Did you hear of the attack, back in 2007, that targeted customers of about 50 financial institutions? A Microsoft Windows vulnerability was at the center of it. Online banking customers in the Asia-Pacific region, Europe, and the US were the victims: their computers silently downloaded five Trojan-laden files from a server in Russia.
From then on, whenever a victim typed in their bank's address, the infected computer quietly took them to a fraudulent copy of the bank's website, and the login details they entered went straight to the Russian servers. Within three days the number of infected PCs stood at 3,000. But what really happened?
Cyber attacks come in many forms. Common examples include DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks, phishing, man-in-the-middle attacks, and older packet-level attacks such as teardrop, smurf, and ping of death. A less common type that is steadily gaining ground is pharming, and pharming is what was behind the attack described above.
You may never have heard of pharming. Some refer to it as "phishing without a lure." The word is a portmanteau of "phishing" and "farming." Unlike phishing, it relies very little on social engineering: the victim does not have to be tricked into clicking anything.
Pharming differs from phishing in how the victim ends up on the fraudulent site. Phishing lures the user, typically with a deceptive email or message, into following a link to a fake website that mimics a legitimate one and harvests whatever the user types. Pharming needs no lure: the user types the correct address of the genuine site and is still delivered to the fake one, because the name-to-address lookup underneath has been tampered with.
Cybercriminals carrying out pharming attacks tamper with DNS (Domain Name System) resolution, either on the victim's own device or at a DNS server that many users share, so that requests for the legitimate domain are answered with the address of the pharming site. A victim who arrives there logs in as usual, and the criminals capture the credentials and any other personal information entered: name, address, Social Security Number (SSN), or confidential business details. From there they can commit identity theft or steal the victim's money.
What are the Mechanics of Pharming?
To see how pharming works, start with DNS.
The job of the DNS is to translate a human-readable domain name into the IP address of the server that hosts the site; only once that translation is done can your browser open a connection to the right server. Whoever controls the answer to that lookup controls where your browser goes.
There are two principal ways to carry out a pharming attack:
- Malware-based pharming, which rewrites name resolution on the victim's own device
- DNS cache/server "poisoning", which corrupts the answers a shared DNS server hands out
The first approach plants malicious code on the victim's device via a "carrier" Trojan or virus delivered as an email attachment or download link. The code rewrites the device's hosts file, the local list of name-to-address mappings that the operating system consults before it asks any DNS server, or changes the device's configured DNS servers to ones the attacker controls. Either way, typing the genuine address quietly delivers the user to a fraudulent site set up by the criminals to harvest personal data.
Pharming malware of this kind is also known as a DNS changer or DNS hijacker: it infects the victim's computer and makes unauthorized changes to the hosts file or the DNS settings.
Some DNS changers, such as the Extenbro Trojan, go further: they also block access to security vendors' websites, so that the victim cannot download the tools needed to remove the malware.
The second approach targets DNS caching. Looking a name up at a DNS server is fast, but it is not free, so the answer is cached at several layers (in the browser, in the operating system's resolver, in the home router, and in the ISP's or public recursive DNS server) so that later visits to the same site load faster without a fresh lookup.
A DNS cache is therefore not just something your browser creates when you hit Enter after typing a URL; every one of those layers keeps its own copy of previous answers to spare itself repeat trips to the authoritative servers.
This pharming variant poisons one of those caches: it gets a forged answer accepted and stored, and from then on every lookup served from that cache sends traffic to the fraudulent site until the bogus entry expires.
The impact of DNS cache poisoning is far more widespread than that of device-level malware, because one poisoned cache misdirects every client that relies on it. A home router, for instance, keeps a DNS cache of previous lookups, and every device on the network uses it when connecting to a site anyone on that network has visited before.
The router is therefore a DNS server of sorts, and it can be poisoned just like one.
At the largest scale, DNS poisoning targets the organizations that run and maintain the recursive DNS servers translating human-readable domain names into IP addresses for thousands or millions of users.
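To make the cache-poisoning race concrete, here is a toy Python model, added to this article and not code from the article or from any real resolver, of a stub resolver that caches the first reply passing its checks. Nothing is sent on the network: the queries and replies are plain objects, the "attacker" is a loop firing guessed replies, and bank.example, 198.51.100.10 and 203.0.113.66 are a fictitious name and documentation-range addresses chosen for the demonstration. It shows why a resolver that sends from a fixed source port with a predictable question gets poisoned in a noticeable fraction of races, while one that randomises its source port and the letter case of the question (the "0x20" technique) does not.

```python
"""Toy model of a DNS cache race and the resolver checks that keep a forged
answer out of it.

Added example for this article; not code from the article or from any real
resolver. Nothing touches the network: Query and Reply are plain objects, the
"attacker" is a loop that fires guessed replies, and bank.example,
198.51.100.10 and 203.0.113.66 are a fictitious name and documentation-range
addresses used only for the demonstration.
"""
import random
from dataclasses import dataclass


@dataclass
class Query:
    txid: int        # 16-bit DNS transaction ID chosen by the resolver
    src_port: int    # UDP source port the query was sent from
    qname: str       # question name exactly as sent (letter case preserved)


@dataclass
class Reply:
    txid: int        # must echo the query's transaction ID
    dst_port: int    # must arrive at the port the query left from
    qname: str       # question section echoed back by the responder
    answer_ip: str   # the A record the reply carries


class StubResolver:
    """Caches the first reply that passes its checks. Like a real resolver, once
    an answer is cached the pending question is gone, so the genuine reply that
    arrives later is silently dropped: the first matching answer wins."""

    def __init__(self, randomize_port: bool, mixed_case: bool, rng: random.Random):
        self.randomize_port = randomize_port  # source-port randomisation (RFC 5452)
        self.mixed_case = mixed_case          # "0x20": random letter case in qname
        self.rng = rng
        self.cache = {}      # lower-cased name -> IP the resolver now believes in
        self.pending = {}    # lower-cased name -> outstanding Query

    def send_query(self, name: str) -> Query:
        txid = self.rng.randrange(1 << 16)
        port = self.rng.randrange(1024, 1 << 16) if self.randomize_port else 53
        if self.mixed_case:
            name = "".join(c.upper() if self.rng.random() < 0.5 else c
                           for c in name.lower())
        query = Query(txid, port, name)
        self.pending[name.lower()] = query
        return query

    def receive(self, reply: Reply) -> bool:
        """Return True if the reply was accepted into the cache."""
        key = reply.qname.lower()
        query = self.pending.get(key)
        if query is None:                      # nothing outstanding for that name
            return False
        if reply.txid != query.txid:           # 16 bits the forger has to guess
            return False
        if reply.dst_port != query.src_port:   # another ~16 bits when randomised
            return False
        if reply.qname != query.qname:         # 0x20: the case pattern must match too
            return False
        self.cache[key] = reply.answer_ip
        del self.pending[key]
        return True


def make_resolver(randomize_port: bool, mixed_case: bool, seed: int = 1) -> StubResolver:
    return StubResolver(randomize_port, mixed_case, random.Random(seed))


def poisoning_trial(resolver: StubResolver, name: str, real_ip: str,
                    attacker_ip: str, guesses: int, rng: random.Random) -> bool:
    """One race for `name`: the attacker fires `guesses` forged replies before
    the authentic answer lands. True if the attacker's IP ends up cached."""
    query = resolver.send_query(name)
    for _ in range(guesses):
        # The forger sees neither the txid nor the port, so it guesses the txid,
        # assumes the classic fixed port 53 and sends the name in lower case.
        forged = Reply(rng.randrange(1 << 16), 53, name, attacker_ip)
        if resolver.receive(forged):
            break
    # The authoritative server's genuine reply arrives last.
    resolver.receive(Reply(query.txid, query.src_port, query.qname, real_ip))
    return resolver.cache.get(name) == attacker_ip


def run_experiment(randomize_port: bool, mixed_case: bool,
                   trials: int = 200, guesses: int = 3000, seed: int = 7) -> int:
    """Number of trials in which the cache ended up poisoned."""
    rng = random.Random(seed)
    poisoned = 0
    for _ in range(trials):
        resolver = StubResolver(randomize_port, mixed_case, rng)
        if poisoning_trial(resolver, "bank.example", "198.51.100.10",
                           "203.0.113.66", guesses, rng):
            poisoned += 1
    return poisoned


if __name__ == "__main__":
    print("fixed port, plain case:", run_experiment(False, False), "of 200 races poisoned")
    print("random port + 0x20    :", run_experiment(True, True), "of 200 races poisoned")
```

With only the 16-bit transaction ID to guess, a few thousand forged replies per race win a few percent of races, and a persistent attacker simply keeps racing. Randomising the source port multiplies the search space by roughly 64,000, and 0x20 case randomisation adds more bits again; real resolvers also refuse answers that are out of bailiwick (records for names the queried server is not authoritative for) and, where the zone is signed, validate DNSSEC signatures, which the toy omits.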
How to Protect Yourself from Pharming
Thankfully, pharming is not impossible to deal with. Installing reliable antivirus and anti-malware software with browser monitoring is an excellent first step: it can detect DNS-changer malware and shield devices from emerging threats.
You may also want to consult a seasoned cybersecurity solutions provider in the Philippines, such as IPSYSTEMS, for guidance on appropriate network security and email security software.
Here are a few things to do to remain safe from pharming attacks.
- Always use secure (HTTPS) connections rather than plain HTTP. This matters most against pharming: a fraudulent server cannot obtain a valid certificate for the bank's real domain name, so your browser will warn about the certificate even though the address bar shows the right name (unless malware has also installed its own trusted root certificate on the device). Never click through that warning on a login page.
- If a website or offer looks too good to be true, then it probably is. Avoid such websites.
- Be wary of opening links and attachments, especially from unknown sources, but also from known ones, since a compromised contact is a common carrier.
- Enable 2FA (two-factor authentication) on websites that offer it.
- Use a VPN service that routes your DNS queries to reputable DNS servers, so that a poisoned router or ISP cache is bypassed.
- Change the default password on routers and wireless access points; a router still on its default password is easy to reconfigure to use an attacker's DNS servers.
- Use a password manager with auto-fill: it fills credentials only on the domain they were saved for, which defeats look-alike phishing domains. Against pharming the domain name looks right, so the certificate warning above is your safety net.
Consider switching to a different DNS service. An individual user can do little to prevent the poisoning of a DNS server's cache; it is the operator's job to keep the server secure. Well-regarded alternatives include Cloudflare (1.1.1.1), Google Public DNS (8.8.8.8), and OpenDNS.
All three offer better security and privacy than a typical ISP-provided resolver. Cloudflare and Google validate DNSSEC and support encrypted DNS (DNS over HTTPS or DNS over TLS), which a router-level or on-path attacker cannot tamper with. OpenDNS goes the extra mile with its FamilyShield servers for families who want to block adult content.
It's possible that you've already fallen for a pharming ruse. In that case, don't just reboot: check the hosts file and the DNS server settings on the device and on your router for entries you did not make, remove them, and then flush the local DNS resolver cache so that any poisoned answers are discarded rather than reused.
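The hosts-file tampering described in the mechanics section is also the first thing to look for when cleaning up. The following Python script, an added example that is not code from the article or from any security product, parses a hosts file and flags two kinds of entry a DNS changer leaves behind: public names pinned to a routable address (the redirect that sends a typed bank address to the attacker) and watchlisted names sinkholed to loopback (the Extenbro-style lockout from security vendors). SAMPLE_HOSTS is a constructed tampered file; bank.example and av-vendor.example are fictitious names and 203.0.113.45 is a documentation-range address. Running it with no arguments audits the real hosts file on the machine instead.

```python
"""Audit a hosts file for the overrides a DNS-changer Trojan leaves behind.

Added example for this article; not code from the article or from any security
product. SAMPLE_HOSTS is a constructed tampered hosts file, bank.example and
av-vendor.example are fictitious names, and 203.0.113.45 is a documentation-
range address. Run with --sample to audit the constructed file, or with no
arguments to audit this machine's real hosts file.
"""
import ipaddress
import platform
import sys
from typing import List, Tuple

# Names a stock hosts file legitimately points at loopback or unspecified addresses.
STOCK_LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
}

# Names whose hijack or blocking matters most to this user: their bank, and the
# security vendor a DNS changer such as Extenbro tries to cut the victim off from.
WATCHLIST = {"bank.example", "www.bank.example", "av-vendor.example"}

SAMPLE_HOSTS = """\
# Host Database (constructed sample)
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
0.0.0.0         ads.tracker.example               # ad-blocker sinkhole, benign
203.0.113.45    www.bank.example bank.example     # planted: bank now resolves to the attacker
127.0.0.1       av-vendor.example                 # planted: security vendor unreachable
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, ip) for every active entry; comments and junk are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address, so the resolver will not honour it either
        for name in names:
            entries.append((name.lower(), ip))
    return entries


def classify(entries: List[Tuple[str, str]], watchlist=WATCHLIST) -> List[Tuple[str, str, str]]:
    """Return (hostname, ip, verdict) for the entries a human should look at."""
    findings = []
    for name, ip in entries:
        addr = ipaddress.ip_address(ip)
        sinkholed = addr.is_loopback or addr.is_unspecified
        if sinkholed:
            if name in STOCK_LOCAL_NAMES:
                continue                                   # normal localhost plumbing
            if name in watchlist:
                findings.append((name, ip, "blocked"))     # Extenbro-style lockout
            continue                                       # other sinkholes: ad/telemetry blocking
        # A public name pinned to a routable address bypasses DNS entirely; this is
        # exactly how hosts-file pharming sends bank.example to the attacker's server.
        verdict = "redirected-watchlist" if name in watchlist else "redirected"
        findings.append((name, ip, verdict))
    return sorted(findings)


def default_hosts_path() -> str:
    if platform.system() == "Windows":
        return r"C:\Windows\System32\drivers\etc\hosts"
    return "/etc/hosts"


def audit_file(path: str) -> List[Tuple[str, str, str]]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return classify(parse_hosts(fh.read()))


if __name__ == "__main__":
    if "--sample" in sys.argv:
        results = classify(parse_hosts(SAMPLE_HOSTS))
    else:
        results = audit_file(default_hosts_path())
    for name, ip, verdict in results:
        print(f"{verdict:22} {name:30} -> {ip}")
    if not results:
        print("no suspicious hosts entries")
```

For a real audit, replace WATCHLIST with the domains you actually care about (your bank, your email provider, your antivirus vendor). Two caveats: the hosts file is writable only by an administrator, so any entry you did not add means malware already ran with those rights and a full scan is in order; and a clean hosts file does not rule out pharming, because the DNS changer may instead have altered the device's or the router's DNS server settings, which must be checked separately.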
Pharming can affect anyone on any platform, whether Android, iOS, Mac, or Windows.
How to Sniff Out a Pharming Attack
- An unsecure connection. When a website uses HTTP instead of HTTPS, or your browser warns that the site's certificate does not match its name, the connection may have been hijacked.
- A suspicious-looking website. A supposedly legitimate website with multiple spelling errors, unfamiliar fonts, or unusual colors may not be legitimate. The more red flags there are, the quicker you should leave.
Pharming attacks are as harmful as any other cyber attack, and they require almost no action from the victim. Even a device that scans clean can be redirected to a pharming website when the poisoned cache lives in the router or an upstream DNS server, exposing a large number of users at once. Early detection is key to limiting the damage from this emerging but potent threat.