Pharming: A Form of Phishing Attack Exploiting Servers

threatcop
9 min readOct 28, 2022

Security is a vital facet that an organization must address swiftly. Besides your organization’s physical safety, it is crucial to be alert regarding cybersecurity. With the rising number of cyber attacks, you can never know when your organization will be the next target.

According to Forbes, cyber attacks in 2021 increased by 15.1% in comparison to 2020. Amidst different types of cyber attacks, pharming attacks are one of the leading methods employed by threat actors.

Almost 43% of organizations do not employ cybersecurity practices on their servers. 62% still don’t deploy auto-remediation owing to their oblivious knowledge of the attacks that happen by corrupting DNS servers, known as pharming.

In 2021, pharming attacks incurred financial damage of over $50 millions to organizations.

Definition of Pharming

What is Pharming?

Pharming is a type of phishing attack that exploits an organization’s reputation or steals their private data. Cybercriminals design malicious codes and install them on personal systems or servers. They get access to the target’s system or network and misdirect you to a dangerous website, hijack your URL, and become the reason behind your loyal customers’ distrust.

Read more about Phishing and Pharming.

Examples of Pharming Attack

Pharming is a widespread scam. There have been several pharming attacks that have made headlines due to their severity. Some examples of them are

  • More than 50 financial institutions became victims of pharming in 2007 through an exploited Microsoft vulnerability. It includes millions of people from the US, Europe, and the Asia-Pacific region. Attackers downloaded the customer’s credentials who earlier visited the targeted institutions and later redirected them to the original website.
  • Many Brazilian internet users were exploited by hackers using a flaw in home routers in 2015. Hackers accessed the administrator console and changed the DNS setting to a malicious server.
  • During the ongoing humanitarian crisis in Venezuela in 2019, hackers created a fraudulent website for volunteers to register and offer aid. It had the same IP address, causing the information to go through the fake website regardless of whether an individual used the genuine site.

Types of Pharming

DNS pharming

A DNS server is used to direct users to the requested websites. However, a corrupted DNS server will route requests for websites to fake or alternate IP addresses. By poisoning DNS tables, attackers redirect users to fraudulent websites, often without their knowledge.

DNS pharming does not target a single file or folder. It exploits vulnerabilities by poisoning the entire DNS server. If the attacker manages to get hold of your organization’s server, then they can access all the files and network of the organization.

Malware-Based pharming

Malware-based pharming works more disparately than DNS server attacks. Instead of using the entire server, hackers attempt to break into one system. They create covert malware to guide the target to a fake website.

The attacker crafts a malicious code and sends it as an email. When your employees open the email, the code releases a trojan on the system to alter the local host files. These corrupted files guide you to fraudulent websites whenever you enter an internet address.

Difference Between Phishing and Pharming

Pharming and phishing are the two most common cyber attacks in the present day. The pharming is a special type of phishing attack, where the attack takes two steps. The first step is exploitation and second is phishing. However, they vary from one another in many ways. For instance,

Phishing

  • Attackers send emails with links and attachments to execute their plans.
  • The attacker targets one or multiple people.
  • The attacker sends an attachment or link to the high-level officials in an organization.
  • Users themselves activate the code or fulfill the attacker’s objective by engaging with the malicious email.
  • It is easier to detect and prevent.

Pharming

  • Attackers corrupt the host files or the entire server without the user’s knowledge.
  • Pharmers usually target a large organization or several people at once.
  • Pharmers covertly install malicious code or malware on a company’s system.
  • It changes the IP addresses and misdirects users to a fake website without requiring any action from them.
  • It is hard to identify and more malicious than phishing.

Overall, it would not be wrong to conclude pharming is a form of phishing attack, one that is a little more challenging to dodge.

What Losses Does the Organization Suffer from Pharming?

Pharming attacks can leave you vulnerable and exposed to many severe implications. Some of the typical losses you may have to endure are

  • Disruptions in the organization’s activities
  • Revenue loss and financial damage
  • Decline in market value relating to your reputation
  • Stolen intellectual property or sensitive and private information

How Does Pharming Work?

Pharming is a two-form process to access the mechanics that allow millions of people to surf the internet. There are two ways that cybercriminals use this attack:

  1. In malware-based pharming, the malware enters the system and modifies your local host files. As a result, the domain name of a specific website makes a false path to a malicious website in place of the genuine one. Moreover, many Trojans and malware block access to antivirus solutions, restraining you from installing software to eliminate the DNS server-changing viruses.
  2. DNS poisoning attacks prey on a large audience. It uses the DNS to direct users to a fraudulent website instead of the genuine one. The DNS server provides IP addresses to domain names. For instance, Google’s domain name is “google.com” with an IP address “187.128.30.49.” Pharmers tamper with the DNS server and change the IP address of websites. They lead the users to a corrupt site to gain their information. Pharmers usually target organizations that operate and maintain the DNS servers that translate domain names into IP addresses.
Pharming Attack
Sourced from Norton Security

How to Identify Pharming?

It is tough to detect a pharming attack, but not impossible. By remaining attentive when browsing the internet, there are subtle ways to identify bogus sites. Some early signs of an attack are:

  • Track your Financial Activities: An unusual financial transaction, such as credit card payments or bank transfers, that you did not perform.
  • Beware of Unidentified Email: Have you received an email from an unknown company, brand, or individual? It is better to leave it as it is, without engaging with them, as it could be from attackers looking for ways to access your system.
  • Pay Heed to URLs: Infected sites use similar URLs to widely-known and used websites to lure unsuspecting users. Check the URL carefully before giving any details on the website.
  • Unusual Activity on Social Media: Unfamiliar or unrecognized activity on your social media account can be a pharming attack.
  • Subtle Changes on a Website: A minimal change in letters and numbers often does not attract attention or suspicion. If you come across a website with minor alterations in color, logo, or typos, do not use it.
  • Unfamiliar Applications: If you spot a new application or program you did not download, it entails a hacker has accessed your system.
  • Unauthorized Password Changes: Random password changes imply that someone has hacked your system. When attackers get access to the system, they may change passwords to hinder you from logging in.

How Can Organizations Prevent Pharming?

Update the Servers Regularly

The DNS server is the most vulnerable component as attackers use it to branch out to other systems. You can only install a cybersecurity application to prevent malware-based pharming and malicious sites from corrupting the DNS. However, if your DNS server is outdated and old, it is imperative to keep them up-to-date to steer clear of potential online attacks and risks. You can implement DMARC authentication tools like TDMARC from Threatcop to modify your domain’s reputation.

Use a Strong Password

If you want to protect your DNS server, consider changing the password and setting one that is easy to remember yet hard to guess. To keep your password safe, your first and foremost step should be to make sure the password is very strong, complex, and impossible to guess. You can use a passphrase, which is a string of words almost impossible to decode, even with password-cracking applications.

Examine the Linked Software

When you run a business, it is natural to use several software, web-based applications, etc., to carry out disparate processes. However, you must ensure that the software and applications are legitimate and credible. Moreover, stay careful when linking applications and software with your system. Most of the pharming attacks occur by intercepting the connecting routes. So, ensure the connection is secure before initiating any crucial process.

Pay attention to the URL

Several hackers rely on human errors to execute their algorithms. They do not mess with your entire DNS server; instead, they send links with small and unnoticeable typos. You must examine the URL of the website before engaging with it. URLs with “HTTPS” denote a reliable, certified, and secured site. However, to confuse and trap targets, hackers often use a similar URL but remove the letter “S” from it. If you are on a website with an address beginning with “HTTP” in place of “HTTPS,” you are at risk.

Educate employees

It does not have to be your company’s website, IT or security team to retrieve sensitive information or tamper with your data. Any employee with access to high-level data can fall prey to hackers and unintentionally open the door to the organization’s network. Do not only train and orient your IT team; educate every employee on how to protect the company’s network from potential threats and attacks.

You can employ cybersecurity awareness training for your employees, to eradicate the possibility of a security breach.

Vigilance and Awareness is Best Defense Against Pharming

Hackers are employing new strategies to implement a pharming attack, and it has become one of the most harmful and common cyber attacks. However, just because they have a few wins under their sleeves does not mean you are an easy target and should bow down to them. Implementing correct strategies with accuracy will do the trick just fine. If you are still hesitant or dubious, seek professional assistance to protect your business from scams. The prime notion of these help is to safeguard your organization integrity by strengthening defense at employee level.

Employees are an integral part of a business and largely contribute to its success. Exposing them to cybercrimes will prepare them for any real cyber attacks. Threatcop endeavors to make your organization’s workforce into a robust defense line against cyberattacks by providing you with their cutting-edge people-centric security solutions. Security tools like TSAT will help you to evaluate the level of vulnerability in your organization and the tool provides a comprehensive learning management system to improve cybersecurity awareness of your employees.

What can you expect from the above-mentioned security solution? Here are a few implicit services and features:

  • The best solution against pharming is to simulate dummy attacks on your employees to familiarize them with cybercrime.
  • Real-time cybersecurity risk updates of your organization
  • Training programs to make your employees resistant to pharming attacks.
  • Customizable dashboard that suits your requirements.

Frequently Asked Questions

What facilitates a pharming attack?

Malware and viruses facilitate a pharming attack. Hackers install malicious malware on the target’s system or open network to gain access.

How can I identify a pharming attack?

The easiest way to detect a pharming attack is by paying attention to the IP address of a website. Sites containing “http” in their address are bogus. Do not engage with websites comprising an unusual IP address. Moreover, if you encounter any unusual finance-related activity or unauthorized access to your social media accounts, it also entails an imminent pharming attack.

Are there different types of pharming?

Yes, there are two types of pharming: Malware-based pharming and DNS server poisoning or corruption.

Why is it called pharming?

Pharming is a mixture of two words: “phishing” and “farming.” It works similarly to phishing, an online scam where a user is directed to a bogus website to steal information.

--

--

threatcop

Threatcop is a cybersecurity company that provides security solutions to businesses to protect them against email-based attacks and social engineering attacks.