While cybercriminals continue to evolve their methods and tactics, one of the lesser-known yet dangerous threats is the pharming attack.
Unlike traditional forms of hacking, pharming does not depend on malicious emails or suspicious hyperlinks. Instead, it hijacks website traffic and sends unsuspecting users to fraudulent websites. These sites are designed well enough to look legitimate, so users enter sensitive information such as passwords, credit card details, or social security numbers.
In this article, we explain what pharming attacks are, how they work, what they mean for cybersecurity, and how to avoid falling prey to this covert danger.
Pharming meaning and definition
The term pharming combines the words “phishing” and “farming.” While phishing tricks users through emails or fake links, pharming is more advanced: it works even when users type the correct URL into their browsers.
Pharming is a cyberattack in which a hacker tampers with Domain Name System (DNS) settings, or compromises the user’s device, so that web traffic intended for a legitimate site is redirected to a fake one. The objective is to harvest sensitive information, such as login credentials or financial data, without the user suspecting anything.
Pharming vs. phishing: What’s the difference?
Understanding the difference between phishing and pharming is important for protecting yourself online.
Phishing
Phishing lures victims into divulging personal information through fraudulent emails, messages, or fake websites. It requires some active response from the victim, such as clicking a link or downloading an attachment.
Pharming
Pharming, on the other hand, passively diverts users to a fake website without their knowledge. Unlike phishing, it requires no user interaction beyond entering a legitimate website address.
In other words, phishing relies on social engineering, while pharming tampers with DNS settings or the hosts file to redirect users.
What is pharming in cyber security? How pharming attacks work
Pharming bypasses traditional security measures in two main ways:
- DNS poisoning: Hackers gain access to a DNS server and alter its records. Once any user types the website’s URL, the DNS answer points them to the fraudulent site instead of the real one.
- Hosts file manipulation: Attackers alter the local hosts file on a user’s device. When the user tries to open a website, the changed hosts file sends them to a fake site instead of the real one.
Types of pharming attacks
While pharming may sound like a straightforward threat, it manifests in different ways, using various techniques and tactics to compromise systems.
Awareness of the following types of pharming attacks helps both organizations and individuals recognize and, in turn, protect against them.
DNS-based pharming
DNS-based pharming is a large-scale attack that targets the DNS, the system responsible for converting user-friendly domain names (like www.example.com) into IP addresses that computers use to communicate. By corrupting the DNS server, attackers can redirect users from legitimate websites to malicious ones without altering anything on the users’ devices.
Imagine that an attacker compromises an online banking service’s DNS records. Users who correctly type the bank’s URL would be redirected to a fake website designed to capture their login credentials. Such a campaign could target thousands of users and is hard to trace, because the redirection happens at the DNS level.
How DNS-based pharming works:
- The attackers compromise the DNS server of an Internet Service Provider (ISP) or an internal DNS server within the organization.
- They manipulate the DNS records so that a user who types the correct URL of a trusted site, such as a bank, is connected to a fake site run by the attacker.
- The fake site looks precisely like the original but asks users for sensitive information such as passwords or credit card numbers.
Local pharming (hosts file poisoning)
Local pharming, also known as hosts file poisoning, targets individual users’ devices. The attacker modifies the hosts file on the victim’s computer. The hosts file is a plaintext file mapping domain names to IP addresses that the operating system consults before querying a DNS server.
Attackers typically gain access to the device by delivering malware or a trojan through a phishing email or an infected software download. Once the device is infected, the trojan silently edits the hosts file, redirecting web traffic without the DNS server being tampered with at all.
When the victim tries to access a trusted website—www.examplebank.com, for example—they are automatically forwarded to a phishing site that looks precisely like the original and captures their login credentials.
How local pharming works:
- Attackers typically use malware, trojans, or malicious downloads to gain entry into a user’s system.
- They edit the hosts file, mapping trusted domains—a bank or social network, for instance—to the IP address of a fake site.
- When the victim tries to visit the real website, they are forwarded to the fake site, even though they entered the right URL.
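The defensive counterpart of the steps above is an integrity check on the hosts file. The following added example (not code from the original article) parses hosts-file text and flags entries that pin a watch-listed domain or map any non-local name to a routable address; the sample file, the watch list and the domain names are constructed.

```python
import ipaddress
import re

# Constructed sample hosts file. The first three entries are normal; the last
# two pin a bank domain and an update host to routable (documentation) addresses.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1    localhost
::1          localhost ip6-localhost
127.0.1.1    workstation.local
# Entries a pharming trojan might add (constructed)
203.0.113.7  www.examplebank.com examplebank.com
198.51.100.9 updates.example.net
"""

# Hypothetical watch list: domains that should never be pinned in a hosts file.
WATCHLIST = {"examplebank.com"}
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "broadcasthost"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        for name in names:
            yield ip, name.lower()

def is_local_name(name):
    return name in LOCAL_NAMES or name.endswith((".local", ".localdomain"))

def suspicious_entries(text, watchlist=WATCHLIST):
    """Return (ip, name, reason) for every entry that deserves a look."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        on_watchlist = any(name == d or name.endswith("." + d) for d in watchlist)
        if on_watchlist:
            findings.append((ip, name, "watch-listed domain pinned in hosts file"))
        elif not (addr.is_loopback or addr.is_link_local or addr.is_unspecified) \
                and not is_local_name(name):
            findings.append((ip, name, "non-local name mapped to routable address"))
    return findings
```

Running `suspicious_entries(open("/etc/hosts").read())` (or the Windows equivalent under System32\drivers\etc) on a schedule, and alerting on any non-empty result, turns this into the kind of periodic audit the article recommends.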
Hybrid pharming attacks
Some attackers combine elements of both DNS-based and local pharming to increase their chances of success.
An attacker may compromise an ISP’s DNS server while at the same time spreading malware through phishing campaigns that infect individual users’ devices. This dual approach ensures that users reach malicious sites whether the redirection comes from the compromised DNS server or from their own hosts file.
How hybrid pharming attacks work:
- Attackers may first compromise a DNS server to perform large-scale traffic redirection.
- They install malware on users’ devices that tampers with the hosts file, so the users continue to be routed to the fake websites even when they switch to another network or DNS server.
Cache poisoning attacks (DNS cache poisoning)
A variant of DNS-based pharming is DNS cache poisoning, in which the DNS cache inside a router or an individual device becomes the attacker’s target.
DNS caching speeds up web browsing by storing the results of DNS lookups locally. However, if an attacker can poison this cache, they can redirect users to a fake site without compromising the main DNS server.
For example, in a cache poisoning attack, users trying to reach their email provider may be forwarded to a spoofed login page where the attackers collect their email credentials. This is especially dangerous on shared networks, such as those in offices or public Wi-Fi hotspots.
How cache poisoning attacks work:
- Attackers return malicious responses to DNS queries, causing the DNS cache to store an incorrect IP address for a legitimately requested domain.
- Users of the poisoned DNS cache are delivered to malicious sites, even though the authoritative DNS server is not compromised.
Real examples of pharming attacks
Pharming attacks have targeted many sectors, causing huge financial and reputational damage. Some notable examples include:
Global financial institutions attack (2007)
In 2007, cybercriminals conducted a highly organized pharming attack targeting 50 financial institutions across the U.S., Europe, and Asia. The attackers redirected users to fake websites to capture sensitive information, causing significant financial losses.
Brazilian bank incident (2017)
In 2017, a major Brazilian bank suffered a pharming attack in which all incoming traffic to its legitimate website was redirected to a counterfeit one. Customer data was compromised, pointing to a vulnerability in its DNS security.
Venezuelan volunteer data breach (2019)
In 2019, a pharming attack targeted the volunteer sign-up page of the “Voluntarios por Venezuela” campaign, redirecting users to a fake registration page. This resulted in the unauthorized collection of personal data from many volunteers.
How to prevent pharming attacks
Pharming attacks can be prevented through cybersecurity measures, user awareness, and proactive monitoring. Here are a few effective strategies:
- Implement DNS Security Extensions (DNSSEC): DNSSEC adds an authentication layer to DNS so that resolvers can verify the answers they receive and direct users to the correct IP addresses, protecting against DNS spoofing.
- Run regular DNS audits: Periodically check DNS settings and records for unauthorized changes that may indicate a pharming attempt.
- Software updates: Update operating systems, browsers, and all other software routinely to patch vulnerabilities a hacker could exploit.
- Firmware updates: Keep network devices, such as routers and switches, on the latest firmware to close known exploits.
- Antivirus and anti-malware software: Deploy reputable security software that can detect and block, or at least quarantine, malicious code that would modify the hosts file or DNS settings.
- Intrusion Detection Systems (IDS): Monitor network traffic for suspicious activity indicative of pharming attacks.
- Security awareness training: Train employees and users to recognize the signs of a pharming attack, such as unexpected website redirects or security certificate warnings.
- Safe browsing practices: Verify the website URL and the presence of HTTPS before entering sensitive information.
- HTTP Strict Transport Security (HSTS): Apply HSTS so that browsers connect only over HTTPS and refuse unsecured HTTP connections to the site.
- Anomaly detection: Establish mechanisms to detect abnormal traffic flows that indicate DNS poisoning or unauthorized redirects.
- Log analysis: Regularly review server and network logs for signs of tampering or unauthorized access attempts.
- Change default credentials: Change the default usernames and passwords on routers and other network devices to prevent unauthorized access.
- Disable unnecessary services: Turn off unused services and ports to reduce the entry points available to attackers.
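The “regular DNS audit” above, and the cache-poisoning case described earlier, both come down to comparing the answers resolvers actually return against what the domain owner published and against each other. This added example (not the article’s own code) does that with constructed answers; the domain names, resolver labels and addresses are assumptions, and in practice the answer sets would be collected by querying each resolver with a DNS library.

```python
# Baseline of expected A records as the domain owner published them
# (constructed values in the RFC 5737 documentation ranges).
BASELINE = {
    "www.examplebank.com": {"192.0.2.10", "192.0.2.11"},
    "login.examplebank.com": {"192.0.2.20"},
    "mail.examplebank.com": {"192.0.2.30"},
}

# Constructed answers from two vantage points. Only the corporate resolver
# hands out a foreign address for login.*, which is what a poisoned cache or
# a tampered zone looks like from the outside.
OBSERVED = {
    "corp-resolver": {
        "www.examplebank.com": {"192.0.2.10", "192.0.2.11"},
        "login.examplebank.com": {"203.0.113.66"},
        "mail.examplebank.com": {"192.0.2.30"},
    },
    "public-resolver": {
        "www.examplebank.com": {"192.0.2.10", "192.0.2.11"},
        "login.examplebank.com": {"192.0.2.20"},
        "mail.examplebank.com": {"192.0.2.30"},
    },
}

def audit_resolver(resolver, answers, baseline=BASELINE):
    """Findings for one resolver: names whose answers leave the baseline."""
    findings = []
    for host, expected in baseline.items():
        got = answers.get(host)
        if not got:
            findings.append((resolver, host, "no answer returned"))
            continue
        unexpected = sorted(ip for ip in got if ip not in expected)
        if unexpected:
            findings.append((resolver, host, "unexpected address: " + ", ".join(unexpected)))
    return findings

def audit_all(observed=OBSERVED, baseline=BASELINE):
    """Run the baseline audit across every vantage point."""
    return [f for r, a in observed.items() for f in audit_resolver(r, a, baseline)]

def resolvers_disagree(observed=OBSERVED):
    """Names whose answer sets differ between vantage points: a cache-poisoning
    signal even without a baseline, since poisoning hits one cache at a time."""
    hosts = set().union(*(a.keys() for a in observed.values()))
    return sorted(h for h in hosts
                  if len({frozenset(a.get(h, ())) for a in observed.values()}) > 1)
```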
Conclusion
Pharming attacks can cause severe damage if not handled correctly. Understanding how they work and how they differ from phishing better positions you to protect yourself and your organization from this threat.
Whether you’re developing a mobile application or want to keep your cybersecurity posture up to date, Verimatrix XTD can help. Experience the benefits of comprehensive, worry-free threat detection, and make sure your applications stay protected 24/7.