asked to provide and update personal information, such as passwords and credit
card, social security and bank account numbers — information that the real organization already
has. The phony website then records and steals the sensitive data.
Phishing and Instant Messenger
March 2005 marked a new level of sophistication for phishing attacks when Yahoo Instant
Messenger became the delivery vehicle. The attack begins when a user receives a message from
someone on his or her buddy list directing the user to a website and prompting a sign-in. Phishers
obtain the user name and password strings to access and steal personal information stored as part of the
Dissect a Phisher’s Communication
The following example shows a phishing attack designed to steal sensitive financial account data.
I’ve provided the actual text of the message, and I’ll point out that there are quite a few tell-tale
signs that the e-mail is fraudulent.
We have recently noticed one or more attempts to log into your PayPal account from a foreign
IP address and we have reasons to believe that your account may have been hijacked by a third
party without your authorization.
If you recently accessed your account while traveling, the unusual login in attempts may have
been initiated by you. However, if you are the rightful holder of the account, click on the link
below to log into your account within the above-mentioned period.
If you choose to ignore our request, you leave us no choice but to temporaly suspend your
We ask that you allow at least 72 hours for the case to be investigated and we strongly
recommend to verify your account in that time.
If you received this notice and you are not the authorized account holder, please be aware that it
is in violation of PayPal policy to represent oneself as another PayPal user. Such action may
also be in violation of local, national, and/or international law. PayPal is committed to assist
law enforcement with any inquires related to attempts to misappropriate personal information
with the intent to commit fraud or theft. Information will be provided at the request of law
enforcement agencies to ensure that perpetrators are prosecuted to the fullest extent of the law.
Thanks for your patience and understanding as we work together to protect your account.
PayPal Account Review Department
PayPal, an eBay Company
1. Scare Tactics — The phisher tries to convince you that if you don’t respond as requested,
something bad will happen. In this case, someone is apparently attempting to log into your
PayPal account without proper authorization. These fear-based tactics are often successful on
very young users, inexperienced computer users and the elderly.
2. Misspelled Words and Grammar Errors — Grammatical errors and misspelled words
should raise a red flag. For example, “temporarily” is spelled incorrectly in the correspondence,
and there are other misuses of grammar and spelling. Often the phisherman’s native language is
not English. Deliberate misspelling is also a tactic used to get around spam filters that flag
specific keywords as junk e-mail.
3. Generic Name — Dear HR, Dear Info, Dear Invoices: these are all examples of the types of
phishing e-mails that I receive regularly because of my inclusion on certain distribution lists
within the company. In reality, phishers use any e-mail address they can get their hands on.
If the e-mail is not personally addressed, there is a good chance that it is fraudulent. Even if the
message is sent directly to you, it could still be the product of a phishing attack. A general rule to
live by — if someone is trying to obtain information from you and you question the legitimacy
of the solicitation, look up the company’s telephone number and call to verify that they have
authorized the collection of the data. Never give out your user name, password, mother’s maiden
name or other information that can be used for identity theft.
If a message is received from outside your organization, Internet header information is added and
accessible. I use Microsoft Outlook and Exchange Server and can access this information by
opening the message, then from the View menu, choosing Options and examining the Internet
E-Mail Headers, Real and Forged — Message headers are written in reverse order, with the
last SMTP server to touch the message before the final destination listed first. In the example
that follows, Microsoft Exchange attempts to identify and match the IP to the SMTP server
listed (smtp.emaruha.com to the IP 188.8.131.52). Since there was no match, the tag
RDNS failed was added. In fact, emaruha.com is a legitimate site (a Japanese restaurant),
but it doesn’t match the SMTP server’s cited location and IP.
Sometimes secondary e-mail headers are added to try to get through antispam measures.
Signs of this include duplicate, identical IP addresses and a server-name string that includes
an @ symbol, which normal servers cannot resolve.
Received: from smtp.emaruha.com ([184.108.40.206] RDNS failed) by
    ourexchangeservername.payneconsulting.com with Microsoft SMTPSVC (6.0.3790.1830);
    Wed, 6 Apr 2005 03:48:27 -0700
Received: (from root@localhost) by smtp.emaruha.com (8.11.7/3.7W05032811)
    id j36Ao6A00988; Wed, 6 Apr 2005 19:50:06 +0900
Date: Wed, 6 Apr 2005 19:50:06 +0900
Message-Id: <200504061050.j36Ao6A00988@smtp.emaruha.com>
Display Format — Since the attackers want you to think that the message is a legitimate
communication from the forged sender, they often embed real logos in the message to make
the correspondence appear more trustworthy. To accomplish this, they must force the display
format to HTML. Most authentic e-mails also offer a plain text version for mail user agent
compatibility.
These are only two examples of information that is accessible in every externally originated e-
How Can You Protect Yourself?
There are varying levels of measures that you can take to protect yourself from phishing and
pharming attacks — but it all begins with education. Every member of your organization must be
made aware (and kept abreast) of recent news concerning the safeguarding of information.
Information Technology Response
DNS Lookup — IT personnel can use nifty tools to perform a reverse lookup of IP and DNS
information. The site http://www.dnsstuff.com/ sniffs out real and fraudulent IP addresses and
traces their origins. Type an IP address in the Reverse DNS Lookup box to locate information, or
open an e-mail received from an external source, choose View, Options and copy the IP
address from the Internet header into the Reverse DNS Lookup utility.
Patch That Hole — Ensure that your browser security settings and virus definitions are current.
Microsoft regularly releases security patches for Windows and Internet Explorer. For more
information, click Start, All Programs, Windows Update or go to
Education — Teach your users (all of them) to be suspicious of any e-mail or request for
personal information. Create and enforce a firm policy on the handling of e-mail and website
data entry. Keep updating and distributing information on a regular basis. Focus on the following:
Overview of Phishing, Pharming and Importance for Firm Communication
How to Differentiate Secure Sites from Those That Are Not Secure — Secured
websites are prefixed by “https.” Never make online purchases from sites that are not
When in Doubt, Don’t Click That Link — Embedded hyperlinks to websites in e-mail
messages can, when clicked, hijack you to a fraudulent site where personal information
is requested, or to a legitimate site after passing you through other sites designed
to steal information (pharming) without your knowledge. If you receive a message from a
company requesting information, it is better to look up their telephone number and
verify that the request is legitimate.
Complain — You can report phishing and fraudulent e-mail attacks by forwarding the message
to email@example.com, firstname.lastname@example.org and to the company being spoofed.
Complaints to the FBI and its affiliated Internet Fraud Complaint Center can be filed at
www.ifccfbi.gov. The site contains a link to file an online complaint.
At a recent security conference that I attended, Bill Gates and Symantec CEO John Thompson
spoke separately of initiatives that they would take to prevent the proliferation of phishing,
pharming, spam and viruses. Microsoft recently filed 117 “John Doe” lawsuits against phishing
site operators in an effort to curtail phishing and identity theft. The lawsuits were filed in federal
court in Seattle. Phishing and pharming are serious issues — fight their proliferation with
About our author . . .
Donna Payne is president and founder of Payne Consulting Group, headquartered in Seattle. She
and the company have authored 11 books on Microsoft Office, including the bestselling series
Word for Law Firms. Payne is a member of the Microsoft Legal Advisory Council, the American
Bar Association, the American Society of Journalists and Authors and the Project Management
Institute. She can be reached at email@example.com.