Gridinsoft Logo

Pharming Explained

Pharming is a procedure of phishing with the use of precursor malware. It supposes the crooks to redirect the hacked user to spoofed websites in order to steal money, credentials or so.

You may be interested in taking a look at our other antivirus tools:
Trojan Killer, and Online Virus Scanner.

What is Pharming? | Gridinsoft

Pharming - What is it?

November 03, 2022

Are you sure that all sites you visit are genuine? Hackers focus on the ability to compromise the user's accounts, steal money, and do other nasty phishing by showing it a counterfeited site page. But how is that possible?

Pharming is a type of cyberattack that combines the approaches and targets of farming and phishing. Phishing refers to specific outlaw approaches to getting personal information from the user or tricking them into actions they never intended to do. Farming is a fraudulent activity that supposes trafficking the users to the other site, which pays the threat actors for attracting users. This practice is not so dangerous but is considered unwanted, and search engines often punish the sites that use farming to create the illusion of high traffic.

The nature of phishing is likely familiar to most users who have ever been interested in cybersecurity. Phishing is a process of stealing the users’ credentials, important and private information, or forcing it to do what crooks want (pay off the invoice, install the app, etc.) via social engineering. It was constantly present throughout Internet existence and will likely keep going - fool’s gold still attracts many people. Aside from bringing the crooks an instant profit, the output of successful phishing may be a basis for further cyberattacks.

What is pharming?

Pharming is a way of phishing where the victim is thrown to a counterfeit version of a known website, perhaps the one they often use in their daily activities. That is done to lull vigilance, as well-known names are trusted and rarely force the user to do security check-ups. However, contrary to most other phishing schemes, pharming requires additional malware running on the victim’s PC. Most often, that is adware or browser hijacker – they are best for browser and networking control and pretty easy to distribute.

The injection of this malware may happen way before the pharming attempts, and most of the time, you will probably see just typical adware signs - poorly designed banners and obtrusive offers. Crooks who spread and control these viruses can easily contract other crooks in order to advertise their products through adware. At one moment, your web browser will open a scam page that contains not the usual advertisements but a copy of the site you likely know. There, the action begins.

How does pharming work?

As it was mentioned, such a phishing approach as pharming bears upon malware in the target system. Since most pharming campaigns choose adware as assistant malware, these events may have some massive scale. Adware is the best option as it is widespread, pretty easy to hide, and has design access to the system’s networking settings. Let’s check up on how things happen step by step.

First, malware which maintainers have a contract with farmers make the corresponding changes to the systems’ DNS records. In Windows, they’re stored in a HOSTS file. A DNS system is like a global phone book for computers that helps the browser to find a proper IP address of a target server. Only humans interact with user-friendly URLs like example.com, while machines use IPv4 or IPv6 addressing - they look like 123.456.78.90 or 2001:db8:3333:4444:5555:6666:7777:8888. DNS request returns the IP address of the site server that is best for the user. However, users can manually set up the preferred server by specifying its IP in the aforementioned HOSTS file. The problem is that viruses can do the same adjustments - leading to the bad consequences we’ll explain below.

The default contents of HOSTS file. Records of known sites you've never done and asked for are the clear signs of malware activity,

Even before the changes described in the previous paragraph, threat actors should establish the website on the IP address they are going to abuse. As you can guess, this site must repeat the key design features of a known resource, so the target will type down the information without any doubts. It requires some time to copy the design, but such campaigns generally rely on visual matches, so this part is rarely ignored. Hence, before the action starts, the crooks have a clear copy of a targeted site and a victim that will be redirected to this page each time they open a genuine one.

The key feature of this way of pharming is that it is almost impossible to distinguish a copy from the original site. Less complex ways of pharming (we’ll mention them below) usually suppose that there will be a difference in URL addresses, the absence of an HTTPS certificate, and so on. But pharming of that complexity supposes that even your URL bar will display the original URL. Your browser will think that it connects you to a simple site, and you will likely have no visible reason to alarm.

Once you attempt to open your Twitter page, you will see a routine login offer. It will not be predictable, but who knows - social networks sometimes logout you without any notification. The only way to detect the fake at this point is to try to log in with a SAML provider - Google or Apple ID. The counterfeit will not be able to do that properly, and you will likely see these functions not working, or the site may just crash once you try it.

Alternative pharming ways

The pharming approach mentioned above requires more time and resources to prepare, although being likely the most effective way of phishing. But in many cases, crooks may reject the complexity and embrace simple ways that work only with the least attentive users. Those are the links to the spoofed websites posted wherever - on forums, messengers, or other social media. In rare cases, crooks may use the compromised website to redirect you as soon as you open it. They previously bait you to go and check it out in the same manner - by a link and a comment somewhere online.

Fake Facebook page that the different URL address can uncover

The key difference between this method and the one we described previously is that the spoofed website is much easier to distinguish from the original. In this pharming approach, crooks just do not want to spend time and money, so the counterfeit may look pretty gnarly, with overlapping and wrongly positioned elements. The website URL is also not copied since no DNS poisoning is done. Still, such simplified pharming is still effective, as most of such counterfeits belong to this form of fraud.

How dangerous is pharming?

We have described the ways crooks are using to fool you. But what kinds of information does this fraud try to steal? Contrary to many classic phishing campaigns for personal details, pharming usually aims at your login credentials and banking information. The latter is pretty rare as the pages of popular payment systems are quite hard to spoof, but it is still possible.

Some pharming pages mimic the sites that cannot lure out your credentials but instead give sensitive information. Those could be the fake delivery tracking pages, customer surveys, etc. In that way, hackers cannot compromise you, but having such information makes it easier to set up a more realistic phishing trap in the future.

Banking card information and credential losses are still the most dangerous things. There are plenty of offers on the Darknet to purchase a database with leaked card information, which is enough to drain all the accounts to zero. Stealing the credentials is more about spear phishing, when crooks aim at a certain person whose account interests them. However, even a massive spam case is a great way to get a database of compromised accounts ready to be used for spam on social networks.

Pharming examples

Pharming had a much bigger spread in the ‘00s when the sites had much weaker security measures. Moreover, people generally had lower cybersecurity awareness, trusting most of the things they meet online. The most known attack happened in 2007 when hackers spoofed a chain of financial institutions’ sites. That resulted in collecting the login info of thousands of victims and tricking them to download the file that contained a trojan virus inside.

One of the loudest attacks of the past decade happened in 2019 and took place in Venezuela. Nicolas Maduro claimed the creation of a movement called “Voluntarios for Venezuela” and asked all citizens to join it if they wanted to help the country in a joint effort with international organizations. However, the site they offered to register on for participation was likely intended to collect as much personal information about the volunteers as possible. Given that the government in Venezuela is not very happy about the citizens' initiative, the purpose of such a “survey” is pretty obvious.

Protection against pharming

Despite being much more sophisticated than classic phishing, pharming still partially relies on people's inattentiveness. It applies many different approaches to mask the fraud from its victims, but it still cannot make it completely indistinguishable from the original. Moreover, less complicated ways of pharming may be pretty easy to uncover - just pay attention to details. Here are the places you should check out with increased diligence.

  • Website URL. Hackers sometimes manage to counterfeit it, or make it pretty similar. But since clumsy scam is more widespread, it is recommended to check them up. You can probably find things like “tvviter.com” or “facebooksite.weebly.org” — a clear sign that someone is trying to fool you.
  • Connection security. HTTPS certificates are rarely given to fake websites, especially ones created on the website constructors - like wix.com or the aforementioned Weebly. Clicking on the lock pictogram at the left part of the address bar will show you if the connection is secure.
  • Elements. Keep in mind that any company that tries to keep a good image will try to keep their site in good shape. No overlapping elements, everything works as it is supposed to, and the site is not crushing and works smoothly – that is what you usually expect to see. If the site you know has some errors that go against the mentioned criteria, it is a reason to check if it is original.
  • Use anti-malware software with online security features. The most efficient way to protect yourself from pharming without constantly being on alarm is to use a security solution that will do that job for you. For sure, not each anti-malware program will be capable of protecting your browsing experience. The one that definitely can is GridinSoft Anti-Malware – try it out and see the difference.

Frequently Asked Questions

What is pharming vs phishing?
Pharming is a type of phishing - the complicated one. By the effectiveness it is comparable to spear phishing via email, but in some cases may even be more productive. This method tries to build itself in the regular activities of a victim, thus being less suspicious.
Why is it called pharming?
The word “pharming” is simply an amalgamation of the word “phishing” and “farming” – the names of cyber frauds whose combination gave the world the pharming. It may sound close to pharmaceutical thematics, but it actually has nothing to do with the latter.
Why is pharming used?
Pharming is a sophisticated way of phishing that makes it possible to get the most sensitive information without a serious preliminary intelligence. While spear phishing requires a long data collection, and social engineering means hours spent on gaining the trust, pharming allows the crooks to direct the attack after the initial penetration. That means that the victim has no way to escape, unless they will figure out the spoof in the process. Threat actors who perform pharming may personalise each of the DNS poisoning operations, basing on the typical activities, as well as make an attack on scattered groups of users. Such a flexibility is what some of the crooks want to have, and they are ready to ignore all concominant inconveniences.
Can pharming be prevented?

Clumsy pharming is pretty hard to prevent, as you have no way to forbid someone from sending a message with a link to a spoofed website. Even the practices like blocking the incoming messages from unknown senders or filtering the contents may still miss something out. However, it will likely look least trustworthy.

The complex method, that involves DNS poisoning, will be useless if the trick with your DNS is impossible to perform. Fortunately, it is quite easy to counter - by just setting the mentioned HOSTS file to read-only mode. After that manipulation, it will be impossible to do any changes to this file without calling for the UAC warning.