Definition of Pharming
Pharming is a type of cyber-attack that redirects users to fraudulent websites, or manipulates their computers so that they are redirected, in order to collect sensitive information. Sometimes described as “phishing without a lure,” the term “pharming” combines “phishing” and “farming,” reflecting the large-scale nature of the attack: instead of luring victims one at a time, the attacker tampers with name resolution so that everyone who depends on it is harvested.
In pharming attacks, malicious individuals or groups utilize various techniques to deceive users and lead them to counterfeit websites that closely resemble legitimate ones, such as online banking portals, retail shopping platforms, or social media networks. The ultimate intention behind such attacks is to deceive users into divulging their personal information, such as usernames, passwords, credit card details, or other sensitive data.
Pharming is like phishing in that it tricks users into divulging private information, but instead of relying on an email lure, it subverts the process that turns a domain name into an IP address. That can happen on the victim’s device (malware that changes the DNS settings or the hosts file) or on the DNS infrastructure the victim depends on (a poisoned resolver cache or a hijacked home router). Either way, the targeted user does not have to click a link or reply to an email; typing the correct address of a bank into the browser is enough, because the redirection happens during name resolution.
Once users are redirected to fraudulent websites, they’re often prompted to submit sensitive information that the attackers then capture. The attackers exploit this information for various malicious purposes, such as identity theft, financial fraud, or unauthorized account access.
What Are the Different Types of Pharming?
There are two primary types of pharming attacks: DNS-based pharming, which tampers with name resolution outside the victim’s machine, and host-based pharming, which tampers with it on the victim’s machine itself. Within each type are specific methods that attackers use. Let’s take a closer look at each:
- DNS Cache Poisoning (DNS-based): Attackers inject false records into the cache of a recursive DNS resolver, so that the domain name of a bank or retailer maps to an attacker-controlled IP address. Every client that uses that resolver is redirected for as long as the bogus record lives in the cache.
- DNS Server Compromise (DNS-based): With unauthorized access to an authoritative DNS server or to the registrar account for a domain, attackers change the IP address published for the domain name, redirecting all users to a malicious website.
- DNS Hijacking (DNS-based or host-based): Attackers change the resolver settings on a user’s computer or home router so that DNS requests go to malicious DNS servers. These servers return false IP addresses for the targeted domains and correct answers for everything else, so the user notices nothing.
- Hosts File Modification (host-based): Malware edits the local hosts file, which most operating systems consult before querying DNS at all, pinning the targeted domain name to the attacker’s IP address without any DNS query taking place.
- Credential Pharming: Also known as credential harvesting or login credential theft, this describes the objective rather than a separate mechanism: any of the techniques above is used to redirect users to fake websites that mimic legitimate ones and capture the login credentials users enter there.
Different types of pharming attacks can be combined with other social engineering techniques, such as phishing emails or deceptive website designs, to increase their effectiveness. By funneling unknowing users to fraudulent websites, attackers increase their chances of stealing information.
What Are Examples of Pharming?
Pharming has been a recognized cyber threat since the mid-2000s. Here are some of the most notable real-world examples of pharming:
- The DNSChanger Malware: This pharming malware infected millions of computers worldwide and redirected users’ web traffic. It modified the DNS settings on infected machines (and on some home routers) to point at rogue DNS servers controlled by the attackers, which let them redirect users to fraudulent websites, substitute advertisements and intercept traffic destined for legitimate sites.
- The Venezuelan Volunteer Attack: In 2014, a group of hackers launched a pharming attack against a Venezuelan volunteer organization. The attackers redirected users to a fake website that looked like the organization’s legitimate site and stole their personal information.
- An Attack Targeting 50 Banks: In 2007, a sophisticated pharming attack targeted more than 50 financial institutions. The attackers used a combination of malware and DNS server poisoning to redirect users to fake websites and steal their login credentials.
- Operation Ghost Click: In 2011, the FBI uncovered Operation Ghost Click. It involved a large-scale DNSChanger-based attack that infected over four million computers worldwide, redirecting users to fake websites and advertisements. The attackers profited from advertising revenue generated by the fraudulent activities.
- The First Drive-By Pharming Attack: In 2008, Symantec reported the first observed case of “drive-by” pharming, aimed at customers of a Mexican bank. A spam email carried embedded HTML that, when rendered, sent a request to the victim’s home router and changed its DNS settings, so that the bank’s domain name resolved to a fake website where personal information was stolen. The bank’s own systems were never touched; the weakness was in the customers’ routers.
The ever-evolving nature of cyber threats means that new variations and advancements in pharming attacks are likely to emerge. This inevitability underscores the importance of staying vigilant and employing cybersecurity best practices to protect against such attacks.
What Is Pharming Malware?
Host-based pharming relies on malware rather than email. The malware’s installer has to run once; it then establishes persistence so that it starts again after every reboot and can keep its DNS or hosts-file changes in place. Malware is not always well written: threat authors rarely test their software thoroughly, and bugs can cause crashes, unexpected reboots, blue screens of death and other computer problems. A bug in the redirection logic can render the malware ineffective at stealing data while still leaving the computer unusable.
The most common host-based method is DNS poisoning at the endpoint. The malware changes the DNS resolver settings on the local computer, or adds entries to the hosts file, so that typing a domain into the browser lands on a malicious site. Every computer on the internet is configured with one or more DNS resolvers, and the browser trusts whatever IP address the resolver returns for a domain name. If the malware points the computer at an attacker-controlled resolver, lookups for the targeted bank’s domain return the IP address of the attacker’s server while every other lookup still works normally, so nothing looks wrong to the user.
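The two host-side footprints described above (a hosts-file entry pinning a sensitive domain, and a local resolver that answers differently from an independent one, which also covers the cache-poisoning and DNS-hijacking cases in the list of pharming types) can be checked with a short audit script. The following is an added example written for this article, not code from Proofpoint or from any malware family named here. The hosts-file text and both sets of resolver answers are constructed sample data so the script runs offline; the watch list of domains is an assumption you would replace with your own.

```python
"""Audit a host for two common pharming footprints:
  1. hosts-file entries that override sensitive domains (host-based pharming)
  2. local-resolver answers that share no address with an independent
     resolver (DNS hijacking / cache poisoning)
All inputs are constructed sample data so the script runs offline."""
import ipaddress
from typing import Iterable

# Assumed watch list: domains whose resolution you care about.
WATCHED_DOMAINS = {"bank.example", "www.bank.example", "shop.example"}

# Constructed hosts-file content with one injected override.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost ip6-localhost
192.168.1.10 nas.lan nas
# Injected by pharming malware: bank traffic goes to an attacker's server
203.0.113.45  www.bank.example bank.example
"""

# Constructed answers: what the host's configured resolver returned versus
# what an independent resolver you trust (e.g. a DoH endpoint) returned.
LOCAL_ANSWERS = {
    "www.bank.example": {"203.0.113.45"},               # hijacked
    "shop.example": {"198.51.100.7", "198.51.100.8"},   # normal
    "news.example": {"192.0.2.20"},                     # normal
}
TRUSTED_ANSWERS = {
    "www.bank.example": {"198.51.100.20", "198.51.100.21"},
    "shop.example": {"198.51.100.8", "198.51.100.7"},
    "news.example": {"192.0.2.20"},
}


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text.
    Handles comments, blank lines, several names per line and IPv6."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed line; the OS resolver ignores it too
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def suspicious_hosts_entries(text: str,
                             watched: Iterable[str] = WATCHED_DOMAINS) -> list[tuple[str, str]]:
    """Flag watched domains pinned to anything but a loopback address.
    A legitimate hosts file almost never pins a bank or shop domain."""
    watched = {d.lower() for d in watched}
    return [(ip, name) for ip, name in parse_hosts(text)
            if name in watched and not ipaddress.ip_address(ip).is_loopback]


def resolver_mismatches(local: dict[str, set[str]],
                        trusted: dict[str, set[str]]) -> dict[str, tuple[set[str], set[str]]]:
    """Report domains where the two resolvers agree on no address at all.
    Partial overlap is normal for CDN-hosted sites (round-robin and
    geo-specific answers), so only disjoint answer sets are alerted on."""
    return {d: (local[d], trusted[d])
            for d in local.keys() & trusted.keys()
            if local[d].isdisjoint(trusted[d])}


def run_audit(hosts_text: str = SAMPLE_HOSTS,
              local: dict[str, set[str]] = LOCAL_ANSWERS,
              trusted: dict[str, set[str]] = TRUSTED_ANSWERS) -> dict:
    """Run both checks and return the findings keyed by check name."""
    return {
        "hosts_overrides": suspicious_hosts_entries(hosts_text),
        "resolver_mismatches": resolver_mismatches(local, trusted),
    }


if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(f"{check}: {findings or 'none'}")
```

To run this against a live machine, read the real hosts file (`/etc/hosts`, or `C:\Windows\System32\drivers\etc\hosts` on Windows) into `hosts_text`, build `local` from `socket.getaddrinfo()` results, and build `trusted` from a resolver the malware cannot have reconfigured, such as a DNS-over-HTTPS endpoint queried directly by IP. The disjoint-set rule keeps the resolver comparison from firing on ordinary CDN round-robin answers, which is the false positive that makes naive “addresses differ” checks unusable.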
Avoid clicking links in unsolicited emails or text messages, and be cautious about entering personal information online.
Phishing vs. Pharming: What’s the Difference?
Phishing and pharming are similar in that they trick users into divulging private information, but the mode used to deceive victims differs.
In a phishing attack, a threat actor crafts an email that appears to come from a legitimate business in order to mislead users. The phishing email usually contains a link the user must click for the attacker to succeed. Phishing can also incorporate social engineering to enhance the effectiveness of the attack and increase the chance of stealing money or data from the intended victim.
In a pharming attack, no email message is necessary because the malware runs as a background process, tampering with name resolution so that web requests go to malicious websites. Beyond the initial execution of the malware, no user interaction is required. Once it runs, the malware establishes persistence so that it survives reboots and keeps the DNS or hosts-file changes in place. Cleanup therefore means removing the persistence mechanism and the malware itself, usually with endpoint security or malware removal tools, and then restoring the DNS settings and hosts file, because the redirect stays in effect until those are fixed.
Combining technical controls with sound cybersecurity awareness can significantly reduce the risk of falling victim to pharming attacks.
Awareness Is the Best Defense Against Pharming
While implementing technical measures and security practices is crucial in preventing pharming attacks, awareness is one of the best defenses against pharming. Recognizing suspicious warning signs, verifying the authenticity of websites, and identifying social engineering tactics are all ways users themselves can help prevent pharming attacks and related cyber threats.
Pharming can be more effective than phishing because it doesn’t require the user to click a link: the victim types the correct address and is still redirected. Phishing nonetheless remains a popular attack vector, in part because host-based pharming needs malware and therefore a delivery mechanism, and email is a common way to deliver it to intended recipients. Once the malware executes on targeted computers, the attacker monetizes the redirected traffic through fraudulent advertising or harvests credentials and banking details on the counterfeit websites.
Whether through phishing or pharming, users should avoid running executable files attached to email or downloaded from unofficial software sites. Both attacks aim to steal credentials or banking information, so treat attachments and software from suspicious websites with caution.