The Anatomy of Pharming and How to Prevent It

‘Pharming’ is a type of cyberattack that uses malicious software to redirect traffic from a seemingly legitimate website to a fake one belonging to an attacker. For a pharming attack to be successful, the attacker must either modify the hosts file on the victim’s computer or take advantage of a vulnerability in the DNS server software.

Pharming attacks can result in the theft of confidential information, identity theft, the compromise of system security, and, of course, can cause damage to a company’s reputation. In recent years, pharming attacks have become more common, as hackers are increasingly targeting medium and large organizations with lucrative data holdings.

In this article, we will dive deeper into what pharming is, how it works and how to prevent this sophisticated cyberattack from happening before it gets a chance to endanger your company’s IT infrastructure.

What Is Pharming?

Pharming is a cyberattack designed to trick users into visiting a fake website by downloading and installing a malicious program on their devices. Pharming can be carried out by altering the hosts file on the victim’s computer or by taking advantage of a flaw in the DNS server software. The term ‘pharming’ is a neologism that comes from the words: ‘phishing’ and ‘farming’, according to Wikipedia.

A pharming attack can be particularly damaging because it exploits a vulnerability that has the potential to compromise a large number of users. For example, a pharming attack against a website that allows users to submit online forms could allow attackers to steal login credentials and other sensitive information from unsuspecting users.

Pharming has increasingly become a major risk, especially to businesses that host e-commerce and online banking websites, since this type of cyberattack is specially created to harvest sensitive data such as login credentials, credit card information, emails, and more.

How Does Pharming Work Exactly?

Pharming exploits the process that occurs each time we browse the internet. The Domain Name System (DNS) is responsible for converting human-readable domain names (web addresses) into machine-readable IP addresses.

When we try to reach a certain website, our computer’s browser will connect to a Domain Name System (DNS) server, which will provide the IP address necessary to access it. In order to save time and avoid unnecessary network traffic, browsers keep a cache with the domain name server (DNS) response for each website a user visits. Threat actors can launch pharming attacks targeting both the DNS cache and the DNS server.

In terms of strategy, threat actors usually rely on two methods to perform a pharming attack:

1. Malware-based pharming. This happens when a hacker sends malicious code via email and, if opened, installs a virus or Trojan on the recipient’s machine. This malicious code modifies the computer’s hosts file and diverts traffic from its intended destination to a bogus one. The main characteristic of this method is that the compromised hosts file will redirect the user to the malicious site, even if the address was typed correctly.
2. DNS Poisoning. This method is used by cybercriminals to alter a server’s DNS table in such a way that many visitors are tricked into visiting a spoofed version of a legitimate website. Then, attackers can use the fake website to infect computers with malware or steal sensitive information from their victims. Once a major DNS server has been compromised, cybercriminals can deceive a much wider audience.

Pharming vs Phishing

Pharming is similar to phishing. In fact, it can even be considered a form of phishing, but the main difference is that, in the case of pharming, there’s no ‘lure’ involved, which is also why pharming is often known as ‘phishing without a lure’.

Phishing is a malicious practice based on deception that is used to steal sensitive information (credit card details, usernames, passwords, etc.) from victims. The attackers pose as a trustworthy entity (often by imitating the look and feel of a well-known brand) to deceive the victims into disclosing sensitive information.

It usually relies on some form of lure: an email, a text message, or other forms of direct messaging, that contains a hyperlink that once clicked, can lead to a data breach. Email phishing is by far the most common type of phishing, but hackers use other mediums too to perform attacks such as spear phishing, vishing, smishing, angler phishing, watering hole phishing, or CEO fraud.

Pharming, on the other hand, is a more targeted attack, that doesn’t need an enticement element – aka ‘the lure’, and is performed usually in two stages: at first, the hackers begin by installing malicious code on your computer or server, then that code directs you to a bogus website where you can be tricked into providing sensitive information. Pharming does not require that ‘initial click’ to redirect you to the spoofed website, you are automatically redirected there, straight into the lion’s mouth – where you might be deceived into giving up your personal data.

Why Is Pharming So Dangerous?

One of the main reasons why pharming is so dangerous is that it can be difficult to detect. Attackers will often use well-known vulnerabilities in software to gain access to corporate networks and databases. Once inside, they will look for sensitive information, such as customer lists and trade secrets, and then attempt to sell it on the dark web.

Another reason why pharming is risky is that attackers can use this method to launch broader cyberattacks. By gaining access to a company’s systems, they can steal information or launch a ransomware attack that locks down a victim’s website until the ransom is paid.

Pharming attacks are particularly dangerous because they require minimal effort from their targets. In circumstances of DNS server poisoning, the affected user’s PC can be fully malware-free and still become a victim. Even safeguards like manually inputting the website address or using trusted bookmarks are insufficient since the misdirection occurs after the computer initiates a connection request.

How to Stay Safe Against Pharming

The good news is that with the right security measures, you can prevent pharming attacks from happening in the first place. Here are a few steps that you can take to stay safe against a pharming attack:

1. Make sure your systems are up-to-date with the latest security patches. Pharming attacks rely on known vulnerabilities in software, so installing updated security patches will help protect your company’s IT infrastructure from attacks. You can always try our patch management solution Heimdal® Patch & Asset Management which works with both Microsoft Windows and third-party software, to automatically install the latest security patches and to deploy, patch and manage your software inventory.
2. Avoid clicking on links that start with ‘HTTP’ — stick to the ones with ‘HTTPS‘ instead. The presence of the “s” denotes that the site in question is protected by a trusted security certificate.
3. Don’t visit links or download attachments from people you don’t know. You can protect yourself from pharming by avoiding the malicious software that makes it possible. If you have doubts about them, don’t open attachments or click on links received via email that look suspicious.
4. Double-check URLs for typos. To trick users, pharmers will sometimes alter the spelling of domain names by adding or removing letters. Examine the URL carefully, and if you notice a typo, don’t go there.
5. Keep your passwords strong. If you have to enter your password often, choose a long, complex password that is different from any other passwords you use on your computer. And make sure you never type your password into any email or website where you would not want someone else to see it!
6. Wherever possible, set up two-factor authentication (2FA). This will provide an additional layer of security in addition to passwords. Cybercriminals would have to be much closer to you to obtain the second authentication factor. This significantly decreases their chances of success.
7. Don’t share personal information. It’s important not to share personal information, such as your social security number or date of birth, with anyone you don’t know well. This information can be easily stolen if it falls into the wrong hands.
8. Consider using a security program that monitors malware such as an antivirus solution. When a threat is detected, this type of tool prevents the infected file from executing, preventing hackers from delivering their payload into your organization’s network. You can try our Next-Gen Endpoint Antivirus, which spots otherwise undetectable malware among other online threats such as ransomware, hidden backdoors, rootkits, and brute-force attacks.

Automate your patch management routine.

Heimdal® Patch & Asset Management Software

Remotely and automatically install Windows, Linux and 3rd party application updates and manage your software inventory.

• Schedule updates at your convenience;
• See any software assets in inventory;
• Global deployment and LAN P2P;
• And much more than we can fit in here...

Try it for FREE today 30-day Free Trial. Offer valid only for companies.

How Can Heimdal® Help?

Apart from the two products mentioned above: Patch & Asset Management and Next-Gen Endpoint Antivirus, because pharming’s second step of the attack is DNS poisoning, to strengthen your defense, your business would benefit from implementing a DNS filtering solution.

With cutting-edge machine learning technology and a robust DNS filtering module that can predict threats with a 96% success rate, Threat Prevention – Endpoint is the ideal solution to protect your endpoints from DNS attacks. Heimdal® Threat Prevention can stop users from communicating with malicious networks and restrict access to compromised domains by monitoring user traffic in real-time.

And if you want to protect your company’s network from advanced persistent threats (ATPs), ransomware, data leaks, and network malware, Heimdal® Threat Prevention Network can help you achieve that. It blocks connections to C&C servers, logs network traffic, verifies user identities, and keeps tabs on the evolution of previously unknown threats.

Antivirus is no longer enough to keep an organization’s systems secure.

Heimdal® DNS Security Solution

Is our next gen proactive DNS-Layer security that stops unknown threats before they reach your endpoints.

• Machine learning powered scans for all incoming online traffic;
• Stops data breaches before sensitive info can be exposed to the outside;
• Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
• Protection against data leakage, APTs, ransomware and exploits;

Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Wrapping Up

FBI’s Internet Crime Report from 2021 places pharming, together with phishing, vishing, and smishing in the first place by victim count with over 80,000 victims more than the previous year (323,972 victims in 2021 compared to 241,342 in 2020) and a loss of $44,213,707 reported in 2021. Since the numbers show that pharming is part of a real threat with an ascending trend, it’s important to take the time to implement security measures and choose the best tools on the market to help you achieve a strong cyber defense.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Newsletter

If you liked this post, you will enjoy our newsletter.

Get cybersecurity updates you'll actually want to read directly in your inbox.

I agree to have the submitted data processed by Heimdal Security according to the Privacy Policy

Madalina Popovici

Digital PR Specialist

Madalina, a seasoned digital content creator at Heimdal®, blends her passion for cybersecurity with an 8-year background in PR & CSR consultancy. Skilled in making complex cyber topics accessible, she bridges the gap between cyber experts and the wider audience with finesse.