What is a pharming attack? Basics and prevention

Anton P. | January 19, 2021

Pharming pursues the same goal as phishing: to harvest sensitive information, typically exploited for financial gain. However, the tactics selected are less prone to detection. Pharming overrides DNS configurations and drives web traffic to fake sites, mock-up versions of legitimate pages. Such attacks require minimal user interaction, and experts label them as “phishing without a lure.”

What is pharming?

A pharming attack is a malicious activity aimed at corrupting DNS resolution. DNS refers to the process of converting traditional URLs (google.com) to IP addresses associated with them. If hackers re-configure this translation, they replace legitimate IP addresses with the ones linked to bogus sites.

DNS-rewriting is a skillful cybercrime focused on operating quietly, without raising any suspicion for the victims. Since there are no attempts to prompt visits to specific domains, users feel secure with their final destination. However, since pharming poisons DNS mapping, even correct URLs will lead to fake look-alike versions. Typically, hackers hope to score hefty volumes of user data and credentials, helping them get monetary gain. Thus, rogue websites mimic digital banking or e-commerce services.

How does pharming work?

Malware-based pharming. It focuses on distributing malware capable of overriding hosts files on victims’ devices. These tactics typically mark smaller-scale attacks, limited to specific machines. The hosts file converts standard URLs into numeric strings. The malware adds fraudulent entries into it and pairs legitimate URLs with IP addresses associated with rogue sites.
DNS server poisoning. Instead of targeting individual devices, hackers can go for server-based attacks. Such pharming corrupts domain name requests at the DNS server level. Thus, devices relying on them are bound to be misdirected to malicious sites. Since victims type correct URLs, they have no reason to suspect spoofing. Due to its stealthy nature, DNS poisoning is incredibly dangerous. Unsuspecting users might deliberately give away their information to look-alike domains.

Pharming vs. phishing

While it strongly resembles phishing, experts treat pharming as more sophisticated due to its under-wraps implementation. Additionally, phishing relies on users’ reactions to falsely urgent and misleading messages. Pharming has no calls-to-action or clickbait elements as the main redirection to fake domains happens behind the scenes. Hence, it compromises security at the DNS level instead of relying on deceitful email campaigns.

While pharming does not coerce visits to rogue websites, the initial stages of these attacks might depend on social engineering. Malware-based attacks need a distribution channel for injecting DNS-rewriting viruses.

One pharming attack relied on malicious email messages urging victims to enter specific websites. Upon arrival, iframes with JavaScript exploited CSRF vulnerabilities in routers. As a fallback option, hackers performed brute force to run different credential pairs on routers. If flaws or username-password combinations gave access to router admin pages, criminals would substitute the primary DNS settings to rogue websites. In that case, Google’s public DNS became the secondary option, resolving requests even if fraudulent DNS rendered unavailable.

Thus, even though pharming and phishing represent distinct scam tactics, hackers could combine them. That makes your vigilance towards deceitful and dangerous email messages even more crucial.

What are the main dangers of pharming?

Credential theft. Since fake websites can convincingly mimic reputable services, visitors will log in without any hesitation. Sadly, hackers will capture the provided credentials instead. Then, criminals can perform account takeover, extract personal information, and make changes or transactions without victims’ consent.
Blackmail and extortion. If stolen accounts contain confidential information, culprits could blackmail victims in exchange for keeping it private. Criminals can threaten to expose data or to sell it on the black market if targets refuse to pay hefty sums.
Financial losses. Most pharming attacks reroute traffic to fake banking websites. After retrieving clients’ credentials, criminals can wire money to their accounts.
Credential stuffing. Extorted details could serve as a base for attempts to take over other accounts associated with your email. If you have reused the same password, hackers can access other services thanks to successful pharming.

How to prevent and mitigate pharming attacks?

Do not react to suspicious messages in your inbox. Malware-based pharming might use social engineering techniques to distribute malicious files. If you refuse to click on any links, you will prevent the DNS-overriding virus from reaching your system.
Look for HTTPS instead of HTTP. Hackers might not add the secure communication protocol (known as TLS) for the fake websites. The absence of HTTPS is a warning that the website might be dangerous. Hence, avoid submitting personal information or credentials on such domains.
Use two-factor authentication. 2FA limits the chances of account takeovers even if your credentials leak. Hence, use this option whenever possible as it will serve as an additional barricade against unauthorized access.
Change router passwords. Pharming attacks could rely on brute force to enter your router’s admin page. Luckily, you can make such attempts fruitless by assigning a unique and complex password for your router.
Use a VPN. Most large-scale attacks (that do not rewrite hosts files) depend on flaws in DNS services. By exploiting them, perpetrators can misdirect thousands of people in a highly stealthy way. A reliable VPN provider like Atlas VPN handles your domain name requests through its own DNS servers. What does this mean for you? Simply put, DNS servers supplied by your ISP will no longer be in charge of resolving DNS queries. So, even if the servers assigned to you by default suffer a pharming attack, your browsing remains unhinged. Thus, a VPN is a loophole to escape the aftermath of a router or DNS server corruption.