What is Pharming: Definition, Risks and Prevention

Learn about pharming, a cyber threat that redirects website traffic to fraudulent sites. Discover its objectives and risks and learn how to protect against them.

What is a Pharming Attack and How Does it Work?

A pharming attack is a serious threat where users are secretly redirected from genuine websites to fraudulent ones. The goal? To harvest sensitive information like usernames, passwords, and financial details. Unlike phishing, which relies on deceptive messages to lure users into clicking malicious links, pharming works behind the scenes, and it can basically redirect users even if they type the correct web address. This makes it much harder to detect.

The term "pharming" blends "phishing" and "farming," to emphasize the mass harvesting of data from unsuspecting victims. This redirection of information happens through two main techniques:

DNS Cache Poisoning corrupts the "internet's address book," the Domain Name System (DNS), which maps web addresses to their corresponding IPs. By tampering with these records, attackers redirect users to counterfeit sites that mimic legitimate ones.
Malware-Based Pharming involves malicious software altering a computer's local host files, rerouting requests to fake websites even when the correct URL is entered.

Pharming attacks target the internet's infrastructure itself, making them particularly dangerous. Their automated nature and the convincing appearance of fake sites can deceive even cautious users. Understanding what pharming is in cyber security is essential for both individuals and organizations to avoid falling victim.

How Pharming Attacks Work: User goes online; DNS Cache Poisoning; Malware-Based Pharming infects device; User redirected to fake website

Different Types of Pharming Attacks

Pharming attacks have evolved significantly since their emergence in the early 2000s. While early attacks primarily targeted individual computers, modern techniques can compromise entire networks, affecting thousands of users simultaneously. Two main attack vectors illustrate how cybercriminals manipulate the way users connect to websites.

DNS Cache Poisoning

Also known as DNS Spoofing, DNS Cache Poisoning uses vulnerabilities in the Domain Name System (DNS), the "internet phone book" that matches website names with their numerical IP addresses. Attackers insert false entries into a DNS server's cache, so when users try to visit a legitimate site, they are unknowingly sent to a fake website controlled by the attacker.

This method can have widespread consequences. A single compromised DNS server can redirect thousands of users, and the attack may spread further if neighboring DNS servers copy the corrupted records. By targeting popular websites, attackers can collect sensitive data from a large number of people, making this type of attack particularly dangerous.

Malware-Based Pharming

Malware-Based Pharming happens when malicious software infects a user's device, altering local DNS settings or host files to reroute internet traffic. Unlike DNS Cache Poisoning, which affects external servers, this type of attack works directly on the infected device. Often delivered through phishing emails or malicious downloads, malware-based pharming redirects users to counterfeit websites that steal sensitive information (login credentials, financial details, etc.).

While this method impacts only the infected device, it is more persistent. The malware continues to redirect users even after restarting the device or clearing the browser cache, making robust endpoint protection essential to detect and remove such threats.

Pharming Examples

Pharming attacks have evolved to exploit new vulnerabilities and adapt to changing technology and user behavior. From targeting financial institutions to exploiting home networks and humanitarian initiatives, these examples showcase how tactics have developed over time.

2007 Global Bank Attacks: The cybersecurity landscape changed significantly when attackers successfully compromised more than 50 banks worldwide through DNS (Domain Name System) manipulation. By corrupting the DNS cache—the system that translates website names into computer-readable addresses—criminals created a sophisticated network of fraudulent banking websites. The exploitation of a known Microsoft software vulnerability led to the compromise of over 3,000 computers' login credentials within three days. This incident established DNS security and prompt software updates as fundamental elements of institutional cybersecurity.
Pharming in Brazil: Pharming has been a persistent threat in Brazil, where mass pharming attacks on vulnerable customer-premises equipment (CPE) have been observed since 2014. These attacks, often targeting home routers with default or weak credentials, exploit DNS vulnerabilities to redirect users to fraudulent financial, streaming, or hosting services. Brazilian cybercriminals frequently use sophisticated methods, such as exploiting CPE and DNS manipulation, to collect sensitive credentials.
2019 Venezuela Volunteer Attack: Attackers created a fake registration website for volunteers supporting humanitarian aid efforts in Venezuela. Through DNS manipulation, users were redirected to counterfeit sites with identical appearance, allowing attackers to harvest sensitive personal data from thousands of individuals.
Risks on Public Wi-Fi Networks: Public Wi-Fi networks (those in cafes, airports, or gyms, for example), are common targets for drive-by pharming. How it works is that attackers create fake hotspots or compromise existing ones to alter the DNS settings of connected devices. Users are redirected to malicious websites without their knowledge. To stay safe, avoid accessing sensitive information on public Wi-Fi. If you must use it, always connect through a virtual private network (VPN).
Malicious Software (Trojans): Modern Trojans represent an evolution of DNS manipulation. These malicious programs are often hidden within legitimate-looking software and typically delivered through targeted email campaigns or compromised downloads. Once installed, they alter network settings to facilitate data theft. Some variants focus on immediate financial fraud, while others establish persistent access for long-term surveillance.

Phishing vs. Pharming: How Do They Differ?

Phishing and pharming are both cyberattacks designed to steal sensitive information, but they operate differently and require distinct defenses.

Phishing uses social engineering to deceive you. Attackers send fake emails, messages, or create counterfeit websites of banks or government agencies. Phishing requires user action, such as clicking a malicious link or filling out a fake form.

Pharming, on the other hand, works silently in the background by manipulating the Domain Name System (DNS)—the "internet address book" that connects website names to their actual IP addresses. Through techniques like DNS cache poisoning or malware, attackers can redirect users to fake websites even if the correct web address is entered. Also called "phishing without a lure," pharming needs no user interaction, which makes it harder to detect.

The main difference is user involvement and detection. Phishing relies on visible cues and user action, whereas pharming bypasses user awareness entirely, redirecting users to counterfeit sites. Although less common, pharming is often more dangerous due to its stealthy nature and potential to affect large numbers of users simultaneously.

How to Identify a Pharming Attack (Common Signs)

Pharming attacks are sometimes very challenging to identify, and that is why recognizing key warning signs can help you protect yourself from these threats:

Unexpected Website Redirects: If you type the correct website address but are redirected elsewhere, this is a major red flag. Hackers may manipulate DNS settings or your device's host files to reroute you to fraudulent websites without your knowledge.
SSL Certificate Warnings: Legitimate websites handling sensitive data typically display "https://" in the URL and a padlock icon. If you see "http://" instead or receive warnings about an invalid or missing security certificate, be careful - this could be a fake website.
Website Inconsistencies: Fake websites often mimic legitimate ones but with subtle differences. Look for changes in logos, colors, fonts, or missing pages like "Privacy Policy" or "Terms and Conditions."
Slightly Altered Website Addresses: Hackers may use minor changes to website addresses to deceive users, such as altering "anybank.com" to "anybnk.com." Always double-check URLs before entering personal information and avoid links with unusual characters or misspellings.
Unexpected Pop-Ups or Requests for Information: Pharming sites may display pop-ups or prompt you to enter sensitive data in unusual ways. Legitimate websites typically limit such requests to secure login pages. Be cautious if a site behaves differently than expected.
Frequent Internet Connectivity or DNS Issues: Slow browsing speeds, connectivity problems, or frequent error messages can indicate compromised DNS settings, redirecting you to malicious sites.
Unauthorized Activity on Your Accounts: Unfamiliar transactions, posts, or other account activities could mean that your credentials were stolen. To detect and address these issues, regularly monitor your accounts.

The Consequences of Falling Victim to Pharming

Pharming attacks can result in financial losses, downtime, and reputational damage. Criminals harvest login credentials, banking details, and personal identifiers from these fraudulent websites and use them for identity theft, unauthorized access, or financial fraud.

For individuals, the most immediate consequence is identity theft. Attackers can use stolen credentials to open fraudulent accounts, make unauthorized purchases, or secure loans in the victim's name. These actions can provoke unexpected debts or drained accounts in victims' lives. They can also harm credit scores and create long-term financial instability.

Pharming attacks have serious effects on businesses. They reduce customer trust, damage company reputations, and make companies responsible for not safeguarding sensitive information. Operational downtime can be especially harmful for smaller businesses that have limited resources. Pharming attacks often lead to long investigations, increased regulatory attention, and high costs to recover, which drain a company's finances and reveal important information like trade secrets. In severe cases, the combined financial losses and damage to the company's reputation can force a business to shut down.

On a broader scale, pharming undermines trust in online services. In a 2015 attack in Brazil, hackers exploited vulnerabilities in home routers to redirect online banking users to fraudulent sites. This erosion of trust reduced the use of digital banking services, illustrating how its impact goes beyond immediate financial losses and affects customer behavior and digital adoption.

What to Do if You’ve Fallen Victim to Pharming

If you suspect that you've been redirected to a fake website and your personal information may be compromised, acting quickly is crucial to limit the damage. Pharming attacks often target sensitive data like login credentials and financial information. To secure your accounts and devices, follow these steps:

Disconnect from the Internet - Turn off your internet connection immediately to stop any further transmission of data to attackers. This step also prevents additional harmful downloads if malware has already infiltrated your system.
Run a Full Antivirus and Antimalware Scan - Use a reliable antimalware solution to scan your device thoroughly. Many pharming attacks involve malware, such as Trojans, that can redirect traffic or steal data. A complete scan will help identify and remove these threats, restoring your device's security.
Clear DNS Cache and Check Host Files - Pharming often relies on DNS poisoning to redirect users. Clear your DNS cache to remove corrupted entries using the command ipconfig /flushdns on Windows or resetting DNS settings on macOS and mobile devices. Check your host file for unfamiliar entries that could indicate malicious redirections.
Change Your Passwords - Update the passwords for critical accounts like banking, email, and social media. Choose strong, unique passwords, and, when possible, two-factor authentication (2FA) for more security.
Notify Relevant Institutions and Your ISP - Inform your bank or financial institution if financial details have been compromised. They can monitor accounts for unauthorized transactions and secure them. Get in touch with your internet service provider (ISP) to make sure there is no network-level compromise affecting your connection.
Monitor Financial and Online Accounts Regularly - Fraudulent activity from pharming attacks can appear days or weeks later. Regularly check your bank and credit card statements for unusual transactions and set up alerts for suspicious activity. Stay vigilant over time to ensure your information remains secure.

How To Protect Yourself Against Pharming

Pharming attacks exploit DNS vulnerabilities to redirect users to fraudulent websites. Protect yourself with simple but effective security practices designed for individual users.

Start by securing your home network. Use a reliable DNS service that blocks redirects and change the default password on your router. Enable automatic firmware updates to prevent unauthorized DNS changes.
Install software with anti-pharming features to monitor your device for DNS changes or host file modifications. This software alerts you to suspicious activity so you can act quickly. Keep it updated to stay protected against evolving threats.
Remember that HTTPS encryption secures your connection to a website but cannot prevent redirection to fraudulent sites. Always verify URLs, especially when logging into financial or shopping platforms.
Enable two-factor authentication (2FA) on critical accounts. Even if your credentials are compromised, attackers will not be able to access your accounts without the second step of the authentication.
Choose an Internet Service Provider (ISP) with robust security features, such as traffic filtering. Conduct regular security audits for DNS configurations, router settings, and your overall network. Clearing your DNS cache regularly removes corrupted entries that could redirect users to malicious sites.
Businesses should implement backup communication systems, like secure messaging platforms, to maintain operations if primary DNS services are compromised. Employee training is essential, so educate your team to recognize suspicious behaviors, such as misspelled URLs or unusual requests for personal information.
Deploy antimalware solutions with real-time DNS monitoring to detect and block malicious activities. Combine these tools with endpoint monitoring and a robust incident response plan to create a multi-layered defense against pharming threats.

How Bitdefender Can Help

Pharming attacks exploit DNS vulnerabilities and user trust to redirect traffic to malicious sites. Bitdefender’s advanced solutions offer multi-layered protection against these threats. Integrated within Bitdefender's GravityZone Platform, they ensure comprehensive protection against pharming.

GravityZone Risk Management: Identifies and mitigates DNS vulnerabilities and system misconfigurations.
Network Attack Defense (NAD): Blocks DNS spoofing and suspicious traffic at the network level.
Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR): Correlates anomalies across endpoints and networks to identify malware or DNS manipulation.
Managed Detection and Response (MDR): Provides 24/7 monitoring and expert threat hunting to prevent and contain pharming incidents.
Patch Management: Keeps systems updated to close vulnerabilities that could be exploited
Web Filtering and Secure VPN: Protects users from malicious websites and secures connections, even on public Wi-Fi.

Overview

Definition
Types
Examples
Common Signs
Consequences
Protection

Solutions

Frequently Asked Questions

What is spoofing compared to pharming?

Spoofing and pharming are different ways attackers deceive internet users. Spoofing tricks individuals by impersonating trusted sources, such as creating fake websites, emails, or IP addresses, to gain access to personal information. It relies on the victim actively responding to the deception, like clicking on a link in a fake email. Pharming is more advanced: instead of tricking users directly, it manipulates the systems that connect websites and users (DNS servers or local device settings). This means you can type the correct website address but still be redirected to a fake page. Unlike spoofing, pharming often requires no user interaction. While both methods have the same goal—stealing sensitive information—pharming can be more dangerous because it exploits foundational internet systems rather than just user trust.

Is pharming a form of social engineering?

Pharming is not considered social engineering, which uses psychological tactics (sending fake emails, for example) to manipulate people into providing personal information. Pharming, in contrast, alters technical systems like DNS servers or host files to automatically redirect users to fake websites. Although social engineering can help launch attacks—such as using phishing emails to install malware—the manipulation in pharming targets systems, not the person.

Can pharming attacks be prevented by a firewall?

Firewalls can indeed block certain aspects of pharming due to their gatekeeping function. A firewall can stop malware from reaching your device and it can block unauthorized data transfers. This protection is effective against malware-based pharming, where malicious software alters DNS settings on your computer. However, firewalls cannot stop DNS cache poisoning, where attackers compromise external DNS servers. These attacks occur outside your network, bypassing the firewall. To counter pharming fully, you need additional safeguards, such as secure DNS services, updated software, and vigilant browsing practices. Firewalls are helpful but are only part of the solution.