What is pharming

Pharming sounds like a fairly innocent practice, but this isn’t the kind that involves animals and crops. Pharming refers to a type of cybercrime in which the user is sent to a fake website instead of a legitimate one. Once the victim lands on the fake site, the ultimate goal is usually that they will hand over personal information, for example, account login credentials or banking information. This information can then be used in crimes such as account takeover fraud and identity theft.

Sounds a lot like phishing, right? We’ll go into more detail below, but a major difference between the two is that a phishing site lives at a different URL from the site it’s mimicking, whereas pharming tampers with name resolution itself, so that the legitimate domain name resolves to the attacker’s server.

Because you’re not clicking on or entering the wrong URL, pharming can be very difficult to spot. However, we have some tips to help ensure you don’t get caught out. In this post, we’ll discuss exactly what pharming is and its similarities to phishing. We’ll also provide advice to help ensure you don’t hand over information in a pharming attack.

What is the definition of pharming?

The word “pharming” is derived from “phishing” and “farming.” This type of attack has also been called “phishing without a lure.”

To understand pharming, we need to discuss the Domain Name System (DNS). Every website is hosted on a server with at least one IP address (a numeric address such as 203.0.113.45 for IPv4, or a longer hexadecimal one for IPv6). But we don’t type an IP address to visit a website; we use domain names instead. DNS servers are responsible for translating domain names to IP addresses. Once the IP address is known, your browser connects to the server at that address.

The recursive DNS servers (resolvers) that your device sends its queries to are typically operated by internet service providers, public providers such as Google and Cloudflare, and VPN providers.

To save your computer the trouble of querying a DNS server every time you visit a website, answers are cached for the lifetime (the record’s TTL) that the authoritative server attached to them: in your browser, in the operating system’s resolver, and often on your router as well.

There are two main types of pharming: malware-based and DNS server-based.

Malware-based pharming

In this type of attack, the malicious pharming code finds its way onto your computer. It may be delivered by a download or link click, for example in an email. Once installed, the malware typically edits the device’s hosts file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts on macOS and Linux), which the operating system consults before asking any DNS server. Each entry pins a domain name to an IP address, so every time you try to visit a targeted website you are sent to the attacker’s server instead.

Clicking a malicious link sounds a lot like a straightforward phishing attack. However, when you click a link in a phishing email, that link takes you directly to the phishing site, rather than installing malware on your device. And to visit the fake site a second time, you would have to once again click on the malicious link.

With pharming, once the malware is installed, every time you try to visit the legitimate site you’ll be redirected to the fake one. And removing the malware is not always enough: if the malicious hosts-file entries are left behind, or the bogus answer is still sitting in your browser’s, operating system’s or router’s DNS cache, you will keep landing on the fake site until the entries are removed and the caches are cleared (or the cached record’s TTL expires).
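The hosts-file tampering described above is easy to check for yourself. The following is an added example, not code from the original article: it parses a hosts file the way the operating system does (first token an address, remaining tokens hostnames, `#` starts a comment), flags any entry for a domain you would never legitimately pin locally, and produces a cleaned copy. The sample hosts file, the bank domain `examplebank.com` and the attacker address `203.0.113.45` are all constructed for illustration.

```python
import ipaddress

# Constructed sample of a hosts file as malware-based pharming might leave it.
# Illustrative input only, not a real infection artifact.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# injected by malware:
203.0.113.45    www.examplebank.com
203.0.113.45    examplebank.com
203.0.113.45    login.examplebank.com   # trailing comment is ignored
192.168.1.10    printer.lan
"""

# Assumption: domains that should never appear in a personal hosts file
# (your bank, webmail, etc.). Adjust to your own list.
WATCHED_SUFFIXES = ("examplebank.com", "example-email.com")


def parse_hosts(text):
    """Yield (ip, [hostnames], line_number) for each effective hosts entry."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])   # validates IPv4 and IPv6 literals
        except ValueError:
            continue                              # malformed line; the OS ignores it too
        yield ip, [h.lower() for h in parts[1:]], lineno


def is_watched(hostname):
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return every hosts entry that pins a watched domain, whatever the address.
    A legitimate hosts file has no reason to contain your bank at all."""
    findings = []
    for ip, names, lineno in parse_hosts(text):
        for name in names:
            if is_watched(name):
                findings.append({"line": lineno, "host": name, "ip": str(ip)})
    return findings


def clean_hosts(text):
    """Return the hosts file with offending lines removed; everything else is kept verbatim."""
    bad = {f["line"] for f in audit_hosts(text)}
    kept = [l for i, l in enumerate(text.splitlines(), start=1) if i not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}")
```

To check a real machine, read the hosts file at the path for your operating system and pass its contents to `audit_hosts`; editing it back requires administrator rights, which is also why malware that rewrites it usually needs you to approve something first.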

Malware-based pharming was used in a large 2007 attack against customers of around 50 financial institutions. Victims were lured to a site hosting code that exploited a Windows vulnerability; vulnerable computers were then infected with malware that downloaded further files from a server in Russia.

If the victim tried to visit one of the targeted banking sites, they were redirected to a fake site that collected their login credentials, sent them to the Russian server, and then passed the victim through to the real site. Everything looked normal from the user’s end, making the attack very difficult to spot.

With login credentials in hand, the hackers could then log in and hijack victims’ bank accounts.

Pharming via DNS poisoning

This type of pharming is harder for the everyday user to prevent because it happens at the DNS server rather than on their own device. Attackers either compromise the server itself or, in a cache-poisoning attack, inject forged answers into a recursive resolver’s cache. Either way, once the server is corrupted the attackers can send any traffic that relies on it to addresses of their choosing, for example fake versions of legitimate websites.


Unlike phishing or malware-based pharming, this requires no social engineering to get the user to the fake site, which removes one big hurdle for attackers; the victim simply needs to believe the bogus site is legitimate. By poisoning a large resolver, criminals can potentially hit every user of that resolver at once, and a poisoned record keeps being served until its TTL expires. This is where the “farming” part comes in.
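To make the DNS basics above and the cache-poisoning idea concrete, here is an added example, not code from the original article, of a toy recursive resolver in Python. It builds real DNS wire-format messages (simplified: no name compression), caches answers until their TTL expires, and accepts a reply only if its transaction ID, destination port and question match a query that is still outstanding. That matching is the resolver’s entire defence, so an attacker who learns or guesses the 16-bit transaction ID and the source port, and whose forged reply arrives before the legitimate one, gets their address cached for every user of the resolver. The hostname `www.examplebank.com` and the addresses `203.0.113.45` (attacker) and `198.51.100.10` (real site) are constructed for illustration.

```python
import random
import struct
import time


def encode_name(name):
    """Encode 'www.examplebank.com' as DNS labels: \\x03www\\x0bexamplebank\\x03com\\x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed name starting at offset `off`; return (name, next offset)."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def build_query(txid, qname, qtype=1):
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0; then the question.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_a_response(txid, qname, ip, ttl=300):
    """A response carrying one IN A record for qname."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def parse_response(msg):
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]; off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "qname": qname, "qtype": qtype, "answers": answers}


class ToyResolver:
    """Caches answers by (name, type) until TTL expiry. A reply is accepted only if
    its transaction ID, destination port and question match an outstanding query."""

    def __init__(self, now=time.time):
        self.cache, self.pending, self.now = {}, {}, now

    def send_query(self, qname, qtype=1):
        txid = random.randrange(1 << 16)           # 16-bit transaction ID
        port = random.randrange(1024, 1 << 16)     # randomized source port
        self.pending[(txid, port)] = (qname, qtype)
        return build_query(txid, qname, qtype), port

    def receive(self, msg, port):
        r = parse_response(msg)
        key = (r["txid"], port)
        if self.pending.get(key) != (r["qname"], r["qtype"]):
            return False                           # no matching outstanding query: dropped
        del self.pending[key]                      # first matching reply wins the race
        for name, ip, ttl in r["answers"]:
            self.cache[(name, r["qtype"])] = (ip, self.now() + ttl)
        return True

    def lookup(self, qname, qtype=1):
        entry = self.cache.get((qname, qtype))
        return entry[0] if entry and entry[1] > self.now() else None


def poisoning_demo(target="www.examplebank.com", attacker_ip="203.0.113.45", real_ip="198.51.100.10"):
    """Constructed race: a blind guess fails, a forged reply with the right ID and port
    is cached, and the legitimate reply that arrives afterwards is discarded."""
    r = ToyResolver()
    query, port = r.send_query(target)
    txid = int.from_bytes(query[:2], "big")
    blind = r.receive(build_a_response((txid + 1) & 0xFFFF, target, attacker_ip), port)
    forged = r.receive(build_a_response(txid, target, attacker_ip), port)
    legit = r.receive(build_a_response(txid, target, real_ip), port)
    return {"blind_guess_accepted": blind, "forged_accepted": forged,
            "legit_accepted": legit, "cached": r.lookup(target)}


if __name__ == "__main__":
    print(poisoning_demo())
```

The `lookup` method also shows why a poisoned record is a lasting problem: it keeps answering with the attacker’s address until the TTL runs out, which is exactly why flushing caches is part of the clean-up.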

What is the difference between phishing and pharming?

While pharming and phishing are closely related, here’s a summary of the main differences:

| | Phishing | Malware-based pharming | DNS server poisoning |
|---|---|---|---|
| URL | Different URL to the real site | URL in the address bar is the same as the real site | URL in the address bar is the same as the real site |
| Attack vector | A link in an email that takes you to a malicious site* | An email attachment or link that installs malware on your device; visiting the legitimate URL then takes you to the fake site | The DNS server is attacked, so no user action is required; visiting the legitimate URL takes you to the fake site |
| Complexity | Simple for anyone to set up but fairly easy to spot | More difficult to execute and harder to identify | Requires advanced techniques and is difficult to spot |
| Frequency and scope | One-time attack on a single user (each instance requires user action, although many victims can be targeted at once with a mass email) | Repeated attack on a single user (once the malware is installed on the device, no further user action is required) | Repeated attack on multiple users (once the DNS server is poisoned, anyone trying to visit the legitimate site is affected) |

*Note that there are other types of phishing that don’t involve link clicks, for example, an email that simply asks you to respond with personal information.

How you can avoid pharming schemes

While some pharming schemes can be difficult to spot, there are steps you can take to protect yourself.

Here’s how to avoid pharming attacks:

  1. Watch out for malicious emails
  2. Check for red flags on websites
  3. Use antivirus software and firewalls
  4. Perform regular updates
  5. Use two-factor authentication
  6. Change your router password

Let’s look at these in more detail:

1. Watch out for malicious emails

With phishing and pharming emails becoming increasingly sophisticated, it can be tough to spot them. That said, there are some common indicators to look out for. For example, poor spelling and grammar should definitely raise eyebrows. Also check the sender’s actual email address, not just the display name (which the sender picks freely), to ensure it matches the domain of the company it purportedly comes from. Bear in mind that the From address itself can be forged, so a matching address is a necessary check rather than proof of authenticity.

You should avoid clicking links in emails altogether, but if you are tempted, you can check where the link is pointing by hovering the mouse pointer over the anchor text.

If in doubt about the authenticity of an email, contact the relevant company directly. But remember to use contact information found in an independent web search as the email could include false information such as a fraudulent phone number or email address.

2. Check for red flags on websites

If you do click through to a website, check to see if it’s the real deal. With phishing sites, a slightly misspelled URL is often a clear indicator that something is awry. But, as we learned above, you won’t get this clue with a pharming site. One thing you can check is that the connection is secure (the address starts with “https” rather than “http” and the browser shows a padlock). Against pharming this check is worth more than it is against phishing: the browser only shows the padlock without a warning if the server presents a certificate that is valid for the domain you typed, and an attacker who has merely redirected your DNS does not have one. So a certificate warning on a site that normally works over HTTPS is a strong red flag, and you should never click through it. The check is not foolproof, though: malware on your device can install a rogue root certificate that makes the attacker’s certificate look valid, and an attacker can of course use HTTPS on a phishing site that lives at their own domain.
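Why the padlock holds up against a DNS-level redirect: the browser compares the hostname you typed with the DNS names listed in the certificate the server presents. Below is an added example, not code from the original article, of that comparison written out in Python against two constructed SubjectAltName lists: the bank’s, and one an attacker could legitimately obtain for a domain they own (`attacker-controlled.example`). The attacker’s certificate fails for the bank’s hostname, which is why a pharmed site either triggers a warning or has to rely on a rogue root certificate installed by malware. In real code, let `ssl.create_default_context()` (which sets `check_hostname=True`) do this rather than reimplementing it.

```python
# Constructed SubjectAltName (dNSName) lists standing in for two certificates.
# No real certificate is fetched or parsed here.
BANK_CERT_SAN = ["www.examplebank.com", "examplebank.com"]
ATTACKER_CERT_SAN = ["*.attacker-controlled.example"]   # valid only for the attacker's own domain


def hostname_matches_cert(hostname, san_dns_names):
    """Does `hostname` match any dNSName in the certificate's SubjectAltName?
    Rules follow RFC 6125 as browsers apply them: comparison is case-insensitive,
    labels must match exactly, a wildcard is allowed only as the entire leftmost
    label and matches exactly one label, and a wildcard needs at least two labels
    after it (so '*.com' never matches)."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in san_dns_names:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels):
            continue                                   # a wildcard covers one label only
        if san_labels[0] == "*":
            if len(san_labels) >= 3 and san_labels[1:] == host_labels[1:]:
                return True
        elif san_labels == host_labels:
            return True
    return False


def verdict(hostname, san_dns_names):
    """Human-readable result for the hostname/certificate pair."""
    if hostname_matches_cert(hostname, san_dns_names):
        return f"{hostname}: certificate is valid for this host"
    return f"{hostname}: certificate is NOT valid for this host (browser would warn)"


if __name__ == "__main__":
    # The victim typed the bank's real hostname; pharming delivers them to the attacker's server.
    print(verdict("www.examplebank.com", BANK_CERT_SAN))
    print(verdict("www.examplebank.com", ATTACKER_CERT_SAN))
```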

The Facebook website has “https” and a padlock symbol.

While cybercriminals do create some very convincing sites, they may have missed some of the finer details. Examples of common red flags include out of date copyright information, missing pages, and poor navigation. Of course, these things are easier to spot if it’s a site you visit regularly.

3. Use antivirus software and firewalls

Antivirus software includes anti-malware components that block recognized malicious software from entering your system. It may also detect pharming code that is already present, including unexpected changes to the hosts file. Many products will also block visits to sites known to be malicious.

If you don’t already have a solid antivirus, McAfee, Norton, and Bitdefender are some popular options.

Firewalls are helpful too; they act as a line of defense by closing ports to prevent malicious traffic entering your device. They can also stop data leaking from your device. Operating systems usually have a built-in software firewall, and many routers have built-in hardware firewalls.

If needed, there are lots of third-party firewall options such as offerings from AVS Firewall and ZoneAlarm Free Firewall 2019.

4. Perform regular updates

While updates can seem like an annoyance, they generally have good reasons behind them. Most importantly, new iterations of software patch security vulnerabilities, to keep your device safe.

If you’re prompted to update your operating system or application software, it’s best to do so sooner rather than later. This will help protect you against not just pharming schemes but other forms of malware designed to exploit vulnerabilities in your system.

5. Use two-factor authentication

Two-Factor Authentication (2FA) and Two-Step Verification (2SV) are offered by an increasing number of platforms. When enabled, these require an additional step be taken to log in to an account. For example, in addition to entering login credentials, you might also have to enter a one-time code that you receive via text or email. Or a second step could be something like a fingerprint or retina scan.

This means that even if a cybercriminal does get hold of your username and password via a pharming scheme, those alone won’t be enough to access your account. One caveat: a fake site that relays your login to the real site in real time (as the 2007 attack did) can relay a one-time code the same way, so 2FA limits the damage rather than eliminating it. It is still well worth turning on.

This is also a good reason to use different passwords on every account. This way, if one account is compromised, you don’t need to worry about others being accessed via credential stuffing techniques. If you’re having trouble dealing with multiple passwords, a password manager like LastPass or KeePass can help.


6. Change your router password

Some pharming schemes target the router itself. An attacker who can log in to its administration interface can change the DNS servers it hands out to every device on the network, redirecting all of them at once. Routers are prime targets for cybercriminals because they are often left with default credentials, making them easy to compromise.

If you didn’t change your router password when you first installed it, or you’re unsure, it’s wise to do that as soon as possible. There are other steps you can take to make your router more secure, including keeping the firmware up to date, using the strongest available encryption, and switching off WPS (Wifi Protected Setup).

What to do if you’re a victim of pharming

Even if you follow all of the above steps, it’s still possible that you might fall victim to a pharming attack. If you suspect you have come across an attack, here are some steps you should take:

  • Run your antivirus software or a malware scanner to check for malware on your system.
  • Use a malware removal tool if you discover malicious software.
  • Clear your DNS cache and, if the malware edited it, restore your hosts file. Even after the malware is gone, a cached bogus answer can keep sending you to the fake site until the cache is cleared or the record expires (on Windows, run ipconfig /flushdns; on Linux systems using systemd-resolved, run resolvectl flush-caches; restarting the router clears its cache too).
  • Inform your Internet Service Provider (ISP) if you believe there is a server-level attack.
  • Switch to a third-party DNS server provider if you’re not happy with those your ISP uses. Cloudflare is one option, but others include OpenDNS, Google Public DNS, and Comodo Secure DNS.