What Is Pharming and How to Protect Yourself
Pharming meaning and definition
Pharming, a portmanteau of the words "phishing" and "farming", is an online scam similar to phishing, where a website's traffic is manipulated, and confidential information is stolen. In essence, it is the criminal act of producing a fake website and then redirecting users to it.
What is pharming?
Pharming is a type of social engineering cyberattack in which criminals redirect internet users trying to reach a specific website to a different, fake site. These “spoofed” sites aim to capture a victim’s personally identifiable information (PII) and log-in credentials, such as passwords, social security numbers, account numbers, and so on, or else they attempt to install pharming malware on their computer. Pharmers often target websites in the financial sector, including banks, online payment platforms, or e-commerce sites, usually with identity theft as their ultimate objective.
How does pharming work?
Pharming exploits the foundation of how internet browsing works — namely, that the sequence of letters that forms an internet address, such as www.google.com, has to be converted into an IP address by a DNS server for the connection to proceed.
Pharming attacks this process in one of two ways:
- First, a hacker may send malicious code in an email which installs a virus or Trojan on a user's computer. This malicious code changes the computer’s hosts file to direct traffic away from its intended target and toward a fake website instead. In this form of pharming – known as malware-based pharming – regardless of whether you type the correct internet address, the corrupted hosts file will take you to the fraudulent site instead.
- Second, the hacker may use a technique called DNS poisoning. DNS stands for “Domain Name System” – pharmers can modify the DNS table in a server, causing multiple users to inadvertently visit fake websites instead of legitimate ones. Pharmers can use the fake websites to install viruses or Trojans on the user's computer or attempt to collect personal and financial information for use in identity theft.
While DNS servers are harder to attack because they sit on an organization’s network and behind its defenses, DNS poisoning can affect a significant number of victims and therefore offer great rewards for cybercriminals. Poisoning can also spread to other DNS servers. When an internet service provider (ISP) receives information from a poisoned server, the corrupted DNS entry can be cached on the ISP’s servers, spreading it to more routers and devices.
What makes pharming attacks such a dangerous form of online fraud is that they require minimal action from the victim. In cases of DNS server poisoning, the affected user can have a completely malware-free computer and yet still become a victim. Even taking precautions such as manually entering the website address or always using trusted bookmarks is not sufficient, because the misdirection happens after the computer sends a connection request.
Once pharmers have obtained your personal information, they either use it themselves for fraudulent purposes or sell it to other criminals on the dark web.
Phishing vs Pharming - What is the main difference between phishing and pharming?
Phishing and pharming scams are similar but not exactly the same.
Phishing is a fraudulent practice where cybercriminals send you emails that appear to come from reputable organizations. The emails contain malicious links which take you to a fake website where unsuspecting users enter personal information – such as their username and password. Once you have submitted this information, fraudsters can use it for criminal purposes.
Pharming is a form of phishing but without the enticement element involved. Pharming involves two stages: Firstly, the hackers install malicious code on your computer or server. Secondly, the code sends you to a fake website, where you may be deceived into providing personal information. Computer pharming doesn’t require that initial click to take you to a fraudulent website. Instead, you are redirected there automatically – where the pharmers then have access to any personal information you divulge.
Phishing uses deceptive email, social media, or text messages asking you for your financial information, while pharming requires no lure. For this reason, pharming has been described as "phishing without a lure." Pharming is considered more dangerous than phishing since it can affect a significant number of computers without any conscious action from the victims. However, pharming attacks are less common than phishing because they require significantly more work from the attackers.
In 2019, a notable pharming attack took place in Venezuela. That year, Venezuela’s President made a public call asking for volunteers to join a new movement called “Voluntarios por Venezuela” (Volunteers for Venezuela). The purpose of this movement was to connect volunteers with international organizations providing humanitarian aid to the country. Volunteers were invited to sign up via a website that asked for their full name, personal ID, phone number, location, and other personal details.
Within a week of the original website going live, a second website appeared. This was almost identical, with a similar domain name and structure. However, it was a fake. Within Venezuela, both the real and counterfeit websites resolved to the same IP address, which belonged to the fake domain owner. This meant that regardless of whether a user opened the real or fake website, ultimately, their data would end up at the fake one. (Outside the country, they resolved to a different IP address.)
In 2015, in Brazil, attackers sent phishing emails to users of UTStarcom or TP-Link home routers purporting to be from Brazil’s largest telecom company. Links in the emails downloaded pharming malware designed to exploit router vulnerabilities and allow attackers to change the router’s DNS server settings.
Though not recent, one of the most significant and most famous recorded pharming attacks occurred in 2007, when over 50 financial companies across the US, Europe, and Asia were targeted. Hackers created an imitation web page for each targeted financial company, each containing malicious code. The websites forced consumers’ computers to download a Trojan. Subsequent log-in information from any of the targeted financial companies was collected. The total number of victims is unknown, but the attack took place over three days.
Signs of pharming - How to tell if you’re a victim of pharming
Signs that you have been a victim of pharming include:
- PayPal or credit or debit card charges that you do not recognize
- Posts or messages on your social media that you did not post
- Friend or connection requests from your social media that you did not send
- Changed passwords in any of your online accounts
- New programs appearing on your device which you did not download or install
If you think you have already fallen victim to pharming malware or a pharming attack:
- Clear your DNS cache
- Run your antivirus program to remove any malware and make sure your device is secure
- Contact your ISP if you believe your server has been compromised
- Change the password for all your online accounts
- Follow the fraud reporting procedures for your online banking, email, and social media platforms as applicable
How to protect yourself against pharming
- Choose a reputable internet service provider (ISP). A good ISP will filter out suspicious redirects by default – ensuring you never reach a pharming website in the first place.
- Use a reliable DNS server. For most of us, our DNS server will be our ISP. However, it is possible to switch to a specialized DNS service, which could offer more security against DNS poisoning.
- Only follow links that begin with HTTPS – as opposed to just HTTP. The “s” stands for “secure” and indicates that the site has a valid security certificate. Once on the site, check for the padlock icon in the address bar – another indicator that the site is secure.
- Don’t click on links or open attachments from unknown senders. While you can't protect yourself from DNS poisoning, you can take care to avoid the malicious software that enables pharming. Avoid clicking on links or opening attachments in any email or message you are unsure of.
- Check URLs for typos. Pharmers sometimes use spelling tricks to deceive visitors, by replacing or adding letters to domain names. Look at the URL closely and if you spot a typo – avoid it.
- Avoid deals that appear too good to be true. Online scammers sometimes lure victims with eye-catching deals – for example, discounts much lower than the legitimate competition. If offers seem implausible, then exercise caution.
- Enable two-factor authentication where possible. Many platforms offer two-factor authentication, and when this is available, it's a good idea to turn it on. This makes your accounts harder to hack into – even if fraudsters have obtained your log-in details through pharming, they won’t be able to access your account.
- Change the default settings of your Wi-Fi router. Changing the standard password and using a strong password instead for your private network will help to protect you from DNS poisoning. It is also essential to keep your router up to date. If your router doesn't have automatic updates, consider replacing it with one that does.
- Use a robust anti-malware and antivirus solution and keep it up to date. For example, Kaspersky Total Security protects you against hackers, viruses, and malware and works 24/7 to secure your devices and data.
The best way to protect yourself from cybercrimes such as pharming and phishing is through a combination of antivirus protection and following the latest cybersecurity best practices.