Pharming is a malicious and widespread type of cybercrime that can be used for identity theft or financial theft. Read on to learn about pharming and how confidential information is stolen.
What is a pharming attack?
Pharming is a type of cybercrime similar to phishing in that it's an attempt to steal personal information such as login details and account numbers through a spoofed website.
To carry out pharming attacks, cybercriminals exploit DNS servers to redirect traffic that a user intends for a desired, legitimate site. The cybercriminals redirect the user to fake sites, where they can steal the private information that the user enters.
How does a DNS server work?
DNS is an abbreviation for Domain Name System. DNS translates domain names into Internet IP addresses via so-called name servers.
Every website on the internet has a number code called an IP address. The IP address enables computers to find a specific location, i.e. a website, on the Internet.
When you enter a domain address in the browser address bar, for example "www.google.com", the DNS server will translate the domain address into an IP address so that it can connect the computer to the website.
How does pharming work?
Pharming exploits the connection between a device and websites and sends a website's traffic to a fake website.
This exploitation can be done in two ways:
Malware pharming
Cybercriminals can install malware, such as a virus or Trojan, on a user's computer that modifies the computer's hosts file to direct traffic away from a secure site and redirect the user to a malicious site instead. Even if the user types the correct internet address into the browser, the person is still redirected.
In this case, a victim may unknowingly be "at fault" for the installation if the victim has clicked on a fake pop-up advertisement or a link in a malicious email.
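The hosts-file tampering described above can be audited from the defender's side. The following is an added example, not part of the original post: it parses a hosts file and flags entries that override a watched site or pin a name to a remote address. The sample file, the watchlist domain and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file for the demonstration (not from a real machine).
SAMPLE_HOSTS = """\
# static table lookup for hostnames
127.0.0.1      localhost
::1            localhost ip6-localhost
127.0.1.1      workstation-01
0.0.0.0        ads.tracker.example            # sinkhole-style block entry
203.0.113.45   www.examplebank.test examplebank.test
198.51.100.7   intranet.corp.example
not-an-ip      broken.example
"""

def parse_hosts(text):
    """Yield (line_no, address_text, hostnames) for every mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2:
            yield line_no, fields[0], [h.lower().rstrip(".") for h in fields[1:]]

def is_watched(name, watchlist):
    """True if name equals a watched domain or is a subdomain of one."""
    return any(name == w or name.endswith("." + w) for w in watchlist)

def audit_hosts(text, watchlist):
    """Return (line_no, severity, address, hostnames) for entries worth a look."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, "malformed", addr, names))
            continue
        if any(is_watched(n, watchlist) for n in names):
            # Any override of a watched site is suspicious, whatever the address.
            findings.append((line_no, "high", addr, names))
        elif not (ip.is_loopback or ip.is_unspecified):
            # Name pinned to a remote address: legitimate for some intranet
            # setups, but it bypasses DNS, so it needs an owner.
            findings.append((line_no, "review", addr, names))
    return findings

if __name__ == "__main__":
    # Hypothetical watchlist: sites the user logs in to with money or identity data.
    for finding in audit_hosts(SAMPLE_HOSTS, watchlist=("examplebank.test",)):
        print(finding)
```

On a real machine the input would be the contents of `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts`, and the watchlist would hold the domains of the user's own bank and shopping sites.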
DNS poisoning
DNS poisoning happens when hackers tamper with a DNS server, which allows them to redirect web traffic from many users to fake websites. Unlike malware-based pharming, hackers don't have to enter and infect a user's computer.
Instead, they poison the DNS table of a server that handles requests from users who want to access a particular website. If it's a large DNS server that gets poisoned, it could affect a lot of people.
Pharming vs. phishing
Pharming is similar to phishing in that it is a malicious attempt to steal personal data from people. However, unlike phishing, little or no action is required on the part of the victim, as they don't have to click on a link in a phishing e-mail to get to a fake website. The word pharming is a combination of the words "phishing" and "farming", so your information is in a sense "harvested" without the characteristic manipulative part that is usually a big part of phishing.
What fake websites are used in pharming?
The malicious websites used for pharming mimic legitimate and well-known websites. The site typically contains logos, colours and fonts that come from the real site, in order to trick the victim. Often, websites that handle transactions or financial activities, such as online banks or e-commerce sites, are used for pharming attacks. Hackers target these websites because information such as bank details is what they need for further hacking.
How to spot pharming
There are some signs that can reveal pharming, so it is important to be aware of these:
- Websites should have trusted bookmarks. Secure websites have an SSL certificate. You can tell if websites have an SSL certificate by looking at the URL. If it starts with HTTPS, it's secure. If, on the other hand, it starts with HTTP, then the website has not been validated and you cannot be sure that it is a good website or a fake one.
- Pharming websites will be designed to mimic legitimate websites. As mentioned, pharming websites are designed to look like legitimate websites. Often, there are small differences that can reveal them as fake. Sometimes the colours may be slightly different, the logo may be the wrong size, or there may be spelling mistakes. If you think a website looks a little different from the norm, check it out before you use it.
How to protect yourself from pharming attacks
Below are some tips and precautions to help protect yourself from pharming attacks:
- Use antivirus and antimalware software. By using software that can identify threats such as viruses, you can act immediately if these tools detect malware on your computer. It is important to choose a good antivirus solution that can be updated regularly.
- Use a secure DNS server. For many people, their default ISP is also responsible for their DNS. A standard DNS doesn't offer much protection against DNS poisoning, so it's worth switching to a specialised DNS.
- Use two-step authentication. This provides an extra layer of security and can protect you if your information is compromised.
- Never click on suspicious links in emails or pop-up ads on the web. To avoid installing viruses or other malware on your computer, always pay attention to the emails you receive.
- Check website addresses. By checking that the address is correct and does not contain discrepancies or errors, you may be able to detect if you have landed on a fake website.
- Use ASM (attack surface management). By using ASM you create a better overview of your attack surfaces in your organization. You'll be better prepared for pharming attacks with an ASM plan.
Final thoughts
Pharming can be difficult to protect against, as a person can use a malware-free computer and still fall victim to pharming, which can end in:
- Identity theft
- Installation of (further) malware
- Financial loss
Therefore, the best advice to protect yourself from pharming is to practice general good cyber security and always keep an eye on the website addresses you access.
This post has been updated on 31-07-2023 by Sofie Meyer.
Sofie Meyer
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master thesis project on phishing.