Security

What is pharming, and how can you protect yourself?

Jacob Fox

May 17, 2024 · 9 min read


Pharming is a sophisticated phishing method that redirects a user to a malicious website after they enter a legitimate URL. It does this to trick the user into giving up their personal information or installing malware on their device.

Pharming is usually more difficult to spot than standard phishing attacks, making it imperative that you understand what pharming attacks are, how to spot them, and how to prevent them. Read on to learn everything you need to know.

What is pharming?

The term “pharming” is a blend of “phishing” and “farming.” Pharming is a kind of phishing: an attempt to trick a user into handing over personal information, usually by getting them onto a website that looks legitimate but is in fact a fake set up by the attacker.

A pharming attack attempts to trick you into visiting a fake website and entering your personal information or downloading malware. However, unlike most phishing attacks, it doesn’t require you to click on a link to do so. Instead, you enter the URL for a legitimate website (say, www.google.com) but are redirected to a fake website instead.

Attackers achieve this by tampering with the part of the process that sits between you typing a URL and the intended website being displayed: the translation of the site’s name into a network address. They can do this by manipulating the DNS server that is supposed to answer for that name, your router, or your own device.

Pharming in cybersecurity is not merely a theoretical concept. In fact, over the years, pharming has caused plenty of real-world havoc.

Examples of infamous pharming attacks

Because pharming attacks can affect anyone on a compromised local network — or perhaps even everyone on a compromised service provider’s network — the results of an attack, if successful, can be devastating for many. Here are a few of the biggest and most infamous pharming attacks to make the news.

  • 50-bank pharming attack, 2007: After an elaborate setup that included building fake websites for around 50 banks and getting victims to install some initial malware, attackers redirected users to these fake sites and stole their banking credentials.
  • Brazilian router attacks, 2015: Attackers sent phishing emails to Brazilian users of certain vulnerable home routers. If a recipient clicked the link, the page would try to reach their router’s administration interface from inside the browser and change its DNS settings, so that some future website visits were silently sent to malicious sites.
  • Volunteers for Venezuela, 2019: Attackers targeted the website of the Volunteers for Venezuela movement. Prospective volunteers who typed the genuine address ended up on the attackers’ look-alike site instead, because inside Venezuela the legitimate domain and the fake one resolved to the same IP address, and the details they entered went to the attackers.

How harmful is pharming?

Depending on how successful an attack is, pharming can be very harmful. Because these attacks can affect lots of users at the same time without their knowledge, the scale of an attack can be broad.

Even when a pharming attack targets your network or device rather than a DNS server upstream, it can still affect more than one person. If, for example, the attacker changes the DNS settings on your router rather than on your personal device, everyone on your network is redirected to the malicious websites.

How dangerous it is to land on one of these malicious sites varies. If it’s a fake banking website and you enter your credentials, the attackers can use them to get into your bank account. If you don’t enter any information, you may come to no harm, unless the site has also been set up to push additional malware onto your device the moment it loads.

A screenshot of a browser phishing warning on a site linked to darcula phishing scams.

What is the difference between phishing and pharming?

Phishing is the attempt to trick people into divulging their personal information by pretending to be a trusted person, organization, or institution.

Pharming is the attempt to launch a phishing attack by redirecting attempts at legitimate website visits to spoofed (fake) website visits instead.

Pharming, then, is a kind of phishing. But there are variations that make pharming subtler and harder to combat than more traditional phishing techniques.

Traditional phishing techniques usually require you to click on a dodgy link contained in a fake email or message. Pharming, however, works by redirecting you to a dodgy website after you enter a completely normal and legitimate URL.

Bigger impact

A single successful pharming exploit can have a bigger impact than a traditional phishing campaign. Rather than reaching only the people who click a link, it affects everyone whose lookups pass through the tampered component: all the users on a local network, such as a business network, or even every customer of a compromised DNS resolver, such as an ISP’s.

Harder to detect

Pharming attacks are usually harder to detect than standard phishing attacks. You should be able to spot most phishing attacks by the peculiar email or misspelled link, but once a pharming vulnerability has been exploited, you might not notice there’s anything wrong at all.

How does pharming work?

Pharming works by tricking your computer, your router, or the DNS resolver they rely on (typically your ISP’s) into sending you to a malicious website instead of the one you intended to visit when you typed its URL. For instance, a pharming attack could send you to a fake version of Facebook that steals your personal information, even though you entered www.facebook.com in your browser. It does this by manipulating DNS (Domain Name System) records or your device’s hosts file.

When you enter a URL into your browser, the hostname in it (www.facebook.com, say) has to be converted into an IP address (an IPv4 address such as 192.0.2.10, used here purely as an example, or a longer IPv6 address) before your device can connect. Your device asks a DNS resolver, which is usually your router; the router forwards the question to your ISP’s resolver (or a public one you have configured), which works out the answer from the domain’s authoritative name servers and caches it for a while so that the next lookup is faster. Your browser then connects to whatever address comes back, trusting that it belongs to the site you asked for.

A pharming attack interferes with one of these steps: it changes the records or cached answers held by the ISP’s resolver or your router, swapping a domain’s real IP address for a malicious one; it points your device or router at a resolver the attacker controls; or it makes your device skip DNS entirely by pinning the hostname to the attacker’s address in the local hosts file.

Types of pharming

There are two main kinds of pharming: DNS-based pharming and host-based pharming. While both of these varieties redirect the user from a legitimate URL entry to a malicious website, they go about it in different ways.

DNS-based pharming

DNS-based pharming (also known as DNS hijacking, DNS spoofing, or DNS poisoning) is when an attacker manipulates the DNS answers your router, your ISP, or another resolver gives your device, so that a legitimate name resolves to a malicious address. This can be done by breaking into the DNS server itself, by changing which DNS server your device or router uses, or by poisoning a resolver’s cache.

Here are some examples:

  • DNS server hacking: This occurs when attackers break into the servers that answer your device’s DNS queries, usually run by your ISP or by another company that hosts DNS records. Once they have unauthorized access, they alter the records, and every user who relies on that server gets the poisoned answer.
  • DNS cache poisoning: Here the attacker doesn’t break in at all. Resolvers, from the ISP’s recursive servers down to the home or business router that forwards your queries, remember (cache) the answers to recent lookups so that they can reply faster next time without asking the big DNS servers again. Cache poisoning feeds a resolver a forged answer that it accepts and stores, after which it serves that bogus address to every client until the entry expires.

Host-based pharming

A DNS pharming attack isn’t the only way to redirect a user to a malicious website when they enter a legitimate URL. Most devices have a plain-text “hosts” file that maps specific hostnames to specific IP addresses: /etc/hosts on macOS and Linux, and C:\Windows\System32\drivers\etc\hosts on Windows. Attackers can edit this file to the same effect.

Crucially, any hostname-to-IP mapping in the hosts file is consulted before DNS and overrides it. When you type a hostname that appears in the file, your device connects straight to the listed IP address without asking any DNS server, even if DNS would have given a completely different answer.

A host-based pharming attack exploits this by adding a line that maps a hostname you are likely to type (www.google.com, say, or your bank’s website) to the IP address of a malicious server, such as one hosting a spoofed copy of your bank’s site. The next time you go to that website, your device checks the hosts file first and sends you to the malicious site instead. Because it only needs write access to one file, this is a common job for malware that has already landed on the machine.
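Both DNS-based and host-based pharming leave traces in files you can inspect on the machine itself. The following script, added here as an example and not code from the article or from Moonlock, audits the two local points of attack described above: it flags hosts-file lines that pin an internet-style hostname to anything other than loopback, and it lists nameservers in a resolv.conf-style resolver configuration that you did not put there (the classic footprint of a “DNS changer”). The hosts and resolver contents below are constructed samples; the hostnames and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges standing in for an attacker’s server, not real infrastructure.

```python
import ipaddress
import os

# Constructed sample of a tampered hosts file (illustrative, not from any real incident).
# 203.0.113.0/24 is reserved for documentation and stands in for an attacker's server.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# lines an attacker added: bank and webmail hostnames pinned to an outside address
203.0.113.45    www.examplebank.com examplebank.com
203.0.113.45    mail.example.com
192.168.1.20    nas.local
"""

# Constructed sample of resolver settings in /etc/resolv.conf syntax: the router plus one
# nameserver the user never configured (198.51.100.0/24 is also a documentation range).
SAMPLE_RESOLV = """\
search home.arpa
nameserver 192.168.1.1
nameserver 198.51.100.7
"""

LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCAL_SUFFIXES = (".local", ".home.arpa", ".lan", ".localdomain")


def parse_hosts(text):
    """Yield (ip_address, [hostnames]) for every usable line of a hosts file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed line; the resolver ignores it too
        yield ip, parts[1:]


def suspicious_hosts_entries(text):
    """Flag hosts entries that pin an internet-style hostname (contains a dot, no local
    suffix) to anything other than a loopback address.
    Returns a list of (hostname, ip, 'lan' | 'outside')."""
    flagged = []
    for ip, names in parse_hosts(text):
        if ip.is_loopback:
            continue
        where = "lan" if any(ip in net for net in LAN_RANGES) else "outside"
        for name in names:
            name = name.lower()
            if name == "localhost" or "." not in name or name.endswith(LOCAL_SUFFIXES):
                continue
            flagged.append((name, str(ip), where))
    return flagged


def unexpected_resolvers(text, allowed):
    """Return nameserver addresses (resolv.conf syntax) that are not in `allowed`, i.e.
    resolvers neither you nor your router configured. A DNS-changer typically adds one."""
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    unexpected = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                ip = ipaddress.ip_address(parts[1])
            except ValueError:
                continue
            if ip not in allowed_ips:
                unexpected.append(str(ip))
    return unexpected


def audit(hosts_text, resolv_text, allowed_resolvers):
    """Combine both checks into one report."""
    return {
        "hosts": suspicious_hosts_entries(hosts_text),
        "resolvers": unexpected_resolvers(resolv_text, allowed_resolvers),
    }


if __name__ == "__main__":
    # Run against the constructed samples; feed it the real files to audit your own machine
    # (/etc/hosts on macOS and Linux, C:\Windows\System32\drivers\etc\hosts on Windows).
    print(audit(SAMPLE_HOSTS, SAMPLE_RESOLV, allowed_resolvers=["192.168.1.1"]))
    if os.path.exists("/etc/hosts"):
        with open("/etc/hosts", encoding="utf-8", errors="replace") as f:
            print("this machine:", suspicious_hosts_entries(f.read()))
```

Run on the samples, the report lists the three bank and webmail names pinned to 203.0.113.45 as “outside” and 198.51.100.7 as an unexpected resolver. Entries that point a public-looking name at a LAN address are reported too, tagged “lan”, because a compromised machine on your own network is just as good a landing spot for an attacker; decide for yourself whether such lines (common in office split-horizon setups) are expected. On macOS, /etc/resolv.conf is not the authoritative resolver configuration; check the output of `scutil --dns` or the DNS tab in Network settings, and check the DNS servers configured on your router’s admin page as well.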

Common pharming attack signs to look for

One sign that you’ve been pharmed is unusual account activity, as this might indicate that someone’s already stolen your personal information and gained access to your accounts. By this point, however, the attack has already been successful.

The following are some signs of a pharming attack to look out for that can help you prevent the attackers from accessing your information in the first place.

HTTP instead of HTTPS

Almost every site you log in to today loads over HTTPS, and browsers mark plain-HTTP pages with a “Not secure” label (the lock icon that used to signal HTTPS has been replaced by a generic site-information icon in some browsers, so go by the URL and the warning label rather than the icon alone). If a site that normally uses HTTPS suddenly loads over HTTP, anything you type is sent unencrypted, and that downgrade is a warning sign: a spoofed site served from a pharmed address cannot present a valid certificate for the real hostname, so attackers sometimes serve the copy over plain HTTP instead.

SSL certificate errors and privacy errors

If you see a certificate warning such as “Your connection is not private” on a site you use regularly, treat it as a possible sign of pharming, and never click through it on a banking, email, or work login page. (These warnings do also occur for innocuous reasons: an expired certificate, a wrong clock on your device, or a hotel or airport captive portal intercepting traffic until you log in.)

The reason this check is so useful is that TLS (the successor to SSL; the old name is still widely used) ties a certificate to a hostname. A certificate authority will only issue a certificate for www.yourbank.com to someone who proves control of that domain, so a server you reach through a poisoned DNS answer or a doctored hosts file can’t present a valid certificate for the name you typed. Your browser compares the hostname in the address bar with the names in the certificate, and when they don’t match, or the certificate isn’t signed by a trusted authority, it throws the privacy error. This is the one signal a pharming attack cannot easily fake.
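To make the certificate check concrete, here is the hostname comparison a browser performs, written out as an added example (not code from the article or from Moonlock). The two certificate summaries are constructed in the shape that Python’s `ssl.SSLSocket.getpeercert()` returns; `examplebank.com` and `attacker.example` are illustrative names, not real sites. The offline functions show why an attacker’s certificate never covers the name you typed; `check_live` performs the real network check with Python’s default TLS context, which verifies both the trust chain and the hostname.

```python
import socket
import ssl

# Constructed certificate summaries in the shape returned by ssl.SSLSocket.getpeercert().
# Neither describes a real certificate; the hostnames are illustrative.
GENUINE_BANK_CERT = {
    "subject": ((("commonName", "www.examplebank.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "www.examplebank.com"), ("DNS", "examplebank.com")),
}
# What a pharmed site can present: a certificate for a name the attacker actually controls
# (or a self-signed one). Either way the name you typed is not in it.
ATTACKER_CERT = {
    "subject": ((("commonName", "login.attacker.example"),),),
    "subjectAltName": (("DNS", "login.attacker.example"), ("DNS", "*.attacker.example")),
}


def hostname_matches(pattern, hostname):
    """RFC 6125 style dNSName comparison: case-insensitive, and a wildcard is accepted only
    as the entire leftmost label, matching exactly one label. So *.example.com covers
    www.example.com but not example.com or a.b.example.com, and *.com is rejected."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_hostname(cert, hostname):
    """True if any SAN dNSName entry matches the hostname. Only the SAN list counts:
    browsers stopped trusting the subject CN years ago, so a matching CN alone is not enough."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(hostname_matches(p, hostname) for p in sans)


def check_live(hostname, port=443, timeout=5.0):
    """Network check. The default context requires a chain to a trusted CA and a hostname
    match (check_hostname=True). Returns (True, san_list) or (False, reason).
    It uses the system resolver, so a hosts-file or DNS redirect sends it to the attacker's
    server, and that is exactly where verification fails."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return True, tls.getpeercert().get("subjectAltName", ())
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    typed = "www.examplebank.com"
    print("genuine cert covers typed name:", cert_covers_hostname(GENUINE_BANK_CERT, typed))
    print("attacker cert covers typed name:", cert_covers_hostname(ATTACKER_CERT, typed))
```

The offline part shows the asymmetry at the heart of the check: the genuine certificate lists the hostname you typed, while the attacker’s lists only names the attacker controls, so no amount of DNS tampering makes it match. Point `check_live` at a real hostname and it either returns the certificate’s SAN list or the same kind of rejection your browser would show; a “certificate rejected” result for a site you know should work is worth investigating with the hosts and resolver audit above before you type anything in.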

Changes to familiar websites

If you’re familiar with the website you’ve navigated to, look out for any visual changes that might suggest that it’s a fake copy of the site rather than the legitimate one. Misaligned website elements, misspellings, and different colors could all suggest a spoofed website created for pharming.

How can you stay safe from a pharming scam?

Pharming scams might be harder to spot than other phishing scams, but there’s plenty you can do to prevent your network and devices from falling victim to one. Here are some of the most important things you should do to stay safe from a pharming scam.

Check your device for malware

Many pharming attacks start with malware on your device, because that malicious software is what edits your “hosts” file or silently changes the DNS settings on your device or router. As such, it’s vital to keep your device clean of malware.

You can download easy-to-use software like CleanMyMac X and run a malware scan with its Malware Removal tool to ensure that your device is free of any nasty applications or services.

The Malware Removal module in CleanMyMac X, powered by Moonlock Engine

Ensure that all websites use HTTPS

Every website you enter information into should be loaded over HTTPS, not HTTP. Otherwise, anything you type is sent unencrypted and can be intercepted. Check the address bar: most browsers show “https://” (or a lock or site-information icon to the left of the URL, with the connection details under it) for a secure page and a “Not secure” label for a plain-HTTP one.

Use a password manager

Pharming attacks are used to harvest passwords from victims who type them into spoofed websites. A password manager reduces that risk because it only fills credentials on the site they were saved for, matching on the site’s origin (scheme plus hostname). That stops the look-alike domains used in ordinary phishing outright. Against pharming the picture is subtler: the address bar shows the genuine hostname, so what protects you is TLS. The attacker’s server can’t present a valid certificate for that name, so your browser blocks the page with a certificate error, and if the attacker falls back to plain HTTP, most password managers warn or refuse to fill a password that was saved for the HTTPS version of the site. Either way, if your password manager declines to fill a password it normally fills, treat that as a red flag and don’t type it in by hand.

Spoofed websites created via DNS or “hosts” file pharming won’t show dodgy links, but the malware that enabled the pharming attack might have come from one. It’s always a good practice to double-check that any links are legitimate before you click on them, even if they seem like they’ve come from a trusted source.

Avoid suspicious-looking websites

Pharming attacks can sometimes be caused by a compromised DNS resolver upstream of you, at your ISP or a data center. That is outside your control. What is in your control is whether you spot the resulting spoofed website. If something looks off about the site, or the browser warns you about it, trust your gut and don’t enter any personal information.

Enable 2-factor authentication (2FA)

Enabling 2-factor authentication (2FA) for your accounts can help prevent account theft, which might occur as a result of pharming. If a pharming attack hands an attacker your password, 2FA can still stop them from getting into the account. Where a service offers it, prefer a phishing-resistant method such as a hardware security key or a passkey: a spoofed site can relay a one-time code you type into it to the real site in real time, but it cannot replay a security key’s response, which is bound to the genuine site.

Pharming is a particularly subtle and sophisticated kind of phishing attack that redirects you to a malicious website after you enter a genuine URL. These attacks can be hard to spot, and you can’t always prevent them because sometimes the fault lies not with you but with a DNS server elsewhere.

Thankfully, there are steps you can take to protect yourself from pharming. There are also ways to spot whether you’re being targeted or not. Overall, turning on 2FA, using a password manager, and ensuring that all sites you visit use HTTPS will help keep you safe.

Jacob Fox
In addition to being an academic, Jacob is a lifelong technology expert and cybersecurity writer who has helped his readers understand information security for almost five years. He has written for TechRadar, PCGamer, and other online technology publications.