WP What is Pharming | Types, Examples & Best Practices | Imperva

Pharming

20.9k views
Attack Types

What is a Pharming Attack?

Pharming is an attack technique that manipulates the Domain Name System (DNS) to redirect a user’s legitimate request to a fraudulent website without their knowledge.

This deceptive technique is based on compromising the DNS server or the user’s local host file, causing the DNS queries to resolve to the attacker’s IP address instead of the legitimate one. Since the DNS protocol’s semantics don’t strictly define handling such manipulations, different systems and browsers may respond to it differently.

Some systems may silently redirect the user to the fraudulent site, making the attack almost invisible to an untrained eye. The attacker abuses this behavior to steal sensitive information, such as login credentials or financial details, leading to serious consequences like identity theft or financial loss.

Pharming vs. Malvertising: Key Differences

Pharming and malvertising are both cyber threats but operate differently:

Pharming:

  • Nature: Redirects legitimate web requests to fraudulent sites by manipulating DNS.
  • Execution: Affects all users requesting a specific site, often without user interaction.
  • Impact: Can lead to widespread data theft and financial loss.

Malvertising:

  • Nature: Embeds malicious code within legitimate online ads to spread malware or redirect users.
  • Execution: Targets individual users through infected ads, requiring user interaction.
  • Impact: May cause individual system infections and compromised privacy.

In summary, while pharming alters DNS to redirect web requests, malvertising exploits online advertising to deliver malicious content. Both pose significant threats but differ in their methods and impact.

How Pharming Attacks Work: A Technical Insight

Pharming attacks are executed with precision, targeting the backend operations of the internet. Below is a step-by-step analysis of how these attacks work:

  1. DNS manipulation: The attacker compromises a DNS server or alters the user’s local host file. The change causes the DNS queries to resolve to the attacker’s IP address instead of the legitimate site.
  2. Redirected to a fraudulent site: When a user attempts to visit a legitimate website, the manipulated DNS instead directs them to a fake site that looks similar, even identical, to the legitimate one. This redirection happens seamlessly, without the user’s knowledge.
  3. Sensitive information is captured: The fraudulent site is designed to capture sensitive information such as usernames, passwords, and credit card details. Since the site looks legitimate, users enter their information without hesitation.
  4. Exploiting ambiguities in DNS handling: Since DNS handling is not uniformly defined across different systems, the attacker can exploit ambiguities to make the attack more effective and harder to detect.
  5. Bypassing security measures: Traditional security measures like web application firewalls and antivirus software may not detect pharming, as the attack occurs at the DNS level. This makes pharming an insidious, and complex, threat.

Pharming attacks showcase the importance of understanding the underlying mechanisms of the internet and the need for robust security measures at every level. Awareness, vigilance, and adherence to best practices are advised. 

Different Types of Pharming Attacks: A Classification

Pharming attacks can be broadly categorized into two main types, each with its unique characteristics and methods of execution. Understanding each type helps to devise effective countermeasures:

  1. DNS Server Pharming:
    • Description: This type of pharming attack targets the DNS servers themselves. Attackers exploit vulnerabilities in the DNS software to redirect legitimate website requests to fraudulent sites.
    • Impact: Since DNS servers handle requests for many internet users, compromising them can affect many users.
    • Countermeasures: Updating DNS software regularly, implementing DNSSEC (DNS Security Extensions), and monitoring unusual traffic patterns can help mitigate the risk.
  2. Local Host Pharming:
    • Description: Unlike DNS Server Pharming, Local Host Pharming targets individual computers. Attackers manipulate the local host file on a user’s computer to redirect specific website requests.
    • Impact: This type of attack is more targeted and impacts individual users or specific organizations.
    • Countermeasures: Effective antivirus software, regular system scans, and user education about suspicious email attachments and downloads can help prevent local host pharming.

Both types of pharming attacks aim to deceive users and capture sensitive information, but they differ in their approach and impact. Awareness of these distinctions is crucial for both individual users and organizations.

Examples of Pharming Attacks: Real-World Incidents

Below are some notorious, real-world  incidents that illustrate the gravity and diversity of pharming attacks:

  • Brazilian Bank Attack (2017):
    • Scenario: In a significant pharming attack, cybercriminals redirected all traffic from a major Brazilian bank’s website to a replica of the site hosted on their malicious servers.
    • Impact: Over the course of several hours, the attackers captured login details from the bank’s customers, leading to an unknown amount of financial loss.
    • Lesson: This incident emphasized the importance of multi-factor authentication and continuous monitoring of DNS records.
  • DNSChanger Malware (2007):
    • Scenario: The DNSChanger malware altered the DNS settings on infected computers, redirecting them to fraudulent websites and ads.
    • Impact: Millions of computers were infected worldwide, generating millions in ad revenue for the attackers.
    • Lesson: The widespread nature of this attack highlighted the need for robust endpoint security and user awareness.
  • RSPlug Trojan Attack on Mac Users (2007):
    • Scenario: The RSPlug Trojan targeted Mac users, altering the DNS settings on infected machines to redirect web requests to phishing sites.
    • Impact: Many Mac users were affected, leading to personal data theft and financial loss.
    • Lesson: This attack served as a reminder that no platform is immune to pharming and the importance of keeping systems updated.

These examples demonstrate the varied and evolving nature of the threat. They underscore the importance of a multi-layered approach to organizational security, including regular software updates, end-user education, and adherence to DNS security best practices.

What is Pharming Malware?

Pharming malware is a specific type of malicious software designed to redirect legitimate web requests to fraudulent sites by altering the DNS settings on a victim’s computer or network device. Here’s a detailed look at this deceptive cyber threat:

  • Functionality: Pharming malware changes the DNS server addresses to those controlled by the attacker, ensuring that web requests resolve to malicious sites. Internet users often unwittingly pick up malware, such as Trojan horses or viruses, through malicious email or software downloads.
  • Covert Redirection: The downloaded malware covertly reroutes the user to a fake or spoofed website created and managed by the attacker. When people access the site, the attacker sees all the personal data or login credentials they enter.
  • Corruption and Modification: In this pharming process, malicious code sent via email resides on a user’s computer, modifying and corrupting locally hosted files, as well as changing stored IP addresses. These corrupted files automatically direct a user’s computer to attackers’ fraudulent websites rather than the legitimate site they intend to visit.
  • Example: The notorious DNSChanger malware infected millions of computers, leading to significant personal data theft and financial loss.
  • Detection and Prevention: Pharming malware can be challenging to detect but can be prevented through robust antivirus software, secure DNS practices, and user education.
  • Ongoing Threat: Despite legal actions against creators, pharming malware continues to evolve, posing a persistent threat to internet users worldwide.

Understanding pharming malware’s mechanisms, impact, and prevention measures is essential for both individual users and organizations to navigate the digital landscape securely.

Phishing vs. Pharming: What’s the Difference?

Phishing and pharming are both malicious techniques aimed at tricking users into sharing sensitive data with a bad actor. However, each attack differs significantly in its approach and execution.

Phishing Attack

In a phishing attack, a threat actor crafts an email or message that appears to be from an official source with the hope that the recipient will click on a malicious link or attachment. The phishing email typically contains a link that the user must click, leading to a fraudulent site designed to capture sensitive information. Phishing often incorporates social engineering tactics to enhance the effectiveness of the attack, increasing the likelihood of successfully stealing money, data, or personal information from the intended victim.

Pharming Attack

A pharming attack doesn’t require an email message or direct user interaction. Instead, the malware runs as a background process on the computer, intercepting web requests and redirecting users to malicious websites. Once the malware executes, it persists on the computer, even after rebooting, continually monitoring user activity, showing popups, or hijacking browser settings. Only specialized malware removal tools can delete malicious files.

In summary, while phishing relies on deceiving the user through crafted emails and requires user interaction, pharming operates silently in the background, redirecting web requests without the user’s knowledge. Both pose significant threats but differ in their methods, making awareness and tailored prevention measures essential.

See how Imperva DDoS Protection can help you with pharming attacks.

Preventing Pharming Attacks: Essential Methods and Best Practices

Pharming attacks can have devastating consequences, but several effective methods exist to prevent them. Below is a comprehensive guide to safeguarding data from this complex threat:

  1. Secure DNS Practices:
    • Use DNSSEC: Implementing DNS Security Extensions (DNSSEC) adds an extra layer of authentication to DNS responses, making it harder for attackers to manipulate.
    • Monitor DNS records: Regularly monitoring DNS records for unauthorized changes can help detect pharming attempts.
  2. Robust Antivirus and Firewall Protection:
    • Keep software updated: Ensuring that antivirus and firewall software are up to date provides protection against known vulnerabilities that pharming malware may exploit.
    • Use malware removal tools: Specialized tools can detect and remove pharming malware that may have infected a system.
  3. Educate Users and Employees:
    • Awareness training: Educating users and employees about the risks of pharming and how to recognize potential threats can significantly reduce the risk of a successful attack.
    • Promote safe browsing habits: Encourage the use of HTTPS and verify website certificates to ensure a secure connection.
  4. Secure Network Devices:
    • Change default passwords: Many pharming attacks target routers with weak default passwords. Changing these to strong, unique passwords can prevent unauthorized access.
    • Regularly update firmware: Keeping router firmware updated closes security gaps that attackers might exploit.
  5. Implement multi-factor authentication (MFA):
    • Enhanced Security: MFA adds an additional layer of security, making it more difficult for attackers to gain access even if they have captured login credentials.

By adopting these methods and maintaining a proactive approach to cybersecurity, individuals and organizations can significantly reduce the risk of falling victim to pharming attacks. Continuous vigilance, regular updates, and a strong security culture are key to staying one step ahead of this threat.