Pharming, a portmanteau of the words "phishing" and "farming", is an online scam similar to phishing, where a website's traffic is manipulated, and confidential information is stolen. In essence, it is the criminal act of producing a fake website and then redirecting users to it.
Pharming is a type of social engineering cyberattack in which criminals redirect internet users trying to reach a specific website to a different, fake site. These “spoofed” sites aim to capture a victim’s personally identifiable information (PII) and log-in credentials, such as passwords, social security numbers, account numbers, and so on, or else they attempt to install pharming malware on the victim’s computer. Pharmers often target websites in the financial sector, including banks, online payment platforms, or e-commerce sites, usually with identity theft as their ultimate objective.
Pharming exploits the foundation of how internet browsing works: the sequence of letters that forms an internet address, such as www.google.com, has to be converted into an IP address by a DNS server for the connection to proceed.
Pharming attacks this process in one of two ways:
While DNS servers are harder to attack because they sit on an organization’s network and behind its defenses, DNS poisoning can affect a significant number of victims and therefore offer great rewards for cybercriminals. Poisoning can also spread to other DNS servers. When an internet service provider (ISP) receives information from a poisoned server, the corrupted DNS entry can be cached on the ISP’s servers, spreading it to more routers and devices.
What makes pharming attacks such a dangerous form of online fraud is that they require minimal action from the victim. In cases of DNS server poisoning, the affected user can have a completely malware-free computer and yet still become a victim. Even taking precautions such as manually entering the website address or always using trusted bookmarks is not sufficient, because the misdirection happens after the computer sends a connection request.
Once pharmers have obtained your personal information, they either use it themselves for fraudulent purposes or sell it to other criminals on the dark web.
Phishing and pharming scams are similar but not exactly the same.
Phishing is a fraudulent practice where cybercriminals send you emails that appear to come from reputable organizations. The emails contain malicious links which take you to a fake website where unsuspecting users enter personal information – such as their username and password. Once you have submitted this information, fraudsters can use it for criminal purposes.
Pharming is a form of phishing but without the enticement element involved. Pharming involves two stages: Firstly, the hackers install malicious code on your computer or server. Secondly, the code sends you to a fake website, where you may be deceived into providing personal information. Computer pharming doesn’t require that initial click to take you to a fraudulent website. Instead, you are redirected there automatically – where the pharmers then have access to any personal information you divulge.
Phishing uses deceptive email, social media, or text messages asking you for your financial information, while pharming requires no lure. For this reason, pharming has been described as "phishing without a lure." Pharming is considered more dangerous than phishing since it can affect a significant number of computers without any conscious action from the victims. However, pharming attacks are less common than phishing because they require significantly more work from the attackers.
In 2019, a notable pharming attack took place in Venezuela. That year, Venezuela’s President made a public call asking for volunteers to join a new movement called “Voluntarios por Venezuela” (Volunteers for Venezuela). The purpose of this movement was to connect volunteers with international organizations providing humanitarian aid to the country. Volunteers were invited to sign up via a website that asked for their full name, personal ID, phone number, location, and other personal details.
Within a week of the original website going live, a second website appeared. This was almost identical, with a similar domain name and structure. However, it was a fake. Within Venezuela, both the real and counterfeit websites resolved to the same IP address, which belonged to the fake domain owner. This meant that regardless of whether a user opened the real or fake website, ultimately, their data would end up at the fake one. (Outside the country, they resolved to a different IP address.)
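The resolution pattern in this incident (two names sharing one address from inside the country, with a different answer seen from outside) is the kind of discrepancy a defender can check for by comparing DNS answers across vantage points. The following is an added example, not code from the original article; the hostnames, addresses, and vantage names are constructed placeholders, and the answers are supplied as data so it runs offline.

```python
# Added example: sample data below is constructed (RFC 5737 addresses,
# .example names); it is not taken from the incident described above.
from collections import defaultdict

# vantage -> hostname -> set of A records observed from that vantage
OBSERVED = {
    "in-country-isp": {
        "volunteers.example": {"203.0.113.10"},
        "volunteers-signup.example": {"203.0.113.10"},
    },
    "external-reference": {
        "volunteers.example": {"198.51.100.7"},
        "volunteers-signup.example": {"203.0.113.10"},
    },
}


def divergent_hosts(observed, local, reference):
    """Hostnames whose local answers share no address with the reference."""
    findings = []
    for host, local_ips in sorted(observed[local].items()):
        ref_ips = observed[reference].get(host)
        if ref_ips and local_ips.isdisjoint(ref_ips):
            findings.append((host, sorted(local_ips), sorted(ref_ips)))
    return findings


def shared_address_hosts(observed, vantage, watched):
    """Other hostnames that resolve to the same address as a watched host."""
    by_ip = defaultdict(set)
    for host, ips in observed[vantage].items():
        for ip in ips:
            by_ip[ip].add(host)
    return {
        ip: sorted(hosts - {watched})
        for ip, hosts in by_ip.items()
        if watched in hosts and len(hosts) > 1
    }


def audit(observed, local, reference, watched):
    """Combine both signals into one report for the watched hostname."""
    return {
        "divergent": divergent_hosts(observed, local, reference),
        "shares_address_with": shared_address_hosts(observed, local, watched),
    }


if __name__ == "__main__":
    print(audit(OBSERVED, "in-country-isp", "external-reference",
                "volunteers.example"))
```

Content delivery networks and geo-aware DNS legitimately return different addresses per vantage, so a divergent answer is a prompt to verify the address owner and the site's TLS certificate, not proof of poisoning on its own.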
In 2015, in Brazil, attackers sent phishing emails, purporting to be from Brazil’s largest telecom company, to users of UTStarcom or TP-Link home routers. Links in the emails downloaded pharming malware designed to exploit router vulnerabilities and allow attackers to change the router’s DNS server settings.
Though not recent, one of the most significant and best-known recorded pharming attacks occurred in 2007, when over 50 financial companies across the US, Europe, and Asia were targeted. Hackers created an imitation web page for each targeted financial company, each containing malicious code. The websites forced consumers’ computers to download a Trojan. Subsequent log-in information from any of the targeted financial companies was collected. The total number of victims is unknown, but the attack took place over three days.
Signs that you have been a victim of pharming include:
If you think you have already fallen victim to pharming malware or a pharming attack:
The best way to protect yourself from cybercrimes such as pharming and phishing is through a combination of antivirus protection and following the latest cybersecurity best practices.