What Is Pharming?

Pharming is a term used to describe a type of cyber-attack that redirects users to fraudulent websites or manipulates their computer systems to collect sensitive information. Also known as “pharmaceutical phishing” or “phishing without a lure,” “pharming” is a combination of the words “phishing” and “farming,” indicating the large-scale nature of the attack.

In pharming attacks, malicious individuals or groups utilize various techniques to deceive users and lead them to counterfeit websites that closely resemble legitimate ones, such as online banking portals, retail shopping platforms, or social media networks. The ultimate intention behind such attacks is to deceive users into divulging their personal information, such as usernames, passwords, credit card details, or other sensitive data.

Pharming is like phishing in that it is a threat that tricks users into divulging private information, but instead of relying on email as the attack vector, pharming uses malicious code executed on the victim’s device to redirect to an attacker-controlled website. Because pharming runs code on the victim’s computer, the attacker does not rely on the targeted user clicking a link or replying to an email. Instead, the malicious code directs the targeted user to the attacker’s website, eliminating the extra step of a user clicking a link.

Pharming is a sophisticated type of fraudulent activity that redirects internet users to fake websites to steal personal or financial information, such as login credentials, credit card details, or social security numbers. While pharming can take many forms, it’s generally carried out by using one of the following techniques:

• Malware infection: Malware such as computer viruses, Trojans, or keyloggers can be used to execute pharming attacks. These malicious programs can infect a user’s computer or network, alter DNS settings, or manipulate the host’s file. When users try accessing a legitimate website, they’re unknowingly redirected to a malicious site.
• DNS cache poisoning: Exploiting vulnerabilities in the Domain Name System (DNS) is another way cyber-attackers carry out pharming. DNS is responsible for translating domain names into IP addresses that computers understand. By poisoning the DNS cache, attackers can manipulate the mapping between domain names and IP addresses.
• Host file modification: Another technique involves altering the host’s file on a user’s computer or the DNS configuration on a local network. The host’s file is a local file on a computer that maps domain names to specific IP addresses. Attackers can modify this file to redirect users to malicious websites instead of legitimate ones.
• Rogue DNS servers: Attackers can set up rogue DNS servers or compromise existing ones. When users attempt to visit a legitimate website, their requests are redirected to these malicious DNS servers. The servers then provide fake IP addresses, leading users to fraudulent websites that mimic the real versions.

Once users are redirected to fraudulent websites, they’re often prompted to submit sensitive information that the attackers then capture. The attackers exploit this information for various malicious purposes, such as identity theft, financial fraud, or unauthorized account access.

There are two primary types of pharming attacks: DNS-based pharming and host-based pharming. Within each type are specific methods that attackers use. Let’s take a closer look at each:

• DNS Cache Poisoning: Attackers manipulate the DNS cache of DNS servers or routers to redirect the mapping of domain names to IP addresses. By injecting false DNS records into the cache, they can redirect users to fraudulent websites.
• DNS Server Compromise: With unauthorized access to DNS servers, attackers modify the DNS settings to alter the IP address associated with a domain name, thereby redirecting users to a malicious website.

• DNS Hijacking: Attackers compromise the DNS settings on a user’s computer or router to redirect their DNS requests to malicious DNS servers. These servers provide false IP addresses, leading users to fraudulent websites.
• Credential Pharming: Also known as credential harvesting or login credential theft, this type of pharming attack steals users’ login credentials by manipulating the DNS settings and host files or by employing other techniques to redirect users to fake websites that mimic legitimate ones.

Different types of pharming attacks can be combined with other social engineering techniques, such as phishing emails or deceptive website designs, to increase their effectiveness. By funneling unknowing users to fraudulent websites, attackers increase their chances of stealing information.

Pharming has been a prevalent cyber threat for several decades. Here are some of the most notable real-world examples of pharming:

• The DNSChanger Malware: This pharming attack infected millions of computers worldwide and redirected users’ web traffic to fraudulent websites. It modified the DNS settings on infected machines, redirecting users to malicious servers controlled by the attackers. This allowed them to intercept sensitive information and carry out various fraudulent activities.
• The Venezuelan Volunteer Attack: In 2014, a group of hackers launched a pharming attack against a Venezuelan volunteer organization. The attackers redirected users to a fake website that looked like the organization’s legitimate site and stole their personal information.
• An Attack Targeting 50 Banks: In 2007, a sophisticated pharming attack targeted more than 50 financial institutions. The attackers used a combination of malware and DNS server poisoning to redirect users to fake websites and steal their login credentials.
• Operation Ghost Click: In 2011, the FBI uncovered Operation Ghost Click. It involved a large-scale DNSChanger-based attack that infected over four million computers worldwide, redirecting users to fake websites and advertisements. The attackers profited from advertising revenue generated by the fraudulent activities.
• The First Drive-By Pharming Attack: In 2008, Symantec reported the first case of a “drive-by” pharming attack on a Mexican bank. The attackers used a vulnerability in the bank’s router to redirect users to a fake website and steal their personal information.

The ever-evolving nature of cyber threats means that new variations and advancements in pharming attacks are likely to emerge. This inevitability underscores the importance of staying vigilant and employing cybersecurity best practices to protect against such attacks.

Since pharming attacks don’t leverage email, malware is used to redirect users and steal data. The malware installation file must be executed first, and then it can run on the computer after every reboot. The malware should run well, but threat authors rarely test their software and often introduce bugs into the software. Bugs can cause unintentional crashes, reboots, blue screens of death, and other computer problems. Any bugs affecting the malware’s main functionality could render it ineffective at stealing data. Still, it could render your computer unusable.

Another method used with pharming is DNS poisoning. Malware changes the DNS settings on the local computer, redirecting users to a malicious site when they type a domain into the browser. Every computer connecting to the internet uses a configured DNS setting, and a DNS server stores the IP address for every domain on the internet. When browsers perform a lookup, they direct users to the IP address listed on a DNS server. In DNS poisoning, the IP address is linked to a domain on the attacker’s server.

In addition to staying alert to these warning signs, avoid clicking links in unsolicited emails or text messages and be cautious about entering personal information online.

Phishing and pharming are similar in that they trick users into divulging private information, but the mode used to deceive victims differs.

In a phishing attack, a threat actor crafts an email that looks like an official business to mislead users. The phishing email usually contains a link the user must click for the attacker to succeed. Phishing can also incorporate social engineering to enhance the effectiveness of the attack and increase the possibility of successfully stealing money or data from the intended victim.

In a pharming attack, no email message is necessary because malware runs as a background process on the computer, intercepting web requests and redirecting users to malicious websites. Besides the initial execution of the malware, no user interaction is necessary. Once the malware executes, it persists on the computer even after it’s been rebooted. Only malware removal tools can delete files that monitor user activity, show popups, or hijack browser settings.

To avoid being a pharming victim, the steps and best practices are similar to preventing viruses and other local machine malware. Always be suspicious of emails with attachments, especially executable files. Files that contain macros, such as Microsoft Word or Excel, could also run malicious code. You should block macros unless you know the file is from a trusted source.

A few additional best practices to prevent you from becoming a victim include:

• Use a secure DNS service to safeguard against DNS server poisoning, a common method used in pharming attacks.
• Keep your systems up-to-date with the latest security patches. Pharming attacks rely on known vulnerabilities in software, so keeping your software current can help prevent these attacks.
• Be cautious when entering personal information online. Make sure you’re on a legitimate, secure website before submitting any sensitive information, such as login credentials or financial data.
• Double-check website URLs before clicking any links or entering your information. Look for HTTPS in the URL and ensure the website address matches the legitimate site.
• Use two-factor or multifactor authentication whenever possible to add an extra layer of security to your accounts.
• Secure your home or office Wi-Fi networks by changing the default administrator passwords on your routers, enabling encryption (such as WPA2) for Wi-Fi networks, and regularly checking for firmware updates.
• Avoiding connecting to arbitrary public Wi-Fi networks or unknown hotspots, even when casually browsing the internet.
• Leverage trusted antivirus software and a VPN service (or VPN alternative) to protect yourself against malware and guard your privacy online.

Following these preventive measures and maintaining sound cybersecurity awareness can significantly minimize the risk of falling victim to pharming attacks.

While implementing technical measures and security practices is crucial in preventing pharming attacks, awareness is one of the best defenses against pharming. Recognizing suspicious warning signs, verifying the authenticity of websites, and identifying social engineering tactics are all human-reliant ways to better prevent pharming attacks and related cyber threats.

Pharming is much more effective than phishing because it doesn’t require the user to click a link. Nonetheless, phishing is still a popular attack vector for threat actors. Pharming is beneficial for threat actors with programming knowledge. Malware authors still need to spread malicious programs to targeted users, so email messages are used to spread the malware to intended recipients. After the malware executes on targeted user computers, an attacker can collect money or sensitive information from ads and malicious websites.

Whether through email or pharming, users should always avoid running executable files attached to email or files from unofficial software sites. Pharming and phishing aim to steal credentials or banking information, so avoid attachments and malicious software on suspicious websites.