Pharming Introduction
A constantly evolving cybersecurity landscape means that security professionals must be vigilant to new threats and potential attacks, redefining concepts and terms as cybercriminals develop new techniques and tactics. Pharming, a neologism coined in the last two decades, is one such example of this approach to cybersecurity.
A portmanteau of “phishing” and “farming,” pharming's main goal is to defraud the user by directing them to spoofed websites designed to steal any inputted credentials or data. However, unlike phishing, the attacker requires no input from the user (such as clicking a link or responding to an email) to carry out the attack since pharming relies on installing malicious code directly onto a computer or server.
Here, we explore the topic in more depth, the types of pharming attacks currently known, and look at how to protect against pharming within your organization. Read on to learn more and discover why pharming is a serious threat to online security.
Pharming Definition
Pharming is a type of cyberattack that redirects a website's traffic to a fake or malicious website without the user's knowledge or consent. This can be done through various methods, including DNS cache poisoning, malware infection, or social engineering.
The goal of pharming is typically to steal sensitive information, such as login credentials or financial data, from unsuspecting users. It can also be used to spread malware or to launch further attacks on the targeted organization or individual.
How Does Pharming Work?
Perhaps the key point to grasp when trying to understand how pharming works is that a user can be directed to a malicious website even if the user types in the correct URL for the legitimate website. This is because pharming exploits internet browsers, targeting the process where internet addresses are converted into IP addresses by DNS servers.
This usually happens in one of two ways, either by exploiting vulnerabilities in DNS server software or by using malware (such as Trojan horses) to alter the host file on the user's computer that maps domain names to IP addresses. Ultimately, when the user attempts to access a legitimate website, they are redirected to a fake or malicious site instead.
However, today, pharming is also increasingly carried out through social engineering, email phishing, SMS phishing, or by creating a fraudulent website that looks like a legitimate one to trick users into divulging sensitive information.
Once a user's information is stolen, it can be used for identity theft or financial fraud and even sold to other cybercriminals on the dark web. For organizations, this can then lead to ransom demands or even expensive data breaches that damage both finances and reputation.
Types of Pharming Attacks and Examples
The main types of pharming rely on malware or DNS poising to insert code on computers or servers, automatically sending the user to a malicious website. Below, we look at each in more detail:
Pharming Malware
Pharming malware typically modifies the DNS settings on the victim's computer or router and, once successfully installed, redirects victims to fraudulent websites. In 2007, the DNSChanger malware successfully infiltrated millions of computers across the globe, spreading through social engineering practices, email attachments, and drive-by downloads.
DNSChanger was eventually shut down by the FBI and international law agencies by taking control of the DNS servers used by the attackers. The operation, known as Operation Ghost Click, then set up a clean DNS infrastructure to protect future victims.
DNS Poisoning
DNS poisoning, also known as DNS spoofing, is a type of cyberattack in which an attacker corrupts the Domain Name System (DNS) to redirect internet traffic from legitimate sites to malicious ones. This can be done by manipulating the DNS server or by intercepting DNS queries and providing false IP addresses in response. The goal of DNS poisoning is to steal sensitive information or to distribute malware. It can be mitigated using DNS security measures such as DNSSEC and DNS filtering.
An example of DNS poisoning would be an attacker intercepting or corrupting the DNS server used by a company. Once the DNS server is compromised, the attacker could change the IP address associated with the company's website to point to a server controlled by the attacker. When an employee of the company tries to access the website, they would be directed to the attacker's server instead of the legitimate one, providing the opportunity for cybercriminals to steal data and credentials.
Telltale Signs of Pharming
When looking for signs that you have been the victim of a pharming attack, it is important to remember that there may be similarities with other types of cyberattacks. Phishing vs. pharming, for example, display similarities and, in fact, can often be used together—using phishing techniques to install pharming malware, for instance.
That being said, there are some telltale signs that you may be experiencing a pharming attack, and ensuring everyone in your organization is aware of these is an important step in developing robust cybersecurity measures.
- You type in the correct URL for a website, but you are redirected to a different site.
- The website you are directed to looks different from the legitimate site and may contain spelling errors or other inconsistencies.
- You may receive pop-ups or error messages when trying to access the site.
- You may be prompted to enter personal information or login credentials on a site that is not the legitimate one.
- You may notice that your antivirus software or browser is blocked from accessing a legitimate website, indicating that it has been flagged as malicious.
- You may notice that the website's SSL certificate is invalid or expired, indicating that the website is not secure.
What to Do if You’ve Been Pharmed
Cybersecurity teams and individuals who suspect they may have been victims of a pharming attack can take steps to mitigate the issue and stop its spread to other computers and servers. These include:
- Run a full scan of your computer using your antivirus software. This will help to identify and remove any malware that may have been used to redirect your traffic to the fake site.
- Clear your browser's cache and cookies. This will remove any malicious code that may have been stored on your computer.
- Change your login credentials for any accounts that you accessed while on the fake site.
- Use a different device or network to access the site and make sure that it is the legitimate one before entering any personal information.
- Use a VPN service to encrypt your internet connection and protect your traffic from being intercepted.
- Report the phishing attack to the website owner and the relevant authorities, like the FBI's Internet Crime Complaint Center (IC3).
- Keep your software and system updated, and use anti-pharming software if possible.
How to Protect Yourself Against Pharming
To protect yourself from pharming attacks, it is important to use anti-virus and anti-malware software, to keep your software and operating system up to date, and to be wary of suspicious emails, links, or websites. It's also important to use a Virtual Private Network (VPN) to encrypt your internet connection and protect your data from hackers and cybercriminals.
It is also recommended to use two-factor authentication (2FA) whenever possible, as this can provide an additional layer of security to protect your accounts. In addition, regular updates from your cybersecurity team relating to issues surrounding social engineering can help employees avoid suspicious exchanges across social media platforms and email.
Conclusion: Pharming
Today, pharming attacks are a significant concern for cybersecurity teams, particularly for those in large organizations with many staff members. Regular security awareness training for all staff is a good place to start, ensuring everyone is on the same page and updated on the latest threats at all times.
For more information on how your organization can raise awareness and effectively deal with pharming attacks, as well as other cybersecurity events, contact Mimecast today or explore our blog for detailed insights into the cybersecurity landscape.
