What Is Pharming?

Pharming is like phishing in that it is a threat that tricks users into divulging private information, but instead of relying on email as the attack vector, pharming uses malicious code executed on the victim’s device to redirect to an attacker-controlled website. Because pharming runs code on the victim’s computer, the attacker does not rely on the targeted user clicking a link or replying to an email. Instead, the malicious code directs the targeted user to the attacker’s website, eliminating the extra step of a user clicking a link.

Pharming involves hijacking the user’s browser settings or running a background process that automatically redirects users to a malicious site. The attacker uses redirects or popups on the user’s desktop that display the phishing website in a masked link. In many cases, the attacker’s goal is to get financial data or the user’s authentication credentials, so the redirect triggers when the user navigates to a banking website.

For example, an attacker can use malicious code to monitor user web activity to trigger a redirect to a spoofed banking site. When a user enters their bank domain into the browser address bar, the pharming code hijacks the user’s activity and redirects the browser to an attacker-controlled website with the same look and feel like the official bank account. Users rarely look at the domain in the browser’s address bar, so it’s an effective attack to steal user financial data, including their credentials.

Another common example is redirecting users to another website when a search engine is entered into the browser. The attacker uses a malicious search engine to redirect users to ad sites or a specific phishing website. This can be done by hijacking browser resources or detecting when users navigate to a particular financial site.

Since pharming attacks don’t rely on email, malware is used to redirect users and steal data. The malware installation file must be executed first, and then it can run on the computer after every reboot. The malware should run well, but threat authors rarely test their software and often introduce bugs into the software. Bugs can cause unintentional crashes, reboots, blue screens of death, and other computer problems. Any bugs that affect the main functionality of the malware could render it ineffective at stealing data. Still, it could also affect operations on your computer, leaving you unable to use it.

Another method used with pharming is DNS poisoning. Malware changes the DNS settings on the local computer, redirecting users to a malicious site when they type a domain into the browser. Every computer connecting to the Internet uses a configured DNS setting, and a DNS server stores the IP address for every domain on the Internet. When browsers perform a lookup, they direct users to the IP address listed on a DNS server. In DNS poisoning, the IP address is linked to a domain located on the attacker’s server.

Phishing and pharming are similar in that they both trick users into divulging private information, but the mode used to trick victims is different. In a phishing attack, a threat actor crafts an email that looks like an official business to mislead users. The phishing email usually contains a link that the user must click for the attacker to be successful. Phishing can also incorporate social engineering to enhance the attack and increase the possibility of successfully stealing money or data from the intended victim.

In a pharming attack, no email message is necessary because malware runs as a background process on the computer, intercepting web requests and redirecting users to malicious websites. Besides the initial execution of the malware, no user interaction is necessary. Once the malware executes, it persists on the computer even after it's been rebooted. Only malware removal tools can delete files used to monitor user activity, show popups, or hijack browser settings.

Stealing data is a fundamental goal for an attacker, but stealing credentials gives a third-party complete control of your account. Having control of an account could be much more valuable. For example, obtaining account credentials on an email account provides an attacker far more information than just stealing sensitive information from a targeted user.

In a phishing attack, users are tricked into sending their credentials to a threat actor via email. In a pharming attack, users aren’t tricked into navigating to a malicious website. Instead, the attacker steals data using malware background processes or automatically sends a user to a phishing website in their browser.

Pharming is much more effective than phishing because it doesn't require the user to click a link. Nonetheless, phishing is still a popular attack vector for threat actors. Pharming is beneficial for threat actors with programming knowledge. Malware authors still need to spread malicious programs to targeted users, so email messages are used to spread the malware to intended recipients. After the malware executes on targeted user computers, an attacker can collect money or sensitive information from ads and malicious websites.

Whether it’s through email or pharming, users should always avoid running executable files attached to email or files from unofficial software sites. Pharming and phishing aim to steal credentials or banking information, so avoid attachments and malicious software on suspicious websites.