Geekflare is supported by our audience. We may earn affiliate commissions from buying links on this site.
In Privacy Last updated: August 21, 2023
Share on:
Invicti Web Application Security Scanner – the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.

A pharming attack is a sophisticated mechanism that defrauds users (mostly) without needing any ‘silly mistake’ from their side. Let’s decode this and see how to safeguard.

Imagine logging in to your online banking using a legitimate web address and getting the life savings vanished shortly after.

That’s one of the ways pharming attacks look like.

The term pharming is coined from phishing (attack) and farming đźšś.

Put simply; phishing needs you to click on a suspicious link (the silly mistake), which downloads malware resulting in financial losses. Besides, it can be an email from your ‘CEO’ asking to make an ‘urgent’ bank transfer to a ‘vendor,’ a special category scam known as whaling phishing fraud.

In a nutshell, phishing needs your active participation, while pharming attacks (in most cases) don’t.

What is Pharming Attack?

We are used to domain names (like, while machines understand IP addresses (like

When we type in a web address (domain name), it (the query) goes to the DNS servers (the phonebook of the internet), which match it to the associated IP address.

Consequently, domain names have little to do with the actual websites.

For instance, if the DNS server has matched a domain name with a non-authentic IP address hosting a spoofed website–that’s all you will see, irrespective of the ‘right’ URL you entered.

dns poisoning, pharming attack

Next, a user effortlessly hands over the details–card numbers, ID numbers, login credentials, etc.–to the parody, thinking it’s legitimate.

This makes pharming attacks dangerous.

They are extremely well made, work stealthily, and the end user knows nothing until they get ‘amount debited’ messages from their banks. Or, they get their personally identifiable information sold on the dark web.

Let’s check their modus operandi in detail.

How Does Pharming Attack Works?

These are orchestrated on two levels, with the user or an entire DNS server.

#1. User-level Pharming

This is similar to phishing, and you click a suspicious link that downloads malware. Subsequently, the host’s file (aka local DNS records) is altered, and a user visits a malicious lookalike of an original website.

A host file is a standard text file that saves locally managed DNS records and paves the way for faster connections with less latency.

Typically, webmasters use the host file to test websites before modifying the actual DNS records at the domain registrar.

However, malware could write fake entries to your computer’s local host file. This way, even the correct website address resolves to a fraudulent website.

#2. Server-level Pharming

What happened to a single user can also be done to an entire server.

This is termed DNS poisoning or DNS spoofing, or DNS hijacking. Since this occurs at a server level, the victims can be hundreds or thousands, if not more.

The target DNS servers are generally harder to control and are a risky maneuver. But if done, the rewards are exponentially higher for cybercriminals.

Server-level pharming is done by physically hijacking DNS servers or man-in-the-middle (MITM) attacks.

The latter is a software manipulation between a user and the DNS server or between DNS servers and authoritative DNS nameservers.

In addition, a hacker could change the DNS settings of your WiFi router, which is known as local DNS positioning.

Documented Pharming Attacks

A user-level pharming attack often remains hidden and is scarcely reported. Even if registered, this hardly makes it to the news outlets.

Moreover, the sophistication of the server-level attacks also makes them tough to notice unless the cybercriminals wipe out a substantial amount of money, affecting many people.

Let’s check a few to see how it worked in real life.

#1. Curve Finance

Curve Finance is a cryptocurrency exchange platform that suffered a DNS poisoning attack on 9th August 2022.

Behind the scenes, it was a classic DNS cache poisoning attack with iwantmyname (Curve’s DNS provider) shared status report (as in the Curve’s tweet) talking about the possible reasons.

This attack sent Curve’s users to a fraudulent lookalike causing losses of over $550k.

#2. MyEtherWallet

24th April 2018 was a black day for some of the MyEtherWallet users. This is a free and open-source Ethereum (a cryptocurrency) wallet with robust security protocols.

Despite all the goodness, the experience left a bitter taste in the mouths of its users with a net $17 million theft.

Technically, BGP Hijacking was pulled off on Amazon Route 53 DNS service–used by MyEtherWallet–which redirected some of its users to a phishing replica. They entered their login details which gave the criminals access to their cryptocurrency wallets causing the abrupt financial drainage.

However, a glaring mistake on the user’s end was ignoring the browser’s SSL warning.

MyEtherWallet official statement regarding the scam.

#3. Major Banks

Back in 2007, users of almost 50 banks were targeted by pharming attacks resulting in an unknown amount of losses.

This classic DNS compromise sent users to malicious websites even when they entered the official URLs.

However, it all started with the victims visiting a malicious website that downloaded a trojan because of a Windows vulnerability (now patched).

Subsequently, the virus asked the users to turn off the antivirus, firewalls, etc.

Afterward, the users were sent to parody websites of leading financial institutions across the USA, Europe, and the Asia-pacific. There are more such events, but they operate in a similar fashion.

Signs of Pharming

Pharming essentially gives full control of your infected online accounts to the threat actor. It can be your Facebook profile, online banking account, etc.

If you’re a victim, you’ll see unaccounted-for activity. It can be a post, a transaction, or as little as a funny change in your profile picture.

Ultimately, you should start with the remedy if there is anything that you don’t remember doing.

Protection Against Pharming


Based on the attack type (user or server level) you’re subjected to, there are a few ways to protect.

Since the server-level implementation is not the scope of this article, we’ll focus on what you can do as an end-user.

#1. Use a Premium Antivirus

A good antivirus is half the work done. This helps you stay protected from most rogue links, malicious downloads, and scam websites. Although there is a free antivirus for your PC, the paid ones generally perform better.

#2. Set a Strong Router Password

WiFi routers can also double as a mini DNS servers. Consequently, their safety is crucial, and it starts with doing away with the company-shipped passwords.

#3. Choose a Reputable ISP

For most of us, internet service providers also act as DNS servers. And based on my experience, ISP’s DNS gives a small speed boost compared to free public DNS services such as Google Public DNS. However, it’s important to pick the best available ISP for not only the speeds but the overall security.

#4. Use a Custom DNS Server

Switching to a different DNS server is not difficult or uncommon. You can use free public DNS from OpenDNS, Cloudflare, Google, etc. However, the important thing is that the DNS provider can see your web activity. So, you should be vigilant to whom you’re giving access to your web activity.

#5. Use VPN With Private DNS

Using VPN puts many security layers, including their custom DNS. This not only protects you from cybercriminals but also from ISP or government surveillance. Still, you should verify that the VPN should have encrypted DNS servers for the best possible protection.

#6. Maintain Good Cyber Hygiene

Clicking on rogue links or too-good-to-be-true adverts is one of the primary ways to be scammed. While good antivirus does its job of alerting you, no cybersecurity tool guarantees a 100% success rate. Finally, the responsibility lies on your shoulders to safeguard yourself.

For instance, one should paste any suspicious link into search engines to see the source. In addition, we should ensure HTTPS (indicated by a padlock in the URL bar) before trusting any website.

Moreover, periodically flushing your DNS will surely help.


Pharming attacks are age-old, but how it operates is too subtle to pinpoint. The root cause of such attacks is the native DNS insecurities which aren’t addressed in totality.

Consequently, this isn’t always up to you. Still, the listed protections will help, especially using a VPN with encrypted DNS like ProtonVPN.

While pharming is DNS based, do you know scams can be based on Bluetooth too? Jump on to this bluesnarfing 101 to check how it’s done and the way to protect yourself.

  • Hitesh Sant
    Hitesh works as a senior writer at Geekflare and dabbles in cybersecurity, productivity, games, and marketing. Besides, he holds master’s in transportation engineering. His free time is mostly about playing with his son, reading, or lying… read more
Thanks to our Sponsors
More great readings on Privacy
Power Your Business
Some of the tools and services to help your business grow.
  • Invicti uses the Proof-Based Scanning™ to automatically verify the identified vulnerabilities and generate actionable results within just hours.
    Try Invicti
  • Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.
    Try Brightdata
  • is an all-in-one work OS to help you manage projects, tasks, work, sales, CRM, operations, workflows, and more.
    Try Monday
  • Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.
    Try Intruder