What is pharming?
Pharming is a type of cyberattack involving the redirection of web traffic from a legitimate site to a fake site for the purpose of stealing usernames, passwords, financial data, and other personal information.
When you type a URL into your browser’s address bar, like www.google.com for example, several background processes have to happen before you see the familiar Google logo and search box on your screen. During a pharming attack, cybercriminals quietly manipulate those processes so that your web traffic goes to a malicious website instead of the one you intended to visit, even though the address bar still shows the name you typed. The destination site may load malware onto your computer. More often than not, it is a bogus phishing site. It is that activity that lends pharming its name, a mashup of the words “phishing” and “farming.”
A typical phishing site is spoofed or faked to look like a site the victim routinely visits, often financial or e-commerce in nature. The goal with a phishing site is to harvest or farm usernames and passwords when the unsuspecting victim attempts to log in to their account.
Pharming is a sophisticated kind of phishing attack and it can affect anyone on any platform. Windows and Mac users as well as mobile users on Android and iOS should all be wary of potential pharming attacks. Fortunately, there are a few commonsense steps you can take to protect against pharming, so keep reading to learn everything you need to know about pharming.
How does pharming work?
To understand how pharming works we need to start with a brief primer on domain names and IP addresses. Domain names and IP addresses are to websites as your name and location are to old-fashioned snail mail.
If you address a letter to “Nancy Thompson,” for example, writing nothing on the stamped envelope other than her name, Nancy’s not going to get your letter. The post office needs both her name and her location; e.g. “Nancy Thompson, 1428 Elm Street, Springwood, Ohio,” to successfully deliver your letter.
Likewise, the IP address (short for Internet Protocol address) is the underlying location for the domain name you want to contact. When you enter “www.facebook.com” in your browser’s address bar, your computer sends a request to a DNS server, usually a resolver run by your Internet service provider. That server’s job is to translate domain names into IP addresses. For the most common type of Internet Protocol, IPv4, an address is four numbers from 0 to 255 separated by periods, such as 192.0.2.10 (an address reserved for documentation examples); IPv6 addresses are longer and are written as groups of hexadecimal digits separated by colons. For Facebook, the answer will be an address inside one of the large blocks of addresses the company owns, and the exact number can vary from one lookup to the next because big sites spread traffic across many servers.
With the IP address in hand, the DNS server sends it back to your computer, and your browser connects to that address to fetch the Facebook site. This DNS resolution process, from the moment you press Return in the address bar to the time the page begins loading, usually takes milliseconds. One detail matters for what follows: before asking a DNS server at all, your computer checks its own hosts file and its local cache of recent answers, and it uses whatever it finds there without contacting a server.
Now, getting back to pharming: cybercriminals can manipulate this address system so that your request for “www.facebook.com” is answered with an address the criminal controls. This can happen in a couple of different ways.
What are the types of pharming?
There are two types of pharming: pharming malware, which tampers with the lookup on the victim’s own device or router, and DNS poisoning, which corrupts the DNS servers everyone relies on.
Pharming malware, also known as DNS changers or DNS hijackers, infects a victim’s computer and quietly rewrites the victim’s hosts file. The hosts file is a plain-text list of domain names and the IP addresses they should resolve to (/etc/hosts on macOS and Linux, C:\Windows\System32\drivers\etc\hosts on Windows). It predates DNS, and the operating system still consults it before it asks any DNS server, so an entry there overrides whatever the real DNS would have answered. Think of it as a personal Rolodex of websites that your computer trusts without question. With a malware-based pharming attack, the malware sneaks onto your computer (frequently via a Trojan) and adds lines to the hosts file so that the domain name of a given website, say your bank, points to a server the attacker controls; some variants instead change the computer’s DNS server setting to a rogue resolver, which has the same effect for every lookup. Either way, the address bar still shows the genuine domain name. Some pharming malware, e.g., the Extenbro Trojan, will also block access to cybersecurity sites (for instance by pointing their names at an unusable address), preventing victims from downloading software to remove the DNS changer.
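A practitioner checking for this kind of tampering would read the hosts file and look for exactly the two patterns described above: a real site name pointed at a foreign address, and a security vendor’s name sinkholed. The following script does that. It is an added example, not code from the original article or from any vendor; the hosts file it parses is constructed for illustration, 203.0.113.7 is a documentation address standing in for the attacker’s server, and the two domain watch-lists are assumptions you should replace with the sites you actually log in to.

```python
"""Audit a hosts file for pharming-style entries.

Added example; not code from the original article. SAMPLE_HOSTS is a
constructed hosts file and the two domain watch-lists are assumptions.
For a live check, read /etc/hosts (Linux, macOS) or
C:\\Windows\\System32\\drivers\\etc\\hosts (Windows).
"""
import ipaddress

# Assumption: domains whose mapping should never be overridden locally.
HIGH_VALUE_DOMAINS = {"facebook.com", "paypal.com", "bankofamerica.com"}

# Assumption: vendor domains that DNS-changer malware tends to sinkhole.
SECURITY_DOMAINS = {"malwarebytes.com", "virustotal.com"}

# Names that legitimately map to loopback on most systems.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}

# Constructed sample: a hosts file after a hypothetical pharming Trojan edited it.
# 203.0.113.7 is a documentation address standing in for the attacker's server.
SAMPLE_HOSTS = """\
# Host Database
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.50    nas.home               # legitimate LAN shortcut
203.0.113.7     www.facebook.com       # genuine name, attacker's address
0.0.0.0         www.malwarebytes.com   # vendor site sinkholed (Extenbro-style)
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def registered_domain(hostname):
    """Crude registered-domain guess (last two labels); fine for this watch-list."""
    return ".".join(hostname.strip(".").split(".")[-2:])


def audit_hosts(text):
    """Return human-readable findings for suspicious entries, in file order."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"MALFORMED {name} -> {ip}")
            continue
        if name in LOCAL_NAMES:
            continue
        sinkholed = addr.is_loopback or addr.is_unspecified
        domain = registered_domain(name)
        if domain in HIGH_VALUE_DOMAINS and not sinkholed:
            # The classic pharming edit: a real site name pointed somewhere else.
            findings.append(f"REDIRECT {name} -> {ip}")
        elif domain in SECURITY_DOMAINS and sinkholed:
            # Blocking the vendor so the victim cannot download a cleaner.
            findings.append(f"BLOCKED {name} -> {ip}")
        elif not (sinkholed or addr.is_private or addr.is_link_local):
            # Any other public address in a home hosts file deserves a look.
            findings.append(f"PUBLIC {name} -> {ip}")
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS) or ["no suspicious entries"]:
        print(finding)
```

On a real machine, call `audit_hosts` on the contents of the platform’s hosts file; an empty result is the normal state for a home computer, since almost nothing legitimately needs a hosts entry today. The script only covers the hosts-file variant; a DNS changer that swapped the configured resolver would have to be caught by inspecting the network settings instead.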
DNS poisoning, also known as DNS spoofing or cache poisoning, attacks the DNS servers themselves rather than the victim’s computer. An attacker either exploits a flaw in the resolver software to take the server over, or tricks the resolver into caching a forged answer, for instance by flooding it with fake replies that guess the transaction ID of a query it has just sent. Once a bad record is in the cache, the resolver hands it to every client that asks until the record expires, so a single poisoned resolver at an ISP or a large company can misdirect tens of thousands of users at once. The same thing can happen closer to home. Your Internet router forwards DNS lookups for your devices and keeps a cache of recent answers, so any device on your network reuses what someone else on it looked up before. In that sense your router is a small-scale DNS server, and it too can be poisoned; more commonly, an attacker who can log in to the router (a default admin password is enough) simply changes its upstream DNS setting to a rogue resolver, and every device that takes its settings from the router follows.
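To make the lookup described earlier and the forgery described here concrete, below is a small model of a caching resolver under a blind poisoning flood, together with the checks a resolver uses to resist it: the transaction ID and source port must match an outstanding query, the question must be echoed back, and records outside the zone being queried are discarded. This is an added example, not code from the original article and not a real DNS implementation. Packets are plain dictionaries; the query name, the zone used as the bailiwick, the attacker’s address 203.0.113.7, and the use of port 53 as the “fixed” source port are all constructed for illustration.

```python
"""Toy model of a caching resolver and the checks that resist cache poisoning.

Added example; not code from the original article and not a real DNS
implementation. Dicts stand in for DNS packets; transaction IDs, ports,
names and the attacker's address 203.0.113.7 are constructed. The
attacker is modelled as fully blind: it never sees the real query and
must guess the transaction ID and the resolver's source port.
"""
import secrets


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class Resolver:
    def __init__(self, randomize_port=True):
        self.cache = {}      # (name, rtype) -> rdata
        self.pending = {}    # (txid, source port) -> outstanding query
        self.randomize_port = randomize_port

    def send_query(self, name, rtype, zone):
        """Register an outstanding query and return what goes on the wire."""
        txid = secrets.randbelow(1 << 16)                  # 16-bit transaction ID
        # Old resolvers used one fixed source port (53 here, an assumption);
        # modern ones pick a random ephemeral port per query.
        port = secrets.randbelow(65536 - 1024) + 1024 if self.randomize_port else 53
        query = {"txid": txid, "sport": port, "qname": name, "qtype": rtype, "zone": zone}
        self.pending[(txid, port)] = query
        return query

    def receive(self, resp):
        """Validate a response; return the records actually cached."""
        key = (resp["txid"], resp["dport"])
        query = self.pending.get(key)
        if query is None:
            return []      # txid or port matches nothing we asked: drop
        if (resp["qname"], resp["qtype"]) != (query["qname"], query["qtype"]):
            return []      # question section must echo our question
        cached = []
        for name, rtype, rdata in resp["records"]:
            if not in_bailiwick(name, query["zone"]):
                continue   # off-zone records are ignored; accepting them was the old poisoning hole
            self.cache[(name, rtype)] = rdata
            cached.append((name, rtype, rdata))
        del self.pending[key]   # first matching answer wins; later ones are dropped
        return cached


def attacker_flood(resolver, qname, qtype, guessed_port, evil_ip):
    """Blind attacker: assume one source port, try every 16-bit transaction ID.

    Returns how many forged records the resolver accepted into its cache.
    """
    accepted = 0
    for txid in range(1 << 16):
        forged = {
            "txid": txid, "dport": guessed_port, "qname": qname, "qtype": qtype,
            "records": [
                (qname, qtype, evil_ip),           # the answer the attacker wants cached
                ("www.paypal.com", "A", evil_ip),  # bonus record outside the zone
            ],
        }
        accepted += len(resolver.receive(forged))
    return accepted


def poisoned(randomize_port):
    """Issue one query, run the flood against it, return what got cached for the name."""
    r = Resolver(randomize_port=randomize_port)
    r.send_query("www.facebook.com", "A", "facebook.com")
    attacker_flood(r, "www.facebook.com", "A", guessed_port=53, evil_ip="203.0.113.7")
    return r.cache.get(("www.facebook.com", "A"))


if __name__ == "__main__":
    print("fixed source port  :", poisoned(randomize_port=False))   # attacker's address
    print("random source port :", poisoned(randomize_port=True))    # None
```

With a fixed source port the attacker needs at most 65,536 guesses and always wins this race (the genuine answer is not even modelled); with a random port the same flood never matches, because the attacker now has to guess roughly 32 bits instead of 16. The bailiwick check is why the forged paypal.com record is never cached even when the facebook.com one is. Port randomization only raises the cost of guessing; the complete fix is DNSSEC, which lets a validating resolver reject a forged record outright.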
How to protect against pharming
Set a strong password on your home router, and definitely don’t keep the default password printed on the bottom of it. The router’s administrative password is what stands between an attacker and its DNS settings, and the Wi-Fi password keeps strangers off your network in the first place, so change both. This is how to protect your home network against local DNS poisoning. If you’re having trouble remembering passwords, consider using a passphrase instead. A passphrase is a string of unrelated words that is easy for a human to remember but very costly to brute force with a password-cracking tool, provided the words are picked at random from a large list rather than taken from a familiar saying. Unlike a conventional long and strong password, there’s no uppercase/lowercase mixing or special symbols. For example (please don’t use this as your passphrase), “pensivepurplecathighheelshoes” would make a good passphrase. All you have to do is imagine a purple cat wearing high heels with a pensive look on its face. The more words, the stronger it is; six randomly chosen words is the usual recommendation.
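How much a passphrase buys you depends on two numbers the paragraph above only gestures at: how many words it has and how big the list they were drawn from is. The script below generates a passphrase with a cryptographic random source and works out the guess resistance. It is an added example, not code from the original article. The built-in word list is a tiny constructed stand-in so the block runs offline; the 7,776-word list size and the guess rate of one trillion per second are assumptions used for the estimates, the former matching the EFF long word list that is commonly used for this purpose.

```python
"""Generate a word passphrase with a CSPRNG and quantify its guess resistance.

Added example; not code from the original article. WORDS is a tiny
constructed list so the block runs offline; for real passphrases load a
published list such as the EFF long word list (7776 words), which is the
LIST_SIZE assumed in the estimates. The guess rate is an assumption for
illustration, not a measurement of any cracking rig.
"""
import math
import secrets

# Constructed stand-in list; far too small to use for real.
WORDS = ["pensive", "purple", "cat", "high", "heel", "shoes", "lantern", "river",
         "copper", "velvet", "orbit", "marble", "thunder", "quiet", "basket", "fennel"]

EFF_LONG_LIST_SIZE = 7776      # assumption: the list you would use in practice
ASSUMED_GUESSES_PER_SECOND = 1e12   # assumption: a fast offline attack on a weak hash


def make_passphrase(word_count, words=WORDS, sep=""):
    """Pick words with secrets.choice so each pick is independent and uniform."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def entropy_bits(word_count, list_size):
    """Entropy of a passphrase of `word_count` uniformly random words."""
    return word_count * math.log2(list_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every possibility at a fixed offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def strength_report(word_count, list_size=EFF_LONG_LIST_SIZE,
                    guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Bits of entropy and how long exhaustive search takes at the assumed rate."""
    bits = entropy_bits(word_count, list_size)
    return {"words": word_count, "bits": round(bits, 1),
            "years_to_exhaust": years_to_exhaust(bits, guesses_per_second)}


if __name__ == "__main__":
    print(make_passphrase(6, sep=" "))
    for n in (4, 5, 6):
        print(strength_report(n))
```

Run it and the point of “more words” becomes visible: at the assumed rate, four words from a 7,776-word list fall to exhaustive search within an hour, while six words take thousands of years. The lookalike in the article, five words a person picked because they form a picture, is weaker than five words drawn at random, because human choices cluster on common words.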
Use a password manager. Specifically, you want one that offers to fill in username and password fields automatically when it recognizes a login page you’ve saved. A spoofed phishing site at a look-alike address may pass for the real thing on cursory inspection, but a password manager matches on the site’s actual domain and can’t be fooled so easily: if you land on a bad site, the manager won’t recognize it and won’t offer to auto-complete your credentials. Be aware of the limit, though. In a true pharming attack the address bar shows the genuine domain, so the manager may well offer to fill. What still gives the fake away is encryption: the attacker’s server cannot present a valid HTTPS certificate for the real domain, so your browser will warn you. Treat a certificate error on a site you log in to as a red flag, and never enter credentials after clicking through one.
Use a good anti-malware program. Pharming isn’t a computer virus, and signature-only antivirus won’t necessarily catch it, but a modern anti-malware product can block malware that tries to rewrite your hosts file or change your DNS settings, and can block known-malicious sites whatever path brought you to them. Malwarebytes, for example, has programs for Windows, Mac, Chromebook, Android, and iOS that stop adware, spyware, and Trojans, including the kind that tamper with your hosts file. Malwarebytes will also block suspicious websites you might land on as a result of a poisoned DNS.
Consider using a different DNS service. You can run security software to block malware-based pharming and the malicious sites a poisoned resolver sends you to, but you can’t do anything about the poisoning of a resolver you don’t control; keeping those servers secure is up to whoever runs them. For most people the default is the DNS service offered by their Internet service provider (ISP), and that’s probably fine, but there are popular alternatives, namely Google Public DNS, OpenDNS, and Cloudflare’s 1.1.1.1. All three claim improved security and privacy over a typical ISP resolver. Two features matter for pharming specifically: DNSSEC validation, which lets the resolver reject forged records for domains that sign their data (Google Public DNS and Cloudflare both validate), and encrypted DNS (DNS over HTTPS), which all three offer and which, when your browser or operating system is configured to use it, stops anyone on the path, including a hijacked home router, from substituting its own answers. OpenDNS also offers FamilyShield servers specifically for families looking to block adult content.