Pharming
Pharming
Pharming is a type of cyberattack that redirects a website’s traffic to a malicious site that appears to be the real site. Pharming is used frequently in phishing attacks to trick a victim into sharing login credentials, banking information, or other sensitive data with the attacker.
In previous blogs, Between The Hacks has explained how attackers leverage doppelgänger (a.k.a. evil twin) domains to trick victims by using a visually similar domain name. In one example, Shark Tank TV celebrity, Barbara Corcoran was almost scammed out of $400,000 using this method in a Business Email Compromise (BEC) scam when an attacker sent an email from an email address using @barbaracorcran.com instead of the real, @barbaracorcoran.com address. While pharming is similar to a doppelgänger domain attack, it is actually more effective but much more difficult to execute. It is more effective, because when the victim visits the malicious website, he or she can see the valid domain name in their browser. It’s much more difficult to execute because the attacker must trick the victim’s computer into going to the malicious website by either making changes to the victim’s computer or somehow changing the destination IP address for a domain name by altering or “poisoning” the victim’s DNS lookup.
How Does A Pharming Attack Work?
To understand pharming, one must know a little bit about how your computer finds websites on the Internet.
When you enter a website address into your browser, such as www.google.com, your computer has to look up the IP address of that site because the Internet infrastructure needs to route traffic to IP addresses since it does not understand an address like www.google.com. We make those domain name addresses so our human minds will remember them more easily.
If you want to know the IP address (or IP addresses) of any website on the Internet, you can use the nslookup command on Windows, MacOS, and Linux. One of the IP addresses for www.google.com is 172.217.11.228. If you type that IP address in your browser, you will get to the Google website.
When you enter an address into your browser, your computer first checks for an IP address in a file on your computer called the hosts file. If it sees an entry in the hosts file for that website, it will go to that IP address. This file is editable by the owner of the computer and is a useful tool if you want to name devices on your network. If you want to try editing your hosts file, here are some instructions.
If your computer does not find an entry for that address in the hosts file, your browser will ask you computer’s default DNS server to look up the IP address of that website. There are DNS servers all over the Internet and unless you specifically changed your DNS servers, you are probably using servers from your Internet Service Provider (ISP). Once the DNS server comes back with an IP address, your browser can make the request to go to 172.217.11.228 and almost instantly, you will see the Google web page. So essentially, a pharming attack happens when an attacker is able to send the wrong IP address to the victim’s computer when it does a lookup.
Now that you know a little bit about how your computer looks up IP addresses, you can see how powerful it could be for an attacker to redirect traffic destined for a valid website, to a malicious website. Unlike the doppelgänger domain attack, with pharming, the victim will see the valid address in their browser when they visit the malicious website.
Examples
Looking for visual examples of pharming is difficult because shown side-by-side, many real sites and malicious sites will look exactly the same. However, Norton shared a short list of pharming attack examples that I have added below.
What Can You Do?
Enable multi-factor authentication (MFA) wherever it is available. This way if you do get tricked into sharing your credentials, the attacker would not be able to log into your real account.
Look for https in the destination website. While this is not a fool-proof method, seeing a major site using http is a definite red flag these days.
Keep your router up to date. If your router doesn’t have automatic updates, consider replacing it with a new router that does update automatically
Change the DNS settings on your router and devices to an alternate, encrypted DNS. (e.g. Cloudflare's 1.1.1.1, IBM's 9.9.9.9, Google DNS)
Follow standard anti-phishing recommendations.