Pharming Explained

Pharming is a procedure of phishing with the use of precursor malware. It supposes the crooks to redirect the hacked user to spoofed websites in order to steal money, credentials or so.

You may be interested in taking a look at our other antivirus tools:
Trojan Killer, Trojan Scanner.

What is Pharming? | Gridinsoft

Pharming - What is it?

GRIDINSOFT TEAM
Are you sure that all sites you visit are genuine? Hackers put an eye on the ability to compromise the users accounts, steal money and do other nasty phishing by showing it a counterfeited site page. But how is that possible?

Pharming is a type of cyberattack that combines the approaches and targets of farming and phishing. Phishing refers to specific outlaw approaches to getting the personal information from the user, or tricking them into actions they never intended to do. Farming is a fraudulent activity that supposes trafficking the users to the other site, which pays the threat actors for attracting users. This practice is not so dangerous, but is considered unwanted, and the sites that use farming to create the illusion of high traffic are often punished by search engines.

The nature of phishing is likely familiar to most of the users who have ever been interested in cybersecurity. Phishing is a process of stealing the users’ credentials, important and private information or forcing it to do what crooks want (pay-off the invoice, install the app, etc.) via social engineering. It was constantly present throughout the whole period of Internet existence, and will likely keep going - fool’s gold still attracts a lot of people. Aside from bringing the crooks an instant profit, the output of a successful phishing may be a basis for further cyberattacks.

What is pharming?

Pharming is a way of phishing where the victim is thrown to a counterfeit version of a known website, perhaps the one they often use in their daily activities. That is done to lull the vigilance, as well-known names are trusted and rarely force the user to do security check-ups. However, contrary to most other phishing schemes, pharming requires additional malware running on the victim’s PC. Most often, that is adware or browser hijacker – they are best for browser and networking control, and pretty easy to distribute.

Pharming mechanism

The injection of this malware may happen way before the pharming attempts, and most of the time you will probably see just typical adware signs - poorly designed banners and obtrusive offers. Crooks who spread and control these viruses can easily contract other crooks in order to advertise their products through adware. At one moment, your web browser will open a scam page which contains not usual advertisements, but a copy of the site you likely know. There, actually, the action begins.

How does pharming work?

As it was mentioned, such a phishing approach as pharming bears upon malware that is present in the target system. Since most pharming campaigns choose adware as assistant malware, these events may have some really massive scale. Adware is the best option as it is widespread, pretty easy to hide and it has access to the system’s networking settings by design. Let’s check up on how things happen step by step.

First, malware which maintainers have a contract with pharmers make the corresponding changes to the systems’ DNS records. In Windows they’re stored in a HOSTS file. A DNS system is like a global phone book for computers, that helps the browser to find a proper IP address of a target server. Only humans interact with user-friendly URLs like example.com, while machines use IPv4 or IPv6 addressation - they look like 123.456.78.90 or 2001:db8:3333:4444:5555:6666:7777:8888. DNS request returns the IP address of the site server that is best for the user. However, users can set up the preferred server manually - by specifying its IP in the aforementioned HOSTS file. The problem is that viruses can do the same adjustments - leading to the bad consequences we’ll explain below.

The default contents of HOSTS file. Records of known sites you've never did and asked for are the clear signs of malware activity,
The default contents of HOSTS file. Records of known sites you've never did and asked for are the clear signs of malware activity,

Even before the changes described in the previous paragraph, threat actors should establish the website on the IP address they are going to abuse. This site, as you can guess, must repeat the key design features of a known resource, so the target will type down the information without any doubts. It requires some time to copy the design, but such campaigns generally rely on visual match, so this part is rarely ignored. Hence, before the action starts, the crooks have a clear copy of a targeted site, and a victim that will be redirected to this page each time they try to open a genuine one.

The key feature of this way of pharming is that it is almost impossible to distinguish a copy from the original site. Less complex ways of pharming (we’ll mention them below) usually suppose that there will be a difference in URL addresses, absence of an HTTPS certificate, and so on. But pharming of that complexity supposes that even your URL bar will display you the original URL. Your browser will think that it connects you to a genuine site, and you will likely have no visible reason to alarm.

At one moment, attempting to open your Twitter page, you will see a routine login offer. It will not be predictable, but who knows - social networks sometimes logout you without any notification. The only way to detect the fake at this point is to try to log in with a SAML provider - Google or Apple ID. The counterfeit will not be able to do that properly, and you will likely see these functions not working or the site may just crash once you try it.

Alternative pharming ways

The pharming approach mentioned above requires more time and resources to prepare, although being likely the most effective way of phishing. But in a pretty big number of cases crooks may reject the complexity and embrace simple ways that work only with the least attentive users. Those are the links to the spoofed websites that are posted wherever - on forums, in messengers or other social media. In rare cases, crooks may use the compromised website to redirect you as soon as you open it. They previously bait you to go and check it out in the same manner - by a link and a comment somewhere online.

Fake Facebook page that can be uncovered by the different URL address
Fake Facebook page that can be uncovered by the different URL address

The key difference between this method and the one we described previously is that the spoofed website is much easier to distinguish from the original. In this pharming approach, crooks just do not want to spend time and money, so the counterfeit may look pretty gnarly, with overlapping and wrongly positioned elements. The website URL is not copied as well, since no DNS poisoning is done. Still such a simplified pharming is still effective, as most of such counterfeits belong to this form of a fraud.

How dangerous is pharming?

We have described the ways crooks are using to fool you. But what kinds of information does this fraud try to steal? Contrary to a great number of more classic phishing campaigns, that are going for your personal details, pharming usually aims at your login credentials, and sometimes banking information. The latter is pretty rare as the pages of popular payment systems are quite hard to spoof, but it is still possible.

Some pharming pages mimic the sites that cannot lure out your credentials, but instead give the sensitive information. Those could be the fake delivery tracking pages, customer surveys and so on. In that way hackers cannot compromise you, but having such information makes it easier to set up a more realistic phishing trap in future.

However, banking card information and credential losses are still the most hazardous things. There are plenty of offers on the Darknet to purchase a database with leaked card information, which is enough to drain all the accounts to zero. Stealing the credentials is more about spear phishing, when crooks aim at a certain person whose account is of interest for them. However, even the massive spam case is a great way to get a database of compromised accounts that are ready to be used for spamming in the social networks.

Pharming examples

Pharming had a much bigger spread in ‘00s, when the sites had much weaker security measures applied. Moreover, people had generally lower cybersecurity awareness, trusting most of the things they meet online. The most known attack happened in 2007, when hackers spoofed a chain of financial institutions’ sites. That resulted in collecting the login info of thousands of victims and tricking them to download the file that was containing a trojan virus inside.

One of the loudest attacks of the past decade happened in 2019, and took place in Venezuela. Nicolas Maduro claimed the creation of a movement called “Voluntarios por Venezuela” and asked all citizens to join it, if they wanted to help the country in a joint effort with international organisations. However, the site they offered to register on for the participation was likely intended to collect as much personal information about the volunteers as possible. Given that the government in Venezuela is not very happy about the initiative of citizens, the purpose of such a “survey” is pretty obvious.

Protection against pharming

Despite being much more sophisticated than classic phishing, pharming still partially relies on people's inattentiveness. It applies a lot of different approaches in order to mask the fraud from its victims, but it still cannot make it completely indistinguishable from the original. Moreover, less complicated ways of pharming may be pretty easy to uncover - just pay attention to details. Here are the places you should check out with increased diligence.

  • Website URL. Hackers sometimes manage to counterfeit it, or make it pretty similar. But since clumsy scam is more widespread, it is recommended to check it up. You can probably find things like “tvviter.com” or “facebooksite.weebly.org” — a clear sign that someone is trying to fool you.
  • Connection security. HTTPS certificates are rarely given to the fake websites, especially ones created on the website constructors - like wix.com or the aforementioned Weebly. Clicking on the lock pictogram at the left part of the address bar will show you if the connection is secure.
  • Elements. Keep in mind that any company that tries to keep a good image will try to keep their site in a good shape. No overlapping elements, everything works as it is supposed to, the site is not crushing and works smoothly – that is what you usually expect to see. If the site you know has some errors that go against the mentioned criterias, it is a reason to check if it is original at all.
  • Use anti-malware software with online security features. The most efficient way to protect yourself from pharming without constantly being on alarm is to use a security solution that will do that job for you. For sure, not each anti-malware program will be capable of protecting your browsing experience. The one that definitely can is GridinSoft Anti-Malware – try it out and see the difference.

Frequently Asked Questions

What is pharming vs phishing?
Pharming is a type of phishing - the complicated one. By the effectiveness it is comparable to spear phishing via email, but in some cases may even be more productive. This method tries to build itself in the regular activities of a victim, thus being less suspicious.
Why is it called pharming?
The word “pharming” is simply an amalgamation of the word “phishing” and “farming” – the names of cyber frauds whose combination gave the world the pharming. It may sound close to pharmaceutical thematics, but it actually has nothing to do with the latter.
Why is pharming used?
Pharming is a sophisticated way of phishing that makes it possible to get the most sensitive information without a serious preliminary intelligence. While spear phishing requires a long data collection, and social engineering means hours spent on gaining the trust, pharming allows the crooks to direct the attack after the initial penetration. That means that the victim has no way to escape, unless they will figure out the spoof in the process. Threat actors who perform pharming may personalise each of the DNS poisoning operations, basing on the typical activities, as well as make an attack on scattered groups of users. Such a flexibility is what some of the crooks want to have, and they are ready to ignore all concominant inconveniences.
Can pharming be prevented?

Clumsy pharming is pretty hard to prevent, as you have no way to forbid someone from sending a message with a link to a spoofed website. Even the practices like blocking the incoming messages from unknown senders or filtering the contents may still miss something out. However, it will likely look least trustworthy.

The complex method, that involves DNS poisoning, will be useless if the trick with your DNS is impossible to perform. Fortunately, it is quite easy to counter - by just setting the mentioned HOSTS file to read-only mode. After that manipulation, it will be impossible to do any changes to this file without calling for the UAC warning.