Written by Ivan Belcic
Published on November 6, 2019

Pharming is a rafty type of internet fraud that subverts the very foundations of the internet itself. By manipulating web traffic, pharming attackers attempt to fool their targets into handing over valuable personal information. Because pharming is so sneaky, many victims are unaware that they’ve been scammed until it’s too late. In this article, you’ll learn what pharming is, how it works, and most importantly, what you can do to prevent it from happening to you.

This article contains :

    What is pharming?

    Pharming is when a hacker (or “pharmer”) directs an internet user to a fake website instead of a legitimate one. These “spoofed” sites can capture a victim’s confidential information, including usernames, passwords, and credit card data, or install malware on their computer. Pharmers usually focus on websites in the financial sector, including banks, online payment platforms, or other e-commerce destinations, often with identity theft as the ultimate goal.

    Pharming attacks are effective because they fool both victims and their computers. The pharmer tricks the victim’s computer into sending the victim to the pharmer’s website, rather than wherever they meant to go. Here’s how it works:

    When navigating to a website, users will enter a website’s URL, which is then converted by a DNS server into a numerical IP address. Confused? Don’t be. Think of the DNS server like a phone book, where the URL is a website’s name, and the IP address is its phone number. Pharmers can edit the phone book and change the phone numbers that belong to their chosen website.

    Pharming, in computer terms, compromises internet traffic at the DNS level, sending the user to a fake website built by the hacker.

    Scroll down for more info about how pharming works.

    Pharming vs phishing

    So what is the difference between pharming and phishing? These two scams are similar, but not exactly the same. Phishing, as the name implies, uses bait: hackers send official-looking emails or other communications which invite victims to visit spoofed websites and enter their personal information.

    Pharming skips the bait and sends victims to the fake website without their knowledge or consent. Because victims are typing the URLs themselves, rather than clicking links in a sketchy email, they may be less likely to detect the fraud. It’s a subtler breed of scam when compared to more overt phishing techniques.

    How to protect against pharming

    Fortunately, there are proven strategies you can practice to protect yourself against pharming attacks. In addition to these pharming security tips, it’s never a bad idea to brush up on the fundamentals of internet safety in the digital age.

    1. Choose a trustworthy internet service provider (ISP) - Most major ISPs will automatically filter out a pharmer’s bogus redirects, preventing you from ever reaching the pharming website. Newer ISPs may seem tempting with enticing offers and blistering speeds, but be sure to confirm that they’re as dedicated to your security as the more established providers might be.

    2. Check URLs for typos - After navigating to a website, wait for it to load completely, then examine the URL closely. Pharmers often disguise their sites with minor spelling tricks, including swapped letters or letter replacements: “aug.com" instead of “avg.com," for example.

    3. Look for URLs that begin with HTTPS - When you see HTTPS, it means that all traffic between you and the website is encrypted, so it can’t be intercepted by any third parties. Websites with this enhanced level of security will automatically change their URL from HTTP to HTTPS, letting you know that your data is safe. This tip is especially important when engaging in a financial transaction or exchange.

    4. Stay away from dubious websites - Use good judgement when browsing the internet. Stick to websites you know you can trust, and stay away from anything that looks suspicious.

    5. Evaluate websites before taking action - If a trusted website doesn’t look like it usually does, you might be on a pharmer’s version. Click around a bit and make sure all the pages are present and accounted for. Many pharmers won’t bother going through the trouble to include terms of service or privacy policies.

    6. Avoid links and files from unknown sources - Be careful when downloading files and think twice before clicking on any strange links. It’s much harder for pharmers to get you if they can’t install their malware onto your computer.

    7. Steer clear of bottom-barrel e-commerce deals - If an e-shopping discount looks too good to be true, it probably is. Many pharmers will attempt to lure you in with prices that are 10 to 20 percent lower than anything offered by legitimate stores. Take a few minutes to price-check on competing sites before making a purchase.

    8. Trust your antivirus software - Pay attention when your browser or antivirus software warns you against navigating to a certain website. Even if you’ve used this site before, a warning may be an indication that it’s been infected since your last visit. And speaking of antivirus...

    9. Arm yourself with strong antivirus software from a reputable provider - AVG AntiVirus FREE will protect your computer from pharming malware and unwanted redirects, especially when you’ve inadvertently stumbled onto an unsecured website. Attackers love to tweak their pharming strategies, and AVG AntiVirus FREE is constantly updated to ensure protection against new threats.

    How pharming works

    Now that you’re safe, let’s dig into the details: how does pharming work? One common technique requires the installation of malware onto the victim’s computer, which can happen when you visit or download content from fraudulent websites. Once the malware has been installed, it corrupts certain information on the victim’s computer, which in turn sets up the pharming attack.

    Computers maintain a list of previously-visited websites and IP addresses in a locally-stored “hosts” file. Remember how the DNS system is like a phone book, pairing a website with its assigned IP address? The next time a user visits a stored website, the computer doesn’t have to request the IP address from the DNS server — it can simply refer to its hosts file.

    Pharming malware alters the computer’s hosts file, changing the stored IP address so that the computer sends traffic to the pharmer’s spoofed website in place of the real one. With this type of pharming attack, only the targeted PC is affected, but as you'll see, some pharmers may elect to cast a wider net.

    DNS cache poisoning is an older method of pharming based on corrupting the DNS server itself. When a user wishes to visit a URL via their internet browser, the browser contacts the DNS server to request the IP address for the desired domain. Each DNS server has its own set of listings in addition to temporary records, or “caches,” of listings obtained from others.

    When a pharmer performs a DNS cache poisoning attack, they rewrite the rules governing the flow of traffic to a specified domain, redirecting it to the IP address of their spoofed website. This can be done through a technique called DNS hijacking. Since the pharmer’s attack targets a server as opposed to a single computer, a DNS cache poisoning event has the potential to affect multiple users at once. Some pharmers also utilize the DNS hijacking technique to target unprotected routers, such as those providing free public Wi-Fi.

    Safeguard yourself against DNS hijacking attacks with AVG Internet Security. You’ll get all the protection available in AVG AntiVirus FREE, plus many additional premium security features, like Secure DNS.

    How to recognize that you’ve been pharmed

    How can you tell you’ve been pharmed? As mentioned, you might not find out until after your security has been breached. If that happens, you may receive an email (from your email provider or bank) asking you to confirm if a new sign-in was actually you. Your email provider or bank gets suspicious if it detects logins from an unusual location or device. If you receive an email like this, you should immediately confirm that it wasn’t you, and follow your service provider’s next steps to report the fraud.

    You may notice some other strange activities if you’ve been pharmed:

    • Unfamiliar charges on your credit card, debit card, or PayPal.

    • Changed passwords on any of your online accounts.

    • New posts or messages on your social media that you didn’t make.

    • Friend requests on social media that you didn’t send.

    • New programs that spontaneously appear on your device.

    Bonus tip: you can check to see if your email address has been exposed in any security breaches with this service.

    What should you do if you notice any of the above signs?

    • Follow the fraud reporting procedures on your online banking, email, or social media, if applicable.

    • Change all of your passwords, and make sure to use strong, unique passwords for each of your online accounts (if that sounds like a pain, try a password manager).

    • Step up your security on online accounts by adding two-factor identification wherever possible.

    • Clear your browser: delete cookies, get rid of any unfamiliar plugins, and clear your history.

    • Delete programs you didn’t install.

    • Run an antivirus scan and remove any malware it detects.

    Major pharming instances

    Pharming is not a new tool in the hacker’s arsenal, with high-profile examples of pharming reaching back as far as the early 2000s. In 2004, a teenager in Germany successfully performed a DNS transfer for eBay.de, and while eBay maintained that no user data was compromised, the event caused significant chaos for the company and its users.

    A decade later, pharming attacks had evolved considerably. A major pharming attack in 2015 targeted users in Brazil who owned routers made by certain brands. The attackers created emails that appeared to be sent from a trusted telecom company and which contained malicious links inside. Once a user clicked the link, the attackers would attempt to access the user’s router and alter its DNS settings, steering victims to their pharming sites.

    Why is it called pharming?

    Pharming is a portmanteau of the terms “phishing” and “farming”. Phishing attacks lure unsuspecting victims with bait, and pharming attacks herd large numbers of internet users together towards the hacker’s bogus website.

    Think of pharming (or perhaps it should be pherding?) as “phishing without the lure”.

    Stay vigilant and protect yourself

    Pharming is both devious and dangerous, but with the right precautions, you can easily avoid getting scammed. Protect your personal information from pharmers by practicing sensible internet browsing habits:

    • Choose a trustworthy ISP.

    • Check that URLs are spelled correctly once a website loads.

    • Confirm that the URLs of financial and e-commerce websites begin with “https”.

    • Avoid dubious websites, downloads, and links.

    • Use proven antivirus software such as AVG AntiVirus FREE.

    Follow these tips, and you’ll be well on your way towards a pharming-free internet experience.

    Protect your Android against threats with AVG AntiVirus

    Free install

    Protect your iPhone against threats with AVG Mobile Security

    Free install
    Ivan Belcic