What is pharming?

Pharming, also known as "phishing without a lure," is a cyber attack that redirects website traffic from legitimate websites to fraudulent ones. This cyberattack is more difficult to identify, as the victim is not manipulated into anything. 

Understanding pharming

Pharming is a cyberattack intended to redirect a website's traffic to a fake site and install a malicious program on the victim's computer to steal sensitive information such as login credentials, financial details, or personal information. 

Pharming attacks can be more sophisticated and harder to detect compared to phishing attacks because they do not rely on tricking users into clicking on malicious links in emails or messages. Instead, users are directed to fake websites even when they enter the correct web address in their browser's address bar.

Pharming typically works through two main methods: DNS-based pharming and host file modification.

The FBI recently explained how phishing occurs, saying a business "might receive an email that appears to be from a legitimate business and is asking you to update or verify your personal information by replying to the email or visiting a website. The web address might look similar to one you've used before. The email may be convincing enough to get you to take the action requested." Clicking on the provided link redirects to a counterfeit webpage that appears almost identical to authentic ones. The fake website will ask for confidential details like login credentials, banking PINs, and credit card numbers. "These fake websites are used solely to steal your information."

DNS-based pharming

In DNS-based pharming, attackers compromise the Domain Name System (DNS) infrastructure, which is responsible for translating domain names (e.g., www.example.com) into IP addresses (e.g., 192.0.2.1) that computers use to locate servers on the internet.

Attackers may exploit vulnerabilities in DNS servers, routers, or the domain registration process to change the DNS records of legitimate websites. They modify the DNS entries to redirect users to malicious websites controlled by the attackers instead of the intended legitimate websites.

When users try to access a legitimate website by typing its domain name into their web browser, they are unknowingly directed to the attacker's fraudulent website, where their sensitive information may be harvested.

In 2019, Volunteers for Venezuela, a humanitarian aid campaign by Venezuelan politician Juan Guaidó, fell victim to a Pharming attack that used the DNS Manipulation approach. A few days after the launch of the volunteer registration website, a fake website mirroring the original account was created. The fraudulent website has a domain name and structure similar to the original website.

According to SecureList, who reported on the attack, "...the scariest part is that these two different domains with different owners are resolved within Venezuela to the same IP address, which belongs to the fake domain owner." 

Regardless of whether a volunteer accessed a genuine or fraudulent domain, they ultimately provided their personal information to the fake website.

Host file modification

Another method of pharming involves modifying the host file on a victim's computer. The host file is a local file that maps IP addresses to domain names. By altering this file, attackers can redirect requests for legitimate websites to their own malicious servers.

Attackers may accomplish this by infecting the victim's computer with malware, such as a virus or Trojan horse, which modifies the host file without the user's knowledge.

When the victim attempts to access a legitimate website, their computer consults the altered host file and is directed to the attacker's fraudulent website instead.

Phishing statistics

Organizations are likely to fall victim to phishing scams as their employees, the last line of defense, may not be able to recognize a phishing email. CISA found that "8/10 organizations had at least one individual who fell victim to a phishing attempt by CISA Assessment teams." 

The FBI's Internet Crime Complaint Center found phishing to be the most prevalent threat in the US. Their recent Internet Crime Report found that phishing, including vishing, SMiShing, and pharming, is the most prevalent threat in the US, with 323,972 victims in 2022. 

In the news

In 2021, The Office for Civil Rights (OCR) settled a case that involved a phishing attack on Lafourche Medical Group, a Louisiana-based medical group, affecting about 35,000 patients. 

Unauthorized access led to protected health information (PHI) being obtained from an email account. After investigating the incident, OCR discovered that Lafourche had violated HIPAA regulations by neglecting to conduct a risk analysis to recognize potential threats and vulnerabilities before the breach occurred. As part of their corrective action plan towards resolving this issue, Lafourche has agreed to pay $480,000 directly as compensation to OCR.

OCR Director Melanie Fontes Rainer said, "Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information." 

Phishing is a common tactic in cyberattacks, with about 42% of ransomware attacks involving phishing. Rainer continued, saying, "It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks."

The settlement signals that the OCR will hold organizations accountable for preventable breaches, including fines for non-compliance with security measures.

Go deeper: OCR settles landmark phishing case that affected 35,000 patients

Common sources of pharming

Pharming attacks can originate from various sources, and attackers may employ different techniques to carry out these malicious activities. Some common sources of pharming include:

• Compromised DNS servers: Attackers may exploit vulnerabilities in DNS servers to manipulate DNS records, redirecting users to fraudulent websites instead of legitimate ones through techniques like DNS cache poisoning or DNS spoofing.
• Malicious software (malware): Malware, such as viruses, Trojans, or rootkits, may modify the host file or alter the DNS settings on the victim's system to redirect web traffic to malicious websites controlled by the attackers.
• Rogue Wi-Fi networks: Attackers can set up rogue Wi-Fi networks, often in public places like cafes, airports, or hotels, with names similar to legitimate networks. When users connect to these rogue networks, their internet traffic can be intercepted and redirected to malicious websites through DNS manipulation or other techniques.
• Compromised websites: Attackers may compromise legitimate websites by injecting malicious code. This code can perform various actions, including redirecting visitors to phishing or fraudulent websites without their knowledge.
• Domain hijacking: Attackers may hijack domain names by gaining unauthorized access to domain registrar accounts or exploiting weaknesses in the domain registration process. Once they control the domain, they can modify DNS records to redirect traffic to malicious websites.

See also: HIPAA Compliant Email: The Definitive Guide

Defending against pharming

Defending against pharming attacks requires a combination of technical measures, user education, and proactive security practices. Here are some strategies to help protect against pharming:

• Use secure DNS services: Choose a reputable and secure DNS service provider that offers features like DNSSEC (Domain Name System Security Extensions) to authenticate DNS responses and prevent DNS spoofing attacks.
• Implement DNS filtering: Use DNS filtering solutions to block access to known malicious websites and prevent users from accessing fraudulent domains associated with pharming attacks.
• Regularly update systems and software: Keep operating systems, web browsers, antivirus software, and other applications up to date with the latest security patches and updates to protect against known vulnerabilities that attackers could exploit.
• Monitor DNS traffic: Monitor DNS traffic for signs of suspicious activity, such as unusual DNS queries or responses, which could indicate a pharming attack in progress. Implement intrusion detection systems (IDS) or security information and event management (SIEM) solutions to detect and respond to anomalous DNS behavior.
• Use HTTPS: Encourage the use of Hypertext Transfer Protocol Secure (HTTPS) for all website communications to encrypt data in transit and protect against man-in-the-middle attacks, including those facilitated by pharming.
• Employ network segmentation: Segment networks to isolate critical systems and sensitive data from potentially compromised areas. Use firewalls, access controls, and network segmentation strategies to limit the impact of pharming attacks and prevent lateral movement by attackers.
• Educate users: Provide comprehensive cybersecurity awareness training to employees and users to help them recognize phishing emails, suspicious websites, and other social engineering tactics used in pharming attacks. Encourage users to verify website URLs, look for HTTPS indicators, and avoid clicking on links in unsolicited emails or messages.
• Implement multi-factor authentication (MFA): Require users to authenticate using multiple factors, such as passwords, biometrics, or one-time codes, to access sensitive systems and accounts. MFA can help mitigate the risk of credential theft and unauthorized access resulting from pharming attacks.
• Secure domain registrations: Use strong, unique passwords and enable two-factor authentication (2FA) for domain registrar accounts to prevent unauthorized access and domain hijacking attempts. Regularly review domain registration settings and DNS records for any unauthorized changes.
• Report suspicious activity: Encourage users to report any suspicious activity, such as unexpected website redirects or warnings from security software, to the IT security team for investigation and remediation.

FAQs

How can I tell a website is fake?

You can determine if a website is fake by examining its URL for misspellings or unusual variations and checking for HTTPS encryption. You can also assess the overall design, content quality, and presence of contact information for legitimacy. 

What are the signs of a pharming attack?

Signs of a pharming attack include unexpected website redirects, warnings from security software, unusual DNS queries or responses, changes to DNS records, or requests for sensitive information through unsolicited emails or messages.

Can DNSSEC completely prevent DNS-based pharming attacks?

While DNSSEC enhances DNS security by providing authentication and data integrity for DNS responses, it cannot completely prevent all types of DNS-based attacks, including pharming. However, DNSSEC can significantly reduce the risk of DNS cache poisoning and other DNS-related exploits.

Related: What is DNSSEC?