What is pharming and how to protect yourself
Sept. 12, 2019
Pharming is a form of online fraud involving malicious code and fraudulent websites. Cybercriminals install malicious code on your computer or server. The code automatically directs you to bogus websites without your knowledge or consent.
The goal is to get you to provide personal information, like payment card data or passwords, on the false websites. Cybercriminals could then use your personal information to commit financial fraud and identity theft.
How can you help protect yourself against pharming? Here are some tips and information that can help.
What is pharming?
Pharming combines the words “phishing” and “farming.” This cybercrime is also known as “phishing without a lure.”
Phishing is an online fraud scheme where a cybercriminal hopes you’ll click on a compromised email link which takes you to a fake site where you then enter your access credentials — such as your username and password. If you do, the fraudster can then access the real site and steal your personal information there.
Pharming, on the other hand, is a two-step process. One, cybercriminals install malicious code on your computer or server. Two, the code sends you to a bogus website, where you may be tricked into providing personal information. Computer pharming doesn’t require that initial click to take you to a fraudulent website. Instead, you’re redirected there automatically. The fraudster has immediate access to any personal information you enter on the site.
How pharming works
Pharming exploits the mechanics of Internet browsing. To understand how pharming works, it’s important to understand how Domain Name System (DNS) servers work.
DNS servers translate domain names into IP addresses. While websites use domain names for their addresses, an IP address denotes their actual location. Your web browser then connects to the server with this IP address.
Once you visit a website, your computer stores the lookup result in a DNS cache so it doesn’t have to query the DNS server each time you return to the site. Both the DNS cache and the DNS server can be corrupted by pharming. This can result in two types of pharming.
In the first type, which relies on malware on your own computer, you may pick up a Trojan or virus via a malicious email or download. The malware then covertly reroutes you to a fake site created and controlled by fraudsters when you type in your intended website address.
In this form of pharming, malicious code sent in an email can change your computer’s local hosts file. A corrupted hosts file can then direct your computer to fraudulent sites regardless of the Internet address you type.
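The hosts-file tampering described above can be checked for directly. The following Python sketch is an added example, not part of the original article: it parses hosts-file text and reports every hostname pinned to a non-loopback address so the entry can be reviewed. The sample file, the `.example` hostnames, the documentation-range addresses and the function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file; names use the reserved .example TLD and
# addresses come from documentation ranges. Nothing here is from the article.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1      localhost
::1            localhost ip6-localhost
127.0.1.1      workstation
0.0.0.0        ads.tracker.example    # ad-block style sinkhole
203.0.113.45   www.bank.example bank.example
198.51.100.7   login.mail.example     # unexplained entry
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for each usable entry, skipping comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: not a usable mapping
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]

def audit_hosts(text, allowed=None):
    """Return (line_no, hostname, ip) for names pinned to a non-local address.

    allowed is an optional {hostname: ip} map of overrides the machine's
    owner added on purpose (hypothetical parameter for this example).
    """
    allowed = allowed or {}
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # localhost and sinkhole entries keep traffic on this machine
        for name in names:
            if "." not in name:
                continue  # single-label names such as the machine's own hostname
            if allowed.get(name) == str(ip):
                continue
            findings.append((line_no, name, str(ip)))
    return findings

if __name__ == "__main__":
    for line_no, name, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is pinned to {ip}; confirm this entry is intentional")
```

On a real machine the file to audit is `/etc/hosts` on Linux and macOS and `C:\Windows\System32\drivers\etc\hosts` on Windows. A finding is a prompt to review the entry, since some overrides are added on purpose.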
DNS server poisoning
DNS servers are computers on the Internet that direct your website request to the right IP address. A rogue, corrupted DNS server, however, can direct network traffic to an alternate, fake IP address.
This pharming scam doesn’t rely on corrupting individual files, but rather occurs at the DNS server level by exploiting a vulnerability. The DNS table is essentially poisoned, so you’re being redirected to fraudulent websites without your knowledge.
If a large DNS server is corrupted, cybercriminals could target and scam an even larger group of victims.
How to protect yourself against pharming
A good place to start is to install and run reputable antivirus and anti-malware security software with browser monitoring to help detect malware threats and protect your devices against emerging threats. But keep in mind not all antivirus and spyware removal software can protect against pharming, so additional anti-pharming measures may be needed.
Here are some anti-pharming safeguards.
- Ensure you are using secure web connections (look for https in the web address)
- Be cautious when opening links or attachments that you weren’t expecting or that are from an unfamiliar sender
- Avoid suspicious websites
- Enable two-factor authentication on sites that offer it
- Use a reputable internet service provider, whenever possible
- Use a VPN service that has reputable DNS servers
- Change the default password on your consumer-grade routers and wireless access points
If you suspect you’re already a victim of pharming, you can try resetting your computer to reset your DNS entries.
Look for the signs of pharming
Here are two signals of pharming.
- An unsecure connection. If your site address says “http” instead of “https” in the address line, the website may be corrupted.
- A website that doesn’t seem right. If the site you’re on has spelling errors, unfamiliar font or colors, or otherwise just doesn’t seem legitimate, it may not be.
Examples of pharming
An example of a sophisticated pharming attack occurred in 2017, when more than 50 financial institutions found themselves to be the recipients of a pharming attack that exploited a Microsoft vulnerability, creating fraudulent websites that mimicked the bank sites targeted.
The victims — online customers in the United States, Europe and Asia-Pacific — were lured to a website with malicious code that then downloaded a Trojan along with five files from a Russian server.
When these customers visited the fake sites from their infected computers, their account login information was sent to the Russian servers. This pharming attack infected approximately 3,000 PCs in a three-day period.
As these cyberattacks show, pharming could be a major threat for people using e-commerce and online banking websites.
That’s why it’s important to know about pharming and learn what you can do to help protect against it.
Editorial note: Our articles provide educational information for you. NortonLifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.