If you spend time on a computer during your workday, you’ve likely heard of phishing. But are you aware of pharming, its lesser-known counterpart?
In truth, it’s hard to say precisely how prominent pharming is. In its annual reports, the FBI’s Internet Crime Complaint Center (IC3) lumps pharming in with phishing, smishing, and vishing. These are the most common types of cyber attacks, with over 300,000 reported cases occurring in 2021 alone under this category.
However, one thing’s certain: Pharming is a significant threat, and it happens often enough that you’re better off knowing how to spot it. So today, we’re giving you a rundown on pharming – what it is, how it works, and what you can do to keep yourself safe.
What Is Pharming, and How Does It Work?
Pharming (a play on the words “phishing” and “farming”) is a sophisticated tactic that allows cybercriminals to redirect unsuspecting users to fake websites. In many cases, these fraudulent websites appear identical to the real thing, and users are generally unaware that they’ve reached a spoofed site.
Thinking they’ve reached their intended destination, users enter usernames, passwords, or other credentials. Malicious actors exfiltrate this sensitive data and use it for nefarious purposes or sell it.
But how do threat actors carry out pharming attacks without anyone noticing? They exploit the mechanics that make browsing the internet quick and easy.
When you need to reach an online destination, you type a domain name into the address bar (or, more likely, you click a bookmark that takes you to your often-visited site). But every time you do so, a process occurs behind the scenes.
A domain name (like www.armorblox.com) isn’t technically a website’s address. Instead, it’s a stand-in for an internet protocol (IP) address. IP addresses are long strings of digits separated by dots. Because it would be impossible to remember the unique numeric combination for all of your favorite sites, we use easily identifiable domain names instead.
A Domain Name System (DNS) server then translates these names into IP addresses to display the intended website on your device. Pharming attacks target this behind-the-scenes process to redirect users to spoofed websites.
There are two ways to manipulate this “translation” process and send users to a fraudulent website:
- DNS poisoning – Also called DNS spoofing, DNS poisoning occurs when an attacker hijacks a DNS server and changes the settings to redirect users. Because DNS servers often serve tens of thousands of people, one modification to the DNS table can send countless people to an alternate location. Ultimately, each request that goes through the corrupted DNS server can automatically redirect users.
- Malware-based pharming – Malware-based pharming occurs on a smaller scale. Instead of targeting an entire DNS server, a threat actor attacks individual users with a virus or Trojan Horse that reroutes them to the fake website. Attackers attempt to infect a user’s device with this malware through software downloads or malicious emails. Once a user unknowingly downloads the attacker’s code, it can alter stored IP addresses and corrupt locally hosted files.
Both techniques lead to users visiting a fraudulent website where bad actors aim to exfiltrate personal information or install damaging malware.
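On an endpoint, one place a stored name-to-address mapping lives is the hosts file, which is consulted before any DNS server is asked. The audit below is an added example, not part of the original article or any Armorblox product: it parses hosts-file text and reports watched domains that have been pinned to a local override. The domain names, addresses, and sample file contents are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file (the layout is the same on Windows, macOS and Linux).
SAMPLE_HOSTS = """\
# Constructed example, not taken from a real machine
127.0.0.1   localhost
::1         localhost ip6-localhost
0.0.0.0     ads.tracker.example      # sinkhole entry from a blocklist
10.0.0.12   build.corp.example
203.0.113.50  www.bank.example login.bank.example
not-an-ip   www.shop.example
"""

def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            yield line_no, fields[0], [h.lower().rstrip(".") for h in fields[1:]]

def audit_hosts(text, watched):
    """Report watched names pinned to a non-loopback address, plus malformed lines."""
    findings = []
    watched = {w.lower() for w in watched}
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, addr, names, "malformed address"))
            continue
        # Loopback / unspecified targets are typical blocklist sinkholes, not redirects.
        if ip.is_loopback or ip.is_unspecified:
            continue
        hits = [n for n in names
                if n in watched or any(n.endswith("." + w) for w in watched)]
        if hits:
            findings.append((line_no, addr, hits, "watched name overridden locally"))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, {"bank.example", "shop.example"}):
        print(finding)
```

In practice the text would be read from the machine's own hosts file and the watched set would hold the domains your users log in to.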
Pharming vs. Phishing: What’s the Difference?
Pharming is a type of phishing attack, and while it’s true that attackers can leverage both tactics to exfiltrate sensitive or confidential data, they are far from identical.
When it comes to pharming vs. phishing, the primary difference lies in the method of delivery.
Traditionally, phishing is solely a message-based attack; malicious actors target users with a seemingly legitimate business email, DM, or text. With pharming, email can be involved, but it’s not the usual vessel for would-be pharmers. Instead, they’re more likely to target a DNS server than an individual, as the payout is better.
Additionally, phishing scams tend to incorporate social engineering. Threat actors pose as coworkers, vendors, or friends and often include urgent requests to get victims to click a bad URL or engage with malicious email attachments. Pharming is pure technical trickery; there’s no appeal to human emotion with DNS cache poisoning. Instead, the success of a pharming attempt relies more on the attacker’s skills in code-writing and fake website creation.
Ultimately, pharming is harder to detect and prone to occur on a much larger scale.
How to Spot a Pharming Attack
Because pharming is a covert tactic, recognizing this threat can be challenging. However, the following are four ways you can spot a pharming attack:
- Check the URL – In many cases, a spoofed website will have an address with typos or numbers in place of letters. For example, two letters could be swapped, or a “1” could stand in for a lowercase “L.” Never click on links from unknown senders.
- Ensure the website is secure – If a web address begins with http:// (as opposed to https://), don’t click the link. The “s” stands for secure; when it’s not there, the site is unencrypted, and you’re at risk.
- Look for inconsistencies – Whether you know it or not, you’ve likely become familiar with the copy and layout of your most-used work and personal websites. If you visit a site and the font seems different or a section is missing, you may have a fake on your hands.
- Watch for signs of successful pharming attacks – In some cases, you may not notice you’ve fallen victim to pharming until afterward. Signs of a successful attack include changes to your credentials, unknown payments, and messages or activity on social media that you didn’t initiate.
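The first two checks in this list can be automated. The following is an added example, not code from the original article: it compares a URL's hostname against a set of trusted hostnames and flags digit-for-letter substitutions, swapped neighbouring letters, and a trusted host reached without https. The substitution table and all hostnames are assumptions chosen for illustration and are not exhaustive.

```python
from urllib.parse import urlsplit

# Digit-for-letter swaps such as "1" for "l" (assumed table, not exhaustive).
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

def is_adjacent_swap(a, b):
    """True if b equals a with exactly one pair of neighbouring characters swapped."""
    if len(a) != len(b) or a == b:
        return False
    diff = [i for i in range(len(a)) if a[i] != b[i]]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])

def check_url(url, trusted):
    """Classify a URL against a set of trusted hostnames."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    if host in trusted:
        # Right name, but flag it when the connection would be unencrypted.
        return "trusted" if parts.scheme == "https" else "trusted-host-no-https"
    for good in sorted(trusted):
        # Same string once look-alike digits are folded to letters.
        if host.translate(LOOKALIKES) == good.translate(LOOKALIKES):
            return f"lookalike-of:{good}"
        if is_adjacent_swap(host, good):
            return f"lookalike-of:{good}"
    return "unknown"

if __name__ == "__main__":
    TRUSTED = {"portal.example.com", "mail.example.com"}  # constructed hostnames
    for url in ("https://portal.example.com/login",
                "http://portal.example.com/login",
                "https://porta1.example.com/",
                "https://mial.example.com/",
                "https://news.example.org/"):
        print(url, "->", check_url(url, TRUSTED))
```

A hostname match does not rule out DNS poisoning, since a poisoned resolver serves the fake site under the correct name.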
How Do You Prevent Pharming Attacks?
Preventing pharming may not be easy, but it’s not impossible. There are a few ways to protect yourself:
- Educate your team – As with all email attacks and other cyber security threats, the first step in protecting yourself and your business is education. A little knowledge goes a long way. You can give your employees the tools they need to recognize threats by running workshops and providing links to online learning centers.
- Use an email security solution – People make mistakes; no amount of education can prevent end users from falling victim to all pharming attacks. Email security solutions catch these targeted attacks, better protecting end users. Since most malware-based pharming attacks come via email (either as a suspicious link or a malicious attachment), email security keeps your organization and employees safe.
- Choose your ISP wisely – Unless you manage your own DNS server, you can’t protect yourself from DNS poisoning. As such, it’s worth choosing a reputable internet service provider (ISP), as they’re in charge of keeping the DNS server safe. High-quality ISPs will also filter traffic and notify you of suspicious redirects.
Protect Your Business From Pharming With Armorblox
Pharming is one of the hardest cyber attacks to detect and prevent. Malware-based attacks can catch unknowing users off-guard, and DNS cache poisoning can occur behind the scenes for weeks before anyone notices.
Considering your sensitive data is at stake, it’s worth doing everything possible to stop targeted pharming attacks. For that, there’s Armorblox.
As a comprehensive email security solution, Armorblox protects your team from all email-based attacks, including pharming attempts—without adding more work to your plate. Through machine learning (ML) and Natural Language Understanding (NLU), Armorblox automatically recognizes suspicious links, malicious attachments, and out-of-organization emails—all potential sources of pharming attacks.