
What is Pharming?

Browsing the Internet is second nature to human beings. So much so that as of April 2024, there were 5.44 billion people on the planet with access to the Internet. That’s around 68% of the world’s population. The ubiquitous nature of the Internet has come about partly because of a structure that makes it easy to use. Take the humble URL. Anyone who uses the Internet knows almost instinctively that you need to either click a link or type a search term or domain name into the URL bar, and hey presto, a website appears.

Cybercriminals exploit this fundamental structure and ease of Internet use in pharming.

TitanHQ explores pharming and how to protect your employees and businesses against its harms.

Is Pharming a Form of Phishing?

Like many forms of phishing, pharming is used to defraud people into handing over sensitive data that may include financial details. Pharming cuts out the phishing intermediary, such as a malicious email link, and instead redirects users to a spoof website by other means. The spoof website is made to look exactly like a specific brand so that the user trusts the site. Once on the site, the individual is tricked into entering sensitive data, with behavioral manipulation tactics used to encourage data entry. Once the data is submitted, the attacker behind the pharming site steals it to carry out further attacks, such as identity theft or logging in to the real website that was spoofed.

What is a DNS, and Where Does it Fit in Pharming?

Knowing a technology's underlying structure and protocols is always helpful to gain insight into its vulnerabilities. So, before diving into how pharming works, here’s a brief recap of how the Internet works, or at least the parts that pharming exploits.

Every device on the Internet has a unique identifying number known as an IP address. However, most humans are much better at remembering names than numbers. So, the Internet designers developed a system that maps these numbers to names, like Microsoft or TitanHQ. This system is known as the DNS (Domain Name System).

A DNS lookup happens whenever you type a domain address into the URL bar or click a link that connects to a web address. The DNS translates the domain address, e.g., www.microsoft.com, into an IP address. This directs the user to the correct web server, which can then display the Microsoft website.

How Does Pharming Work?

Unlike phishing, pharming does not rely on an individual clicking a malicious link that takes them to a phishing website. Instead, pharming attackers use several techniques to manipulate the DNS system:

Host File Manipulation Through Malware: Every computer contains an operating system-level “hosts” file. This file is plain text and maps hostnames to IP addresses, and the operating system consults it before it asks DNS. Pharming attackers exploit this by installing malware on the user’s computer that modifies the hosts file. Malware can also alter the URL as it is entered into the address bar. Either way, the individual is redirected to a malicious website without realizing it. Host pharming tends to be highly targeted.

DNS Cache Poisoning or DNS Spoofing: Attackers target the DNS resolver, exploiting vulnerabilities that allow them to “poison” the cache, i.e., inject incorrect records. A DNS resolver has no way to verify that a cached record is genuine, which lets the attackers alter the mapping between domain names and IP addresses. The result is that individuals are redirected to a spoof site.

Rogue DNS Servers: DNS is the core attack focus of pharming. An attacker can either set up a rogue DNS server or compromise existing servers. Whenever a user navigates to a website, their lookup is answered by the malicious DNS server, which returns the IP address of the spoof website instead of the real one.

Router DNS Compromise: If an attacker can compromise the DNS settings on a local network router, users connecting to the network will be redirected to malicious DNS servers that map to the IP address of a fraudulent website.

A successful pharming attack results in the theft of data such as personal information like name and address, login credentials, and often financial details like credit card information. Depending on the target of the pharming attacker, the data collected can then be used for identity theft, illicit financial gains, and further phishing and fraud.
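The hosts-file technique above is the one a defender can audit directly on an endpoint. The following is an added example, not TitanHQ code: it parses a hosts file and flags any entry that pins a watched public domain (or one of its subdomains) to a fixed address, while ignoring the loopback names that belong there. The watched domain list, the examplebank.com domain and the sample hosts content are constructed for the example.

```python
"""Audit a hosts file for entries that pin public domains to fixed IPs.
Added example for the host-file manipulation technique above; not TitanHQ
code. The watched domains and the sample hosts content are constructed."""
import ipaddress

# Names that legitimately live in a hosts file on most operating systems.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}
# Constructed: public domains a business wants to watch for local overrides.
WATCHED_DOMAINS = ("examplebank.com", "microsoft.com")

def parse_hosts(text):
    """Return (ip, hostname, line_number) for every mapping, skipping comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:                      # blank line or bare IP
            continue
        for name in fields[1:]:                  # one IP may carry several names
            entries.append((fields[0], name.lower(), lineno))
    return entries

def redirects_off_host(ip):
    """True when the mapped address is routable rather than loopback/unspecified."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                             # malformed entry; resolvers ignore it
    return not (addr.is_loopback or addr.is_unspecified)

def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Flag entries that pin a watched domain (or any subdomain) to a fixed IP."""
    findings = []
    for ip, name, lineno in parse_hosts(text):
        if name in BENIGN_NAMES:
            continue
        for domain in watched:
            if name == domain or name.endswith("." + domain):
                findings.append({"line": lineno, "hostname": name, "ip": ip,
                                 "domain": domain, "off_host": redirects_off_host(ip)})
    return findings

# Constructed sample: a normal hosts file plus one malware-injected line (line 4).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
10.0.0.5        intranet.example.internal   # legitimate internal override
203.0.113.45    www.examplebank.com online.examplebank.com  # injected
"""
```

On a real endpoint, read the operating system's hosts file into `find_hijacks` and raise an alert on any finding with `off_host` set; a private internal override such as the intranet entry is left alone because its name is not a watched public domain.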

Examples of Pharming in the Wild

Brazilian bank 2017: The DNS registrations of the entire portfolio of a Brazilian bank were changed by hackers. All the bank’s website domains were redirected to phishing sites. Hackers could steal bank login credentials using sites resembling real bank websites.

Multi-bank pharming attack 2007: 65 banks were the target of a sophisticated pharming attack. The attack targeted multiple IP addresses and DNS servers in four different countries, compromising over 1,000 computers. The attack used a mix of phishing to initiate malware infection and pharming to commit fraudulent attacks on customers.

What Should You Do if You Have Been a Victim of Pharming?

If the worst scenario occurs and you believe your company may have fallen victim to pharming, you have several measures to mitigate the impact:

  • Run a full anti-malware scan of your computer to identify and remove any malware. However, if this was a zero-day malware attack, the anti-malware may be unable to detect the malicious software.
  • Clear your DNS cache.
  • Change login credentials entered on the fake site.
  • Report the attack to the spoofed organization, your ISP, and the relevant country authorities.

How Can TitanHQ Help?

Pharming attackers use the DNS system to evade detection by conventional security measures like web application firewalls and antivirus software. Because of the difficulty in identifying a pharming attack, companies use a defense-in-depth approach to pharming prevention. Measures to prevent pharming attacks include the following:

Security Awareness Training: Pharming attacks often present giveaway signs that something is wrong, but people must be trained to spot them. Security awareness training packages, like SafeTitan, provide training on safe internet use through interactive and engaging sessions. Employees and others can be taught to look for security signals such as unexpected prompts asking for personal data, suspicious or misspelled URLs, and SSL certificate warnings.

Security Patches: Always keep security patches up to date. This helps prevent the exploitation of software vulnerabilities that lead to malware infection.

DNS Filtering: DNS filters block malicious URLs, so if an employee is redirected to a malicious website, it will not open. Advanced DNS filters like WebTitan also block zero-day threats, stopping employees from engaging with emerging and newly created pharming sites.

Secure Routers: It is essential to change the default administrator password on your router and enable encryption for Wi-Fi networks. Also, ensure that firmware updates and patches are installed when they are available.

Other protective measures in a defense-in-depth approach to anti-pharming include using multi-factor authentication (MFA)
