What Is Pharming?
Pharming is online fraud that involves the use of malicious code to direct victims to spoofed websites in an attempt to steal their credentials and data.
Pharming is a two-step process that begins with an attacker installing malicious code on a victim’s computer or server. That code sends the victim to a spoofed website, where they may be tricked into offering their personal data or login credentials for a website or online service. Pharming does not require a user to open a website themselves because they are automatically redirected to the attacker’s spoofed site.
How Pharming Works
Pharming works by exploiting the mechanics that enable people to browse the internet. The Domain Name System (DNS) translates the domain names or web addresses that people type in their web browsers into Internet Protocol (IP) addresses, which enable computers to read them. An IP address tells computers what a website’s location is, then their web browser connects to a DNS server that holds the IP address.
When an internet user visits a specific website, their web browser stores a DNS cache of that website, so it does not have to revisit the DNS server every time the user wants to visit the same website in the future.
The DNS cache and DNS server are both vulnerable to pharming attacks by cyber criminals.
Types of Pharming Attack
There are two main types of pharming attack that cyber criminals use to target and exploit weak DNS caches and servers. One attack vector involves the installation of malware, while the other is a more traditional approach that aims to corrupt or poison the DNS cache and server.
In malware-based pharming, internet users often unwittingly pick up malware, such as a Trojan horse or virus, through malicious email or software downloads. The downloaded malware will covertly reroute the user to a fake or spoofed website created and managed by the attacker. When people access the site, the attacker sees all the personal data or login credentials they enter.
In this pharming process, malicious code sent via email resides on a user’s computer and begins modifying and corrupting locally hosted files, as well as changing stored IP addresses. These corrupted files will then be able to automatically direct a user’s computer to attackers’ fraudulent websites rather than the legitimate website they want to visit.
DNS Server Poisioning
The DNS serves to direct users’ website requests to the correct IP address. But when a DNS server is corrupted, it will direct website requests to alternate or fake IP addresses.
Unlike the malware-based approach, DNS server poisoning does not rely on individual files being corrupted. Instead, it exploits vulnerabilities at the DNS server level. The attacker poisons the DNS table, which then redirects users to a fraudulent website, often without their knowledge. The corruption of a large DNS server can result in cyber criminals targeting and scamming larger groups of victims.
DNS cache poisoning rewrites the internet’s rules around the flow of traffic to websites by redirecting traffic to attackers’ spoofed websites. Cyber criminals can achieve this through DNS hijacking, which enables them to target multiple users on DNS servers and unprotected routers, especially free or public Wi-Fi networks.
Pharming vs. Phishing
Phishing and pharming are not the same thing. Pharming evolved from phishing and takes a more focused approach than regular phishing attacks. It is also much more dangerous than phishing, as attacks are designed to hide attackers from users.
Phishing attacks lure victims into giving up their data and credentials through malicious emails, texts, and other forms of direct messaging. Phishing attackers target victims by sending messages purporting to be from a trusted sender and that express urgency around their need to click on a hyperlink. That website will be spoofed to look legitimate, enabling the attacker to intercept data that users enter or steal any information they input, such as usernames and passwords that can be used to commit wider identity theft. Phishing can be hugely impactful on businesses, typically resulting in data breaches that cause financial and reputational damage.
A pharming attack is more targeted and involves a two-step process to exploit victims. They begin with an attacker installing malicious code on a victim’s computer or server. That code sends the victim to a spoofed website, where they may be tricked into giving up their personal data or login credentials for a website or online service. Again, pharming does not necessitate a user to open a website, as they are automatically redirected to the spoofed site.
How to Protect Yourself from Pharming
The best way to protect organizations and users from pharming attacks is to install, run, and maintain antivirus and anti-malware software from trusted providers.
However, there are several best practices that can help users stay safe online and avoid the considerable risks of pharming. Proven strategies that allow organizations to protect themselves against pharming include:
- Deploy a reputable anti-virus solution: Trusted anti-virus software should contain tools that can not only detect but also block anomalous or suspicious behavior and malware. It should also be able to update to keep pace with the ever-evolving cybersecurity threat landscape and to ensure an organization is constantly protected from the latest pharming attack vectors. However, it is important to remember that not all antivirus, anti-malware, or spyware removal solutions protect organizations against pharming attacks, so additional tools may be required.
- Trust a trusted anti-virus: When a reputable anti-virus solution issues a warning about visiting specific websites, that advice needs to be adhered to. Even if the website looks legitimate and is a site the user has visited before, the warning indicates there is a problem with the website and it may have been infected.
- Use a trusted internet provider: Reputable and trustworthy internet service providers (ISPs) automatically filter bogus pharming redirects, which prevents users from ever visiting pharming websites. It is therefore crucial to only sign up for internet services from trusted ISPs. ISPs new to the market may offer great deals and super-high speeds, but check whether they are as dedicated to security as established providers.
- Use secure websites: Hypertext Transfer Protocol Secure (HTTPS) means traffic that visits a website is encrypted and cannot be intercepted by an attacker. This is signified by the “https” at the start of a Uniform Resource Locator (URL) or web address. Only trust websites that use HTTPS, especially when performing a financial transaction.
- Avoid suspicious websites: When browsing the internet and visiting websites, it is crucial for users to deploy good judgment. They should stick to websites they know and trust, and avoid websites that look suspicious. It is also important to evaluate sites that appear to be legitimate but do not quite look the same as usual, which is usually a telltale sign that you are on a pharmer’s website. In this case, users should take the time to click around the website to check that all the regular pages are present. Look for smaller details like privacy policies and terms of service.
- Check website URLs for mistakes: An obvious sign of a pharmed website is spelling mistakes in URLs. Pharming attackers will often disguise their websites with minor edits to the URL, such as swapping or replacing letters.
- Avoid unknown links: Other attackers will use website URL shorteners, such as Bitly, to hide the fact that their website is spoofed. It is therefore crucial to never click a shortened web link in an email or other direct message, and generally avoid clicking links from unknown sources and even people that appear to be trusted senders, whenever possible.
- Avoid unusual e-commerce deals: E-commerce or e-shopping deals that look too good to be true are often just that. A popular tactic used by pharming attackers is to lure victims in with prices that drastically undercut popular, legitimate e-commerce sites. These offers should be treated with suspicion, and users should carry out price and comparison checks with other competing sites before they make a purchase.
- Use secure VPNs: Virtual private networks (VPNs) that use reputable DNS servers will help users avoid the risk of pharming attacks targeting DNS cache poisoning.
- Change default passwords: Consumer routers and wireless access points come with default passwords that could be used across multiple similar devices. This poses a serious security risk if hackers can get hold of those passwords. Organizations and users must change the default passwords on their devices, and replace them with secure, unique passwords.
- Enable authentication: Passwords alone are not a secure practice for protecting users against popular attack vectors. Organizations must add an extra layer of security to their online accounts using two-factor authentication (2FA) and multi-factor authentication (MFA). When a user enters their login credentials to an online service, they are then prompted to enter an additional piece of information that proves they are who they say they are. This is typically some form of security question or a code sent either to their phone or on an authenticator application.
How To Know if You Are Pharmed
The sophisticated nature of pharming attacks can result in users not realizing they have become victims until long after the hack occurred. However, pharming attacks will typically show signs that users can spot:
- Unsecure connections: Any website that begins with “http,” which stands for Hypertext Transfer Protocol, as opposed to “https” is a good sign that a website is either unsecure or could have been corrupted.
- A website feels wrong: If a site has spelling errors, unusual or unfamiliar fonts and color schemes, or just looks different, there is a high chance it is not legitimate and is a spoofed site.
- Security alerts: If a user falls victim to a pharming attack, they may receive a request to confirm whether a new sign-in came from them. Email providers and banks, for example, can detect origins from unusual or new devices or locations. If a user receives one of these requests that was not caused by them, they should confirm to the provider that they did not make the request and report the fraud.
In the event that a pharming attack is successful, there are some strange activities that may occur. These include:
- Unexpected charges on credit cards, debit cards, or PayPal accounts
- Password changes on social media and other online accounts that were not initiated by the user
- New posts or sent messages on social media services that users did not create or send
- New friend requests with people that a user did not add on social media
- New programs appearing on a device that a user did not download or install
A good example of a sophisticated pharming attack was a 2007 event that targeted 50 financial organizations. The attack involved the creation of spoofed websites that mimicked the legitimate sites of the banking organizations it targeted.
It exploited a vulnerability in Microsoft software, which lured customers to malicious sites, then downloaded a Trojan and additional files from servers in Russia. The fake sites also sent users’ login credentials to the Russian servers and infected around 3,000 computers in three days.
How Fortinet Can Help
Fortinet protects organizations from pharming attacks by protecting their DNS servers with its FortiGate platform. FortiGate secures DNS servers with an antivirus solution, firewall rules, and intrusion detection and prevention, which reduce exposure to attacks and prevent DNS cache poisoning. Fortinet also enables users to strengthen their online security through FortiAuthenticator, which ensures only they are able to access their online accounts and data, even if a hacker steals their password.
What is pharming?
Pharming is a type of online fraud that directs victims to spoofed websites in an attempt to steal their credentials and data.
What is pharming and phishing?
Pharming and phishing are different types of cyberattacks that aim to steal users’ data and infect their devices with malware. Phishing attacks lure victims to spoofed websites through direct messages.
Why is it called pharming?
Pharming is so called because it is a combination of the words "phishing" and "farming."