Pharming, also known as "phishing without a lure," is a cyberattack that redirects traffic from a legitimate website to a fraudulent one. It is harder to identify than phishing because the victim is not tricked into taking any action.
Pharming is a cyberattack intended to redirect a website's traffic to a fake site and install a malicious program on the victim's computer to steal sensitive information such as login credentials, financial details, or personal information.
Pharming attacks can be more sophisticated and harder to detect compared to phishing attacks because they do not rely on tricking users into clicking on malicious links in emails or messages. Instead, users are directed to fake websites even when they enter the correct web address in their browser's address bar.
Pharming typically works through two main methods: DNS-based pharming and host file modification.
The FBI recently explained how phishing occurs, saying a business "might receive an email that appears to be from a legitimate business and is asking you to update or verify your personal information by replying to the email or visiting a website. The web address might look similar to one you've used before. The email may be convincing enough to get you to take the action requested." Clicking on the provided link redirects to a counterfeit webpage that appears almost identical to authentic ones. The fake website will ask for confidential details like login credentials, banking PINs, and credit card numbers. "These fake websites are used solely to steal your information."
DNS-based pharming
In DNS-based pharming, attackers compromise the Domain Name System (DNS) infrastructure, which is responsible for translating domain names (e.g., www.example.com) into IP addresses (e.g., 192.0.2.1) that computers use to locate servers on the internet.
Attackers may exploit vulnerabilities in DNS servers, routers, or the domain registration process to change the DNS records of legitimate websites. They modify the DNS entries to redirect users to malicious websites controlled by the attackers instead of the intended legitimate websites.
When users try to access a legitimate website by typing its domain name into their web browser, they are unknowingly directed to the attacker's fraudulent website, where their sensitive information may be harvested.
In 2019, Volunteers for Venezuela, a humanitarian aid campaign by Venezuelan politician Juan Guaidó, fell victim to a pharming attack that used the DNS manipulation approach. A few days after the launch of the volunteer registration website, a fake website mirroring the original site was created. The fraudulent website had a domain name and structure similar to the original website.
According to SecureList, who reported on the attack, "...the scariest part is that these two different domains with different owners are resolved within Venezuela to the same IP address, which belongs to the fake domain owner."
Regardless of whether a volunteer accessed a genuine or fraudulent domain, they ultimately provided their personal information to the fake website.
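The Venezuela case shows the two signals a defender can look for in DNS-based pharming: the local resolver's answer for a domain disagrees with independent resolvers, and unrelated domains resolve to the same address. The following added example (not code from the original article) checks both over constructed resolver answers; the domain names and addresses are placeholders from reserved documentation ranges, and in practice the answer sets would be collected by querying each resolver.

```python
"""Detect DNS-based pharming by comparing answers from several resolvers.

Added example, not from the original article. Real checks would query the
resolvers over the network; here the answers are constructed inline so the
check runs offline. Names and addresses are placeholders from the reserved
documentation ranges, not the real sites mentioned in the article.
"""
from collections import defaultdict

# Constructed sample: {resolver: {domain: set of A-record addresses}}.
# "local" plays the in-country resolver returning a manipulated answer;
# "ref-a" and "ref-b" are independent reference resolvers.
SAMPLE_ANSWERS = {
    "local": {"volunteers.example.org": {"198.51.100.7"},
              "volunteers-fake.example.net": {"198.51.100.7"},
              "www.example.com": {"192.0.2.1"}},
    "ref-a": {"volunteers.example.org": {"192.0.2.44"},
              "volunteers-fake.example.net": {"198.51.100.7"},
              "www.example.com": {"192.0.2.1"}},
    "ref-b": {"volunteers.example.org": {"192.0.2.44"},
              "volunteers-fake.example.net": {"198.51.100.7"},
              "www.example.com": {"192.0.2.1"}},
}


def divergent_domains(answers, local="local", reference=("ref-a", "ref-b")):
    """Return {domain: (local_ips, reference_ips)} where the local resolver's
    answer shares no address with any reference resolver's answer."""
    flagged = {}
    for domain, local_ips in answers[local].items():
        ref_ips = set()
        for resolver in reference:
            ref_ips |= answers[resolver].get(domain, set())
        if ref_ips and not (local_ips & ref_ips):
            flagged[domain] = (sorted(local_ips), sorted(ref_ips))
    return flagged


def shared_ip_domains(answers, resolver="local"):
    """Return {ip: [domains]} for addresses that one resolver hands out for
    more than one domain, the pattern SecureList observed in Venezuela."""
    by_ip = defaultdict(set)
    for domain, ips in answers[resolver].items():
        for ip in ips:
            by_ip[ip].add(domain)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}
```

Many legitimate domains share an address (shared hosting, CDNs), so the shared-IP result is a triage signal to pair with the divergence check, not proof on its own.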
Host file modification
Another method of pharming involves modifying the host file on a victim's computer. The host file is a local file that maps hostnames to IP addresses and is consulted before DNS. By altering this file, attackers can redirect requests for legitimate websites to their own malicious servers.
Attackers may accomplish this by infecting the victim's computer with malware, such as a virus or Trojan horse, which modifies the host file without the user's knowledge.
When the victim attempts to access a legitimate website, their computer consults the altered host file and is directed to the attacker's fraudulent website instead.
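A straightforward defensive check is to audit the host file for entries that pin important domains to anything other than a loopback address. The following added example (not code from the original article) parses a constructed host file and flags such entries; the domain names, addresses and the WATCHED_DOMAINS list are placeholders an organisation would replace with its own.

```python
"""Audit a hosts file for entries that override well-known domains.

Added example, not from the original article. The hosts content below is
constructed and the domain and address values are placeholders.
"""
import ipaddress

# Real file: /etc/hosts (Unix) or C:\Windows\System32\drivers\etc\hosts (Windows).
# Constructed sample; the last two entries are the kind that hosts-file
# pharming malware adds to pin a site to an attacker-controlled address.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
::1          localhost ip6-localhost
192.168.1.10 printer.lan          # internal host, legitimate pin

198.51.100.7 www.bank.example.com bank.example.com
198.51.100.7 login.mail.example.net
"""

# Domains the defender cares about: the organisation's own public services
# and critical third parties. These should never be pinned in a hosts file.
WATCHED_DOMAINS = {"www.bank.example.com", "login.mail.example.net"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip)] for watched domains pinned to a non-loopback
    address; loopback pins are the usual way to block a site, not hijack it."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            loopback = False  # malformed address: still worth a look
        if name in watched and not loopback:
            flagged.append((name, ip))
    return flagged
```

Endpoint agents and file-integrity monitoring can run the same check on a schedule and alert on any change to the file, since a legitimate host file on a workstation rarely changes at all.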
Organizations are likely to fall victim to phishing scams as their employees, the last line of defense, may not be able to recognize a phishing email. CISA found that "8/10 organizations had at least one individual who fell victim to a phishing attempt by CISA Assessment teams."
The FBI's Internet Crime Complaint Center (IC3) found phishing to be the most prevalent threat in the US: its recent Internet Crime Report counted 323,972 victims of phishing, including vishing, SMiShing, and pharming, in 2022.
In 2021, the Office for Civil Rights (OCR) settled a case that involved a phishing attack on Lafourche Medical Group, a Louisiana-based medical group, affecting about 35,000 patients.
Unauthorized access led to protected health information (PHI) being obtained from an email account. After investigating the incident, OCR discovered that Lafourche had violated HIPAA regulations by neglecting to conduct a risk analysis to recognize potential threats and vulnerabilities before the breach occurred. As part of their corrective action plan towards resolving this issue, Lafourche has agreed to pay $480,000 directly as compensation to OCR.
OCR Director Melanie Fontes Rainer said, "Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information."
Phishing is a common tactic in cyberattacks, with about 42% of ransomware attacks involving phishing. Rainer continued, saying, "It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks."
The settlement signals that the OCR will hold organizations accountable for preventable breaches, including fines for non-compliance with security measures.
Pharming attacks can originate from various sources, and attackers may employ different techniques to carry out these malicious activities. The most common sources are the two described above: compromised DNS infrastructure (servers, routers, or the domain registration process) and malware that alters the host file on the victim's computer.
Defending against pharming attacks requires a combination of technical measures, user education, and proactive security practices. The points below cover how to recognize a fake website, the signs of an attack in progress, and what DNSSEC can and cannot do.
You can determine if a website is fake by examining its URL for misspellings or unusual variations and checking for HTTPS encryption. You can also assess the overall design, content quality, and presence of contact information for legitimacy.
Signs of a pharming attack include unexpected website redirects, warnings from security software, unusual DNS queries or responses, changes to DNS records, or requests for sensitive information through unsolicited emails or messages.
While DNSSEC enhances DNS security by providing authentication and data integrity for DNS responses, it cannot completely prevent all types of DNS-based attacks, including pharming. However, DNSSEC can significantly reduce the risk of DNS cache poisoning and other DNS-related exploits.