A pharming attack is a sophisticated mechanism that defrauds users without needing any ‘silly mistake’ on their side. Let’s decode it and see how to safeguard against it.
Imagine logging in to your online banking using the legitimate web address and seeing your life savings vanish shortly after.
That’s one way a pharming attack can look.
The term pharming is a portmanteau of phishing and farming.
Put simply, phishing needs you to click on a suspicious link (the silly mistake), which downloads malware resulting in financial losses. It can also be an email from your ‘CEO’ asking you to make an ‘urgent’ bank transfer to a ‘vendor,’ a special category of scam known as whaling.
In a nutshell, phishing needs your active participation, while pharming attacks (in most cases) don’t.
Let’s see an example…
We are used to domain names (like geekflare.com), while machines understand IP addresses (like 24.237.29.182).
When we type in a web address (domain name), it (the query) goes to the DNS servers (the phone book of the internet), which match it to the associated IP address.
Consequently, a domain name by itself says little about which website you will actually reach.
For instance, if the DNS server has matched a domain name with a non-authentic IP address hosting a spoofed website, that’s all you will see, irrespective of the ‘right’ URL you entered.
Next, the user effortlessly hands over their details (card numbers, ID numbers, login credentials, etc.) to the parody site, thinking it’s legitimate.
This makes pharming attacks dangerous.
They are extremely well-made, work stealthily, and the end user knows nothing until they get ‘amount debited’ messages from their banks. Or, they get their personally identifiable information sold on the dark web.
Let’s check their modus operandi in detail.
How Does a Pharming Attack Work?
These are orchestrated at two levels: against a single user or against an entire DNS server.
#1. User-level Pharming
This is similar to phishing: you click a suspicious link that downloads malware. Subsequently, the hosts file (aka local DNS records) is altered, and the user visits a malicious lookalike of the original website.
The hosts file is a standard text file that stores locally managed DNS records and paves the way for faster connections with less latency.
Typically, webmasters use the hosts file to test websites before modifying the actual DNS records at the domain registrar. However, malware can write fake entries to your computer’s local hosts file. This way, even the correct website address resolves to a fraudulent website.
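A simple defender-side check for the user-level case is to audit the hosts file for entries that should never be resolved locally. The script below is an added example, not code from the original article; the hosts-file content, the watch-listed domain names and the addresses are all constructed for illustration. On a real machine you would point it at /etc/hosts (Linux/macOS) or C:\Windows\System32\drivers\etc\hosts (Windows).

```python
"""Audit a hosts file for entries that could redirect sensitive domains.

Added example (not from the original article). SAMPLE_HOSTS and WATCHLIST
are constructed; replace WATCHLIST with the domains you actually care about.
"""
import ipaddress
import sys
from typing import Dict, List, Tuple

# Constructed sample: a normal loopback entry, a legitimate developer
# override, and entries of the kind a pharming trojan might plant.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
192.168.1.20  staging.example.test          # developer override
203.0.113.45  www.examplebank.test          # suspicious
203.0.113.45  online.examplebank.test login.examplebank.test
"""

# Domains that are never legitimately resolved through the hosts file,
# so any entry naming them is a red flag. Constructed list.
WATCHLIST = {
    "www.examplebank.test",
    "online.examplebank.test",
    "login.examplebank.test",
}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not a usable address
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def audit_hosts(text: str, watchlist=WATCHLIST) -> Dict[str, List[Tuple[str, str]]]:
    """Flag entries that name a watch-listed domain, and separately list
    every other non-loopback override of a dotted (public-looking) name
    so the user can confirm each one is intentional."""
    findings = {"watchlist_hit": [], "public_name_override": []}
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if name in watchlist:
            findings["watchlist_hit"].append((ip, name))
        elif "." in name and not addr.is_loopback:
            findings["public_name_override"].append((ip, name))
    return findings


if __name__ == "__main__":
    # Usage: python audit_hosts.py [path-to-hosts-file]
    # Without a path the constructed sample is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for category, entries in audit_hosts(text).items():
        for ip, name in entries:
            print(f"{category}: {name} -> {ip}")
```

Anything in `watchlist_hit` should be treated as a sign of tampering and removed; entries in `public_name_override` are only suspicious if you did not add them yourself.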
#2. Server-level Pharming
What happens to a single user can also be done to an entire server.
This is termed DNS poisoning, DNS spoofing, or DNS hijacking. Since this occurs at the server level, the victims can number in the hundreds or thousands, if not more.
DNS servers are generally harder to compromise, and targeting them is a risky maneuver. But if done, the rewards are exponentially higher for cybercriminals.
Server-level pharming is done by physically hijacking DNS servers or via man-in-the-middle (MITM) attacks.
The latter is software manipulation of traffic between a user and the DNS server, or between DNS servers and authoritative DNS nameservers.
In addition, a hacker could change the DNS settings of your Wi-Fi router, which is known as local DNS poisoning.
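Because server-level and router-level poisoning leave the hosts file untouched, the only thing a user can inspect is the answer the resolver returns. The check below is an added example, not code from the original article: it compares the A/AAAA records a resolver hands back for a sensitive domain against address ranges recorded earlier (for instance, when the site was last verified over HTTPS with a valid certificate), and flags answers that fall outside those ranges or that point at private or loopback space. All domain names, addresses and ranges are constructed; the live lookup helper uses the standard `socket.getaddrinfo` call.

```python
"""Sanity-check resolver answers for sensitive domains against known-good ranges.

Added example (not from the original article). EXPECTED and ANSWERS are
constructed so the check runs offline; live_answers() shows how real
records would be obtained from the system resolver.
"""
import ipaddress
import socket
from typing import Dict, List

# Address ranges a domain is known to live in, recorded on a trusted
# connection. Constructed values.
EXPECTED = {
    "online.examplebank.test": ["198.51.100.0/24"],
    "www.examplemail.test": ["203.0.113.0/25", "2001:db8:1::/48"],
}

# Constructed answers as a (possibly poisoned) resolver might return them.
ANSWERS = {
    "online.examplebank.test": ["198.51.100.17"],            # consistent
    "www.examplemail.test": ["203.0.113.9", "192.0.2.77"],  # one rogue record
    "intranet.example.test": ["10.0.0.5"],                   # no baseline
}

# Ranges that should never appear in an answer for a public website
# (loopback, link-local, RFC 1918, IPv6 ULA).
NONPUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def classify(domain: str, answers: List[str],
             expected: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Sort a domain's answers into 'ok', 'unexpected' and 'nonpublic'."""
    baseline = [ipaddress.ip_network(n) for n in expected.get(domain, [])]
    result = {"ok": [], "unexpected": [], "nonpublic": []}
    for a in answers:
        addr = ipaddress.ip_address(a)
        if any(addr in n for n in NONPUBLIC):
            result["nonpublic"].append(a)   # public name answered with local space
        elif not baseline or any(addr in n for n in baseline):
            result["ok"].append(a)          # matches baseline, or nothing to compare
        else:
            result["unexpected"].append(a)  # outside every recorded range
    return result


def audit_answers(answers: Dict[str, List[str]],
                  expected: Dict[str, List[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Run classify() over every domain in the answer set."""
    return {domain: classify(domain, addrs, expected) for domain, addrs in answers.items()}


def live_answers(domain: str) -> List[str]:
    """Ask the system resolver for all addresses of a domain (network needed)."""
    infos = socket.getaddrinfo(domain, None)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Offline demonstration on the constructed data; swap ANSWERS for
    # {d: live_answers(d) for d in EXPECTED} to check real resolution.
    for domain, verdict in audit_answers(ANSWERS, EXPECTED).items():
        for category in ("unexpected", "nonpublic"):
            for a in verdict[category]:
                print(f"{domain}: {category} answer {a}")
```

An `unexpected` or `nonpublic` answer for a domain you know to be public is the signal this article describes; the right reaction is to stop, compare against an independent encrypted resolver, and not enter credentials until the discrepancy is explained.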
Documented Pharming Attacks
A user-level pharming attack often remains hidden and is scarcely reported. Even if registered, it hardly ever makes it to the news outlets.
Moreover, the sophistication of server-level attacks also makes them tough to notice unless the cybercriminals wipe out a substantial amount of money, affecting many people.
Let’s check a few to see how they worked in real life.
#1. Curve Finance
Curve Finance is a cryptocurrency exchange platform that suffered a DNS poisoning attack on 9th August 2022.
Behind the scenes, it was a classic DNS cache poisoning attack; iwantmyname (Curve’s DNS provider) shared a status report (referenced in Curve’s tweet) discussing the possible causes.
This attack sent Curve’s users to a fraudulent lookalike, causing losses of over $550k.
#2. MyEtherWallet
24th April 2018 was a black day for some MyEtherWallet users. MyEtherWallet is a free and open-source Ethereum (a cryptocurrency) wallet with robust security protocols.
Despite all the goodness, the experience left a bitter taste in the mouths of its users, with a net $17 million theft.
Technically, BGP hijacking was pulled off against the Amazon Route 53 DNS service (used by MyEtherWallet), which redirected some of its users to a phishing replica. They entered their login details, which gave the criminals access to their cryptocurrency wallets, causing the abrupt financial drain.
However, a glaring mistake on the users’ end was ignoring the browser’s SSL warning.
MyEtherWallet’s official statement regarding the scam.
#3. Major Banks
Back in 2007, users of almost 50 banks were targeted by pharming attacks, resulting in an unknown amount of losses.
This classic DNS compromise sent users to malicious websites even when they entered the official URLs.
However, it all started with the victims visiting a malicious website that downloaded a trojan by exploiting a Windows vulnerability (now patched).
Subsequently, the malware asked the users to turn off their antivirus, firewalls, etc.
Afterward, the users were sent to parody websites of leading financial institutions across the USA, Europe, and the Asia-Pacific. There are more such events, but they operate similarly.
Signs of Pharming
Pharming essentially gives the threat actor full control of your compromised online accounts. It can be your Facebook profile, online banking account, etc.
If you’re a victim, you’ll see unaccounted-for activity. It can be a post, a transaction, or something as small as an odd change to your profile picture.
Ultimately, you should start remediation if there is anything you don’t remember doing.
How to Protect Against Pharming Attacks
Based on the attack type (user or server level) you’re subjected to, there are a few ways to protect yourself.
Since server-level defenses are outside the scope of this article, we’ll focus on what you can do as an end user.
#1. Use a Premium Antivirus
A good antivirus is half the work done. It helps protect you from most rogue links, malicious downloads, and scam websites. Although free antivirus for your PC exists, the paid ones generally perform better.
#2. Set a Strong Router Password
Wi-Fi routers can also act as mini DNS servers. Consequently, their safety is crucial, and it starts with changing the default passwords.
#3. Choose a Reputable ISP
For most of us, internet service providers also act as DNS servers. And based on my experience, the ISP’s DNS gives a small speed boost compared to free public DNS services such as Google Public DNS. However, it’s important to pick the best available ISP not only for the speeds but for the overall security.
#4. Use a Custom DNS Server
Switching to a different DNS server is neither difficult nor uncommon. You can use free public DNS from OpenDNS, Cloudflare, Google, etc. However, the important thing to remember is that the DNS provider can see your web activity. So, be vigilant about whom you’re giving access to your web activity.
#5. Use VPN With Private DNS
Using a VPN adds several security layers, including the provider’s custom DNS. This protects you not only from cybercriminals but also from ISP or government surveillance. Still, you should verify that the VPN has encrypted DNS servers for the best possible protection.
#6. Maintain Good Cyber Hygiene
Clicking on rogue links or too-good-to-be-true adverts is one of the primary ways to get scammed. While good antivirus software does its job of alerting you, no cybersecurity tool guarantees a 100% success rate. Ultimately, the responsibility for safeguarding yourself lies on your shoulders.
For instance, paste any suspicious link into a search engine to see its source. In addition, ensure HTTPS (indicated by a padlock in the URL bar) before trusting any website.
Moreover, periodically flushing your DNS cache will surely help.
Beware!
Pharming attacks are age-old, but how they operate is too subtle to pinpoint. The root cause of such attacks is DNS’s native lack of security, which hasn’t been addressed in totality.
Consequently, this isn’t always up to you. Still, the listed protections will help, especially using a VPN with encrypted DNS like ProtonVPN.