What Is Pharming? How DNS Spoofing and Malware Sends Users To Fake Websites
Pharming is when a legitimate website’s traffic is redirected to a fake site for malicious purposes. This is usually done with malware or DNS spoofing.
These fake websites often look like legitimate websites and trick users into divulging sensitive information like login credentials.
Pharming is effective because users will not double-check the domain name of a website they just entered themselves.
How Does Pharming Work?
To understand how pharming works, you need to know how domain names and IP addresses operate. When you enter a domain name into a browser, the request is sent to a Domain Name System (DNS) server. The server matches the domain name to an IP address and then loads the corresponding website.
Pharming exploits the process between entering a domain name and the DNS server uploading the correct website. Criminals will install malicious code to redirect a request to a different and fraudulent website.
But how do criminals install their malicious code? There are two ways it can be done:
Malware-based pharming: A user unknowingly installs malware from a malicious email or accidental download. Once the computer is infected, the malware changes the local host files. When the user enters a domain name into their browser, the malware automatically redirects to a fraudulent website.
DNS spoofing: DNS spoofing is similar to malware-based pharming, but it happens on a wide scale. This tactic is usually aimed at companies that maintain servers. DNS spoofing involves modifying the DNS settings in a server to send potentially tens of thousands of people to a fake website instead of the legitimate website. In a pharming attack, criminals can install false information in the DNS cache which would direct the user to a spoofed website.
Pharming is particularly dangerous because users often don't need to do anything to become a victim. In the case of DNS spoofing, an individual can have a malware-free computer but accessing a corrupted server increases the risk of having personal information stolen.
What's the Difference Between Pharming and Phishing?
Pharming is a type of phishing attack. While pharming is a combination of the words "phishing" and "farming", it doesn't rely on emails or social engineering like traditional phishing does. In a typical phishing attack, criminals send emails with social engineering tactics to trick the recipient into sharing sensitive information or clicking a malicious link.
Phishing scams tend to be more popular with criminals since it's easier to execute. Criminals don't need technical knowledge and skills to successfully conduct email scams. Meanwhile, pharming is harder to carry out due to its technical nature, but it's also harder to detect.
Pharming requires more technical expertise since it involves installing code or spoofing a domain. Pharming is often referred to as "phishing without a lure.”
What Is an Example of Pharming?
One notable example of a successful pharming attack occurred in 2015 with the Malaysia Airlines website. When users entered "www.malaysiaairlines.com", they were not sent to the legitimate website. Instead, they were redirected to a hacker's web page featuring a claim the website was hacked.
Initially, Malaysia Airlines denied its web servers were hacked. In a way, this was true. The web servers were not infiltrated by criminals. But the DNS server (the server which connects a domain name to the web server) was attacked and the settings were changed to redirect web traffic to the hacker's web page instead of the actual website.
While the hacking group did this as a prank, it goes to demonstrate that the group could have redirected web traffic to a spoofed website and stolen personal information that way.
How to Protect From Pharming
There are many ways to protect yourself and your organization from pharming and phishing attempts. Some of these tactics include:
Create strong passwords to protect against local DNS spoofing.
Use a password manager since it won't auto-fill login credentials for a spoofed domain name.
Enable multi-factor authentication.
Keep anti-malware programs updated.
Upgrade to a DNS service with improved security protocols.
Avoid using public or free WiFi.
Implement a VPN.
Use an advanced email security solution to search for malicious emails.
Abnormal Security uses artificial intelligence and natural language processing to detect malicious emails, links, and attachments. Our advanced email security solution can also detect suspicious behavior in other email accounts and flag them as a potential account takeover.
Some of these red flags include:
Unusual IP addresses
Spoofed email display names
Suspicious links and attachments
Changes to mail filter rules
Ready to upgrade your email security and protect your organization from the latest email threats? Get a demo to see how Abnormal Security can protect your employees' inboxes.