Pharming – What It Is And How To Prevent It

By: Mary-Ann Eriksson | Cyber Security | 13 April

Pharming is a dangerous type of phishing and online scam that cyber criminals use to steal sensitive personal information, such as usernames, passwords, and account numbers. Pharming is a sophisticated form of phishing, as the attack can happen without your knowledge or consent. In this blog post, we will present useful information about pharming that can help you recognize when an attack is taking place. We will also offer helpful tips for how you can protect yourself or your organization against pharming attacks.

What is pharming?  

A common definition of pharming is an online fraud where cybercriminals manipulate your web traffic, making it possible for them to redirect you from your intended website to a fake website. Once you have entered the fake website, the attackers will usually try to trick you into giving up personal information and log-in credentials. The spoofed website might also load pharming malware onto your computer.  

What happens during a pharming attack?  

During a pharming attack, the final goal for cyber criminals is often identity theft. To achieve this goal, a two-step process is used. First, cyber criminals either install malicious code on the victim’s computer or corrupt their server without the victim’s knowledge. Second, the installed code or corrupted server will send the victim to a fake website. Because the redirection of web traffic to the fake website happens automatically, no action, such as clicking a link, is needed from the victim. Imagine, for instance, that you type www.google.com into your browser, but the connection gets hijacked, and you actually end up on a fake website. After this point, any information that you share on the fake website will be available to the cyber criminals.

Fake websites used in pharming  

The fake or spoofed websites are designed to look and feel like real websites that the victim might recognize, making it easier to trick the victim into providing confidential information. The fake website might for instance try to resemble Amazon, using their well-known logo, specific colours and design to try to trick those that get redirected to the website. Most commonly, the spoofed websites will try to imitate financial sites, such as banks, or e-commerce sites to target the victim’s financial data.  

How does pharming work?  

Pharming takes advantage of the way that internet browsing works. Whenever we want to enter a website, the domain address, such as cyberpilot.io, must be translated by the Domain Name System (DNS) to an Internet Protocol address (IP address). The IP address makes it possible to read the location of the domain address you want to enter, allowing the web browser to connect to the DNS server and proceed with the connection. A pharming attack takes advantage of this process in two ways.

1. Malware-based pharming 

Malware-based pharming is when you unknowingly pick up malware, like a virus or Trojan, through malicious code sent in an email from a pharmer. Once you open a certain file or click on a link in the email, the malicious code gets installed on your computer. The malicious code then changes your computer’s local hosts file so that traffic can be redirected from an intended website to a fake one. This will happen even when you type in the correct domain address.
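
A defender can audit the hosts file for exactly this kind of change. The Python sketch below is an added example, not part of the original post; the watch list and the sample file contents are constructed for illustration.

```python
import ipaddress

# Assumed watch list: domains whose silent redirection would matter to this user.
WATCHED = {"google.com", "amazon.com", "myetherwallet.com"}

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:                      # blank line or address only
            continue
        for host in fields[1:]:                  # one address may carry several names
            yield line_no, fields[0], host.lower().rstrip(".")

def is_watched(host, watched=WATCHED):
    """True for a watched domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in watched)

def audit_hosts(text, watched=WATCHED):
    """Return findings for watched names pinned to a routable address."""
    findings = []
    for line_no, addr, host in parse_hosts(text):
        if not is_watched(host, watched):
            continue
        try:
            ip = ipaddress.ip_address(addr.split("%", 1)[0])  # strip IPv6 zone id
        except ValueError:
            findings.append((line_no, host, addr, "unparseable address"))
            continue
        # Loopback and 0.0.0.0 entries are typical ad-block sinkholes, not redirects.
        if ip.is_loopback or ip.is_unspecified:
            continue
        findings.append((line_no, host, addr, "watched domain overridden locally"))
    return findings

# Constructed sample; 203.0.113.0/24 and 2001:db8::/32 are documentation ranges.
SAMPLE = """\
127.0.0.1   localhost
::1         localhost
0.0.0.0     ads.google.com        # sinkhole entry
203.0.113.7 www.google.com google.com
2001:db8::5 login.amazon.com
10.0.0.12   intranet.example
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

To check a real machine, pass in the contents of /etc/hosts (Linux, macOS) or C:\Windows\System32\drivers\etc\hosts (Windows) and extend the watch list with the sites you log in to.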

2. DNS server poisoning

DNS server poisoning is when the DNS server gets corrupted by pharmers, enabling web traffic to be redirected to fake websites. Unlike malware-based pharming, this technique does not rely on corrupting the hosts file. Instead, it poisons the DNS table in a server that handles the requests from users to enter domain addresses, sending users to fake IP addresses. If a large DNS server gets poisoned, the pharming attack could affect a larger group of people.
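
One way to spot a poisoned resolver is to compare its answers for a domain with the answers from independent resolvers. The following Python heuristic is an added example, not part of the original post; it works on answers that have already been collected, and the resolver labels and addresses are constructed.

```python
import ipaddress

# RFC 1918 ranges: a public website should never resolve into these.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _net(ip, v4_prefix=24, v6_prefix=48):
    """Enclosing network of an address, used as a coarse 'same hosting' key."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def audit_resolver(local_answers, reference_answers):
    """Compare one resolver's answers for a name with independent resolvers.

    local_answers: iterable of IP strings from the resolver under test.
    reference_answers: dict of resolver label -> iterable of IP strings.
    Returns a list of (ip, reason) for answers that deserve a closer look.
    """
    trusted_nets = {_net(ip) for ips in reference_answers.values() for ip in ips}
    findings = []
    for ip in sorted(set(local_answers)):
        addr = ipaddress.ip_address(ip)
        if (addr.is_loopback or addr.is_link_local
                or any(addr in n for n in PRIVATE_NETS)):
            findings.append((ip, "non-public address for a public name"))
        elif _net(ip) not in trusted_nets:
            findings.append((ip, "not near any reference answer"))
    return findings

# Constructed answers for one domain; documentation ranges stand in for
# real public addresses.
REFERENCE = {
    "resolver-a": ["198.51.100.10", "198.51.100.11"],
    "resolver-b": ["198.51.100.20"],
}

if __name__ == "__main__":
    print(audit_resolver(["198.51.100.11"], REFERENCE))   # consistent answer
    print(audit_resolver(["203.0.113.66"], REFERENCE))    # answer from elsewhere
```

A mismatch is a lead to investigate rather than proof of poisoning, because content delivery networks legitimately hand different addresses to different resolvers.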

An example of pharming 

One famous example of a pharming attack involves Amazon Web Services (AWS) and highlights the dangers of this type of attack.  

In 2018, a DNS server poisoning attack was set in motion against AWS. A number of DNS servers were hijacked, which made it possible for the cyber criminals to redirect traffic from several of the domains belonging to the AWS system. One of the most damaging outcomes of this attack focused on the cryptocurrency website MyEtherWallet.  

When people entered this domain address into their web browser, they were taken to a fake website that looked very similar to the original one. The cyber criminals were therefore able to steal many of the users’ login credentials. Once these were captured, the pharmers could enter the users’ accounts and drain their funds. It is estimated that a total of $17 million worth of Ethereum was stolen during the attack.

Phishing and pharming – what are the differences? 

Phishing and pharming are similar, as they share the same goal of tricking victims into giving up personal information, but the two use different methods to achieve this.

Phishing is a scamming practice where cybercriminals send out deceptive emails or other types of direct messaging, urging you to click on the embedded link. This link is malicious and will take you to a fake website where you can be lured into giving away sensitive information. Once the information has been divulged, it will usually result in identity theft and financial losses.

Pharming is a form of phishing, but it often requires limited or even no conscious action from the victim, as their web traffic gets manipulated and they are automatically redirected to the fake website. The name pharming is a combination of the two words “phishing” and “farming”, suggesting that because no action is usually needed from the victim’s side to open a fake website, pharming is like phishing but “without a lure”. Pharming is more dangerous than phishing, as it is more difficult to protect yourself against.

Signs of pharming 

There are two major giveaways for when a pharming attack is taking place. Below are the two signs that you should be on the lookout for.

  • An unsecure web connection. If a web address begins with HTTP, as opposed to HTTPS, you can be sure that something fishy is going on. The “S” in HTTPS stands for ‘secure’, ensuring that the website has been validated and can be trusted. Therefore, always make sure that https is written in the URL, and not http.

  • Websites that do not look right. Pharming websites will try to trick you into believing that they are legitimate, but there will often be something that does not look quite right. Check for slightly different logos, colours, spelling errors or other things that might look suspicious before giving away any information.  

How to prevent pharming 

Aside from being aware of the signs, you can use the strategies listed below to reduce the risk of pharming attacks.

  • Choose a more secure DNS server. For most people, their default internet service provider (ISP) is their DNS server. A traditional DNS server will usually not be able to prevent DNS poisoning from happening. It is, however, possible to choose a more specialized DNS server that offers greater security against DNS poisoning.

  • Use a good antivirus solution and anti-malware program. Choosing a good antivirus solution and anti-malware program is an effective way to protect against pharming attacks. It is important that your chosen solution can be updated so that you are sure to be protected even as the methods of pharming attacks evolve.  

  • Avoid opening unfamiliar or suspicious-looking links or attachments. A good general rule is to always avoid clicking on links from unknown sources. This will ensure that malicious software isn’t being installed on your computer.

  • Enable two-factor authentication. Many platforms and sites offer two-factor authentication. You should enable this for an extra layer of security whenever possible.

  • Change default password on router. It is important to change the default password on your router to avoid DNS poisoning. By changing the password to a stronger one, you will be able to protect your home network.  

What more should organisations keep in mind?  

As we now know, pharming is an extremely dangerous form of phishing that can have grave consequences for the victims. It is therefore important that everyone in an organisation is aware of pharming and learns both how to recognize a pharming attack and how to prevent one from happening in the first place. This way, your employees can become part of your defence plan against these types of cyber-attacks.

To achieve this, organisations can invest in awareness training, giving employees the necessary tools to recognize the signs of a pharming attack. Organisations can also work towards having a company culture where everyone feels safe to report suspicious instances that could be connected to pharming. This way, a pharming attack could be confirmed sooner rather than later and larger financial losses could be prevented.

Conclusion  

After reading this blog post, we hope you have learned and understood what pharming is and how it works. You should now be able to recognize the signs of a pharming attack if it takes place. We have also shared some tips that you can implement to prevent falling victim to a cyberattack.  

Also, remember that if your organization wishes to build a stronger defence against pharming, it is important that your employees learn how to recognize pharming attacks, and that awareness about cyber-threats is created. A great way of creating a culture of awareness in your organization is to invest in awareness training. If this is something your organization would be interested in, you can try out our 14-day free trial for awareness training. If you want to find out how prepared your organization is against phishing attacks, you can also have a look at our phishing training.