What is pharming and how to protect yourself
Pharming is a form of online fraud involving malicious code and fraudulent websites. Cybercriminals install malicious code on your computer or server. The code automatically directs you to bogus websites without your knowledge or consent.
The goal is to get you to provide personal information, like payment card data or passwords, on the false websites. Cybercriminals could then use your personal information to commit financial fraud and identity theft.
How can you help protect yourself against pharming? Here’s some information and tips that can help.
What is pharming?
Pharming combines the words “phishing” and “farming.” This cybercrime is also known as “phishing without a lure.”
Phishing is an online fraud scheme where a cybercriminal hopes you’ll click on a compromised email link which takes you to a fake site where you then enter your access credentials — such as your username and password. If you do, the fraudster can then access the real site and steal your personal information there.
Pharming, on the other hand, is a two-step process. One, cybercriminals install malicious code on your computer or server. Two, the code sends you to a bogus website, where you may be tricked in providing personal information. Computer pharming doesn’t require that initial click to take you to a fraudulent website. Instead, you’re redirected there automatically. The fraudster has immediate access to any personal information you enter on the site.
How pharming works
Pharming exploits the mechanics of Internet browsing. To understand how pharming works, it’s important to understand how Domain Name System (DNS) servers work.
DNS servers translate domain names into IP addresses. While websites use domain names for their addresses, an IP address denotes their actual location. Your web browser then connects to the server with this IP address.
Once you visit a certain website, a DNS cache forms so you don’t have to visit the server each time you return to the site. Both the DNS cache and the DNS server can be corrupted by pharming. This can result in two types of pharming.
In this case, you may pick up a Trojan or virus via a malicious email or download. The malware then covertly reroutes you to a fake site created and controlled by fraudsters when you type in your intended website address.
In this form of pharming, malicious code sent in an email can change your computer’s local host files. These corrupted host files can then direct your computer to fraudulent sites regardless of the Internet address you type.
DNS server poisoning
Domain Name Systems are computers on the Internet that direct your website request to the right IP address. A rogue, corrupted DNS server, however, can direct network traffic to an alternate, fake IP address.
This pharming scam doesn’t rely on corrupting individual files, but rather occurs at the DNS server level by exploiting a vulnerability. The DNS table is essentially poisoned, so you’re being redirected to fraudulent websites without your knowledge.
If a large DNS server is corrupted, cybercriminals could target and scam an even larger group of victims.
How to protect yourself against pharming
A good place to start is to install and run reputable antivirus and anti-malware security software with browser monitoring to help detect malware threats and protect your devices against emerging threats. But keep in mind not all antivirus and spyware removal software can protect against pharming, so additional anti-pharming measures may be needed.
Here are some anti-pharming safeguards.
- Ensure you are using secure web connections (look for https in the web address)
- Be cautious when opening links or attachments that you weren’t expecting or that are from an unfamiliar sender
- Avoid suspicious websites
- Enable two-factor authentication on sites that offer it
- Use a reputable internet service provider, whenever possible
- Use a VPN service that has reputable DNS servers
- Change the default password on your consumer-grade routers and wireless access points
If you suspect you’re already a victim of pharming, you can try resetting your computer to reset your DNS entries.
Look for the signs of pharming
Here are two signals of pharming.
- An unsecure connection. If your site address says “http” instead of “https” in the address line, the website may be corrupted.
- A website that doesn’t seem right. If the site you’re on has spelling errors, unfamiliar font or colors, or otherwise just doesn’t seem legitimate, it may not be.
Examples of pharming
A real-world example of pharming was reported by Symantec in 2008 with the first case of a “drive-by” pharming attack on a Mexican bank.
In this case, hackers changed the DNS settings on a customer’s unsecure, home-based broadband router via an email that appeared to be from a legitimate Spanish-language greeting card company.
The malicious code in the email changed the user’s router to redirect their web browser to the attacker’s fake, fraudulent bank site.
Another example of a more sophisticated pharming attack occurred in 2017, when more than 50 financial institutions found themselves to be the recipients of a pharming attack that exploited a Microsoft vulnerability, creating fraudulent websites that mimicked the bank sites targeted.
The victims — online customers in the United States, Europe and Asia-Pacific — were lured to a website with malicious code that then downloaded a Trojan along with five files from a Russian server.
When these customers visited the fake sites from their infected computers, their account login information was sent to the Russian servers. This pharming attacked infected approximately 3,000 PCs in a three-day period.
As these cyberattacks show, pharming could be a major threat for people using e-commerce and online banking websites.
That’s why it’s important to know about pharming and learn what you can do to help protect against it.
All-in-one protection. All for one low price.
Security for your devices, your online privacy, and your identity. NortonTM 360 with LifeLockTM
Editorial note: Our articles provide educational information for you. Norton LifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.
Norton by Symantec is now Norton LifeLock. LifeLock™ identity theft protection is not available in all countries.
Copyright © 2019 Symantec Corporation. All rights reserved. Symantec, the Symantec logo, the Checkmark logo, Norton, Norton by Symantec, LifeLock and the LockMan logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the United States and other countries. App Store is a service mark of Apple Inc. Microsoft and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution Licence. Other names may be trademarks of their respective owners.