Phishing Variations: Pharming

May 23, 2016 by


Related Phishing Variation Articles:

  1. Vishing
  2. SMiShing
  3. Spy-Phishing
  4. Pharming
  5. Watering Hole Attacks
  6. SPAM

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Pharming is a cyber-attack that gets its name because of its resemblance to phishing (some would even classify it as a type of phishing). With phishing, victims receive an email that seems to have come from some type of authority figure. CEO phishing, for example, is very popular. Unfortunately, the person sending the email is a cyber-criminal hoping to trick the target into handing over sensitive information that can be used to steal money, financial records, and more.

With pharming, the setup is a bit more complex, but the social engineering that is used is essentially the same: Scam artists trick victims into thinking they’re visiting a familiar and/or authoritative website where they will be comfortable handing over their personal information.

However, the two are different enough that it’s worth covering pharming in detail. This is especially true, as pharming will most likely continue to grow as a common form of cybercrime and, yet, most people have never even heard of it—even if they are on alert about phishing.

How Does Pharming Work?

The attacker doesn’t merely make a website that looks like that of a trusted company. That would most likely have a low success rate, as it would also require not just a domain, but also a way of getting that URL in front of the victim without setting off any alarm bells.

Unlike most forms of phishing, then, pharming actually takes a great deal of technical acumen. As a result, it relies on a skill set that more resembles that of traditional hackers.

Pharming attacks are designed to take traffic meant for one website and reroute it to another. Of course, the scammer’s website will need to resemble the real deal, but they don’t need to worry about forcing the victim to manually type in a dubious domain name.

The genius—albeit a malicious form—of pharming attacks is how effortlessly they garner compliance from victims. There is such a smooth transition from the beginning to the end that it’s tough to know when it’s happening. Unlike phishing and vishing, there are far fewer opportunities for the perpetrator to tip off the target.

How Do Pharming Attacks Reroute the Traffic?

This is where the technical skill and hacking comes into play. There are two main ways an attacker will get you to their intended site.

The first is through altering host files on your computer. You could get an email, for example, that involves some code. As soon as you open the email, the code goes to work, altering local host files on your computer. These host files are important because they take the URL you type in and convert it to the numbers that get used to find the site you want.

Once the attack is done, typing in the correct URL for a site won’t matter. The corrupted host files will still direct your traffic to the malicious site. Even if you click on a bookmark for the site, the attack will be successful.

While there is some spyware removal software out there that can remove this type of corruption, many victims are left having to adjust their browsing habits.

The other main form of pharming is called DNS poisoning. With this version, the DNS (domain name system) table in a server is altered so that your traffic gets rerouted, as in the previous example.

DNS poisoning is a far more ominous type of attack, though, because it doesn’t touch anything on your computer. Your host files are just fine. Instead, by going after the DNS server, it can affect thousands or even millions of users at once as they make normal requests to surf the World Wide Web.

This means that no amount of spyware can fix the problem either, because it’s not on the victim’s computer at all. In fact, when a sweep of their system is done, even high-quality cyber-security software may come back and report a spotless system with no problems.

The Endgame of Pharming

As you can probably guess, the fraudulent website is set up to extract information from visitors. For example, it might pretend to be your bank’s site. When you go to access your account, you’ll put in your username and password. Maybe you’ll even answer a security question or two, which only serves to reassure you of your safety.

Sadly, you’ve just handed the keys to your account over to a cybercriminal who can now do whatever they like with it.

Sometimes, all the hacker wants is for you to arrive on their fake site. That will give them ample opportunity to put a Trojan horse or some other virus on your computer, from which they can create all types of problems for you.

In one infamous example back in 2007, the attackers targeted over 50 international banks. Users who wanted to visit these banks were seamlessly redirected to a fraudulent mockup of the site they desired. Little did they know that their computer had downloaded a Trojan horse that, in turn, downloaded five more malicious files.

Meanwhile, the site they had been directed to simply displayed an error message and recommended that the user take down their firewall and shut off any antivirus software they were using. You can probably guess how that ended for them.

Once a computer was infected, any time the user tried going back to their bank’s website, they landed on the fake page, where they would hand over login credentials. As soon as they did, the site would reroute them back to the one they had meant to visit in the first place, making the entire attack invisible.

Aside from banks, other popular websites to impersonate were those belonging to credit card companies, healthcare providers, phone companies, email services and basically anywhere else you’d use personal information.

In 2004, a teenager in Germany was able to redirect users from eBay to his mock site.

New Pharming Technique Attacks the Router

As proof that cyber-criminals are always evolving, last year, a new version of pharming showed up in Brazil. The perpetrators still focused on a DNS, but they did it through email and by going after the users’ routers.

The technique preyed on security flaws in home routers that gave the cybercriminal access to the administrative console. Once they were “inside,” the hackers simply changed the routers’ DNS settings.

Whereas the DNS servers of ISPs and businesses tend to be pretty well protected—and now you probably understand why—the same cannot generally be said for home routers. In the case of this Brazilian attack, the security breach doesn’t seem to have occurred because of lazy password setting, either, which makes it all the more alarming.

When the DNS is the target, it’s typically a network attack, too. The attacks that were happening in Brazil last year occurred through email. This worked as a combination of phishing and pharming.

Pharming Hits the Federal Reserve

You would think that the Federal Reserve would benefit from some of the top cyber-security measures in the entire world. The bank plays literally the biggest influence in our country’s economy and, it could be argued, that of others as well.

Yet, it also serve as a good example of what pharming attacks are capable of.

Just last year (2015), a pharming attack forced the St. Louis branch of the Federal Reserve to require a password reset from all of its users. While the name of the DNS provider that was compromised was never mentioned, it’s clear that this is how the pharming attack found success.

The branch noticed the problem on April 24, after people were consistently redirected from the bank’s site to fake pages. Victims could have had their login credentials stolen—hence the need to change passwords—and malware may have been downloaded to their computers or both.

While the parts of the site that were targeted for reproduction had to do with research, no details were given about what the login credentials would’ve given cyber-criminals access to, but it’s obviously a real point of concern if the Federal Reserve can’t even guard against this type of threat.

The Looming Threat of Pharming

There are far fewer pharming attacks every year than incidents of phishing, though it’s tough to count either type of attack, as many people don’t realize when they’re victimized and a lot more simply won’t report it.

Pharming, though, is still an extremely serious threat because it can affect far more people at the same time. While phishing got its name because of the wide net cast by perpetrators, victims generally happen one at a time until necessary information is gathered to violate thousands.

As you’ve probably gathered by now, though, successfully attacking a single DNS could immediately put millions of people at risk. If the attacker decides to make a bank or ecommerce website their primary site for subterfuge, it would then become extremely easy for them to steal a whole lot of money at once.

While we really started to see pharming become a problem in 2005, the attacks are still coming. We already touched on how they’re evolving, too, but you can be sure 2016 will most likely see some new version of this problem as well.

Steps You Can Take to Defend Against Pharming

Although this may all seem pretty grim, there are steps you can take to give yourself a fighting chance against pharming scams. You can rest assured that ISPs (internet service providers) are always working to filter out these types of sites, but it’s still on you to make further precautions a serious priority.

First, always use a trusted internet service provider. You should want one that understands how serious an issue pharming is and is constantly searching these sites in order to ban them.

Second, before you ever hand over any important information that could be used to steal your identity, check the URL of the site you’re on. Although we mentioned dubious URLs earlier, some cyber-criminals will use misspelled versions because, if they’re close enough, they generally won’t catch a victim’s eye. After all, once you’re on the site you want—or think you are, anyway—how often are you checking the URL to confirm?

Third, but along the same lines, whenever you’re being asked for personal information, check to confirm the URL begins with “https” instead of just “http.” The addition of the “s” to the former stands for “secure”, which is the setting you want when sensitive data is being transferred to another party online.


Fourth, you can check the certificate of a website to ensure it’s legitimate. How you do this will depend on the Internet browser you use. With Internet Explorer, for example, you go to “File” in the main menu and scroll down to “Properties.” You can also just right-click anywhere on the page and select it from that menu. This process should be fairly similar across browsers.

When the “Properties” box pops up, click “Certificates.” If the site is indeed legitimate, it will have an equally legitimate certificate from its actual owner to prove it.

You should already be using an antivirus program to protect your computer from viruses, hackers, worms, and Trojan horses. A personal firewall is important for this, as well. As we covered above, these efforts can’t stop DNS poisoning, but you should have them anyway, so you might as well select one that can guard against host file corruption on your computer.

Along the same lines, always download the newest security updates for the browser you use and your operating system. The same goes for patches. This will ensure that you always have the latest line of defense, especially as companies are working hard to combat something they see as a very serious problem.

Pharming isn’t going away any time soon and it’s a tough threat to deal with because, if the attackers go after the DNS you use, there’s little you can do. Still, follow the above tips to make safe web browsing a priority and you’ll be far less likely to end up on the receiving end of an attack.

Fortunately, when it comes to training, Infosec IQ has you covered. Sign up for an account and then go to “AwareEd.” In the “courses” section, you’ll find an article titled “Safe Browsing” that will show you the red flag to look for so you can avoid pharming scams.


Get six free posters

Get six free posters

Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.