What Is Pharming and How to Protect Yourself From It?
You could argue that there are a few significant similarities between pharming and phishing. In fact, many could confuse the two terms quite easily, which isn't really a surprise given that the ultimate goal is the same – tricking unsuspecting users into visiting a malicious website and giving away their data. There is one major difference in the way the two attacks work, however, and if people want to protect themselves, they need to understand it.
How does a phishing attack work?
Most of you should be familiar with what phishing is by now, but we'll recap just in case. Let's imagine that hackers are trying to organize a phishing campaign aimed at Facebook users. They first create a malicious page that looks identical to what people see on Facebook.com, and they upload it to a server they've previously compromised.
Then, they send out some emails that use social engineering in order to convince unsuspecting users to visit the fake Facebook page. More often than not, they use scare tactics to lead people into thinking that their account security has been put at risk and that if they don't act quickly, they might lose the ability to use the world's most popular social network. Victims follow the link in the email and end up on the malicious page created by the hackers. Thinking that they're logging into their Facebook profile, they enter their credentials in the username and password fields, and they unwittingly send them to the crooks.
Phishing attacks aren't especially sophisticated, but they are effective, and that's because users simply don't pay attention to their browsers' address bars. If you are targeted by a Facebook phishing attack and you are fooled into clicking on the link in the email, all you need to do is glance at the URL in order to find out that it's not trustworthy. If you're a victim of a pharming attack, however, this won't be enough.
The difference between phishing and pharming
Let's stick with our Facebook example and see what happens if hackers decide to launch a pharming attack on the social network's users. Once again, they first need to create a carbon copy of Facebook's homepage, and they also need to host it somewhere. As we mentioned already, the idea is the same: unsuspecting victims who end up on the fake website give their credentials to the crooks because they think that they're seeing the real Facebook homepage. This time around, however, there's nothing to tell them that they aren't.
The main difference between the two types of credential theft is that in a pharming attack, users see "facebook.com" in the address bar despite the fact that they've been redirected to a page that only mimics the social network and is designed to steal their login data.
This makes the scheme much more believable. So much so that some of you may be wondering how such a thing is even possible.
How do pharming attacks trick people out of their passwords?
Some of you might think that in the hypothetical scenario outlined above, the hackers have compromised Facebook itself and are hosting their bogus login form on Mark Zuckerberg's servers. This is not really the case. Hacking large online service providers like Facebook is extremely hard. Instead of accepting the risks associated with such an attack, the crooks fool the victims' browsers into connecting to the wrong address when the correct URL is entered. There are two ways of doing this.
They can attack individual users by compromising their hosts file – a plaintext file that is available on all major operating systems, is consulted before any DNS lookup is made, and is responsible for mapping hostnames to IP addresses. By adding just one line of text to a computer's hosts file, the crooks can ensure that when "facebook.com" is entered into the address bar, the victim is led to a completely different location. This modification is usually made by malware, and victims are given no visual indication of any of the changes, which makes this mechanism perfect for highly targeted pharming attacks.
As the name suggests, however, pharming attacks usually aren't highly targeted. In most cases, crooks want to hit a large number of people at once, and for that purpose, modifying individual hosts files is simply not a very effective approach. The hackers do have another one, though.
DNS spoofing sits at the heart of many pharming attacks, and when you learn how it works, you'll see why this type of credential theft could be much more convincing than regular phishing.
DNS stands for Domain Name System. It's as old as the World Wide Web as we know it, and it ensures that the domain you enter into the address bar of your browser leads you to the right content. DNS operates through a vast network of servers spread all around the world, and each server is responsible for answering the name lookups of a large number of users. You can probably guess what could happen if even a single one gets compromised.
By hijacking DNS servers, hackers can ensure that many users are redirected to a fake webpage when they are visiting a completely legitimate URL. In a pharming attack, the victims don't necessarily need to click any shady links, which is why the attack is sometimes referred to as "phishing without a lure." Worst of all, there's not really that much you can do to protect yourself from it.
How to stay safe?
Most security products that offer real-time protection will alert you if a malicious program is interfering with your hosts file, but suffice it to say, your best bet is not to allow such a program onto your computer in the first place. Security best practices apply here as much as everywhere else. Don't click random links emailed to you, keep your software up to date, and use reputable service providers only.
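To show what the hosts-file check those security products perform looks like, here is an added example (not from the original article) that parses hosts-file text and flags entries pinning a real-looking name to a non-local address. The sample file contents, the watchlist and the 203.0.113.10 address are constructed for the demo.

```python
import ipaddress
import sys

# Constructed sample hosts file for the demo. The last line is the kind of
# one-line change the article describes; 203.0.113.10 is a documentation-range
# address used here as a placeholder, not a real server.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost ip6-localhost
# One line added by malware (constructed example)
203.0.113.10   facebook.com www.facebook.com
"""

# Hypothetical watchlist of domains whose resolution should never be pinned
# by a local file; adjust it to the services that matter to you.
WATCHLIST = {"facebook.com", "www.facebook.com"}

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing and full-line comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed line, nothing to map
        for name in parts[1:]:
            yield addr, name.lower()

def suspicious_entries(text, watchlist=WATCHLIST):
    """Return (hostname, ip, reason) for entries that pin a name to a non-local address."""
    findings = []
    for addr, name in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue                           # 127.0.0.1, ::1 and 0.0.0.0 lines are normal
        if name in watchlist:
            findings.append((name, str(addr), "watchlisted domain pinned in hosts file"))
        elif "." in name:
            findings.append((name, str(addr), "non-loopback mapping, review manually"))
    return findings

if __name__ == "__main__":                     # check the real file on this machine
    path = r"C:\Windows\System32\drivers\etc\hosts" if sys.platform.startswith("win") else "/etc/hosts"
    print(suspicious_entries(open(path, encoding="utf-8", errors="replace").read()))
```

A clean machine normally yields an empty list; any watchlist hit is worth treating as an active pharming attempt rather than a misconfiguration.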
Unfortunately, when it comes to DNS spoofing, things are largely out of your control. Other people are in charge of protecting DNS servers, and the simple fact of the matter is that their job isn't always done well enough. You, as an end user, can do little more than keep your eyes peeled and watch out for anything suspicious. Pay close attention to even minute details, and if anything looks off, refrain from entering your login credentials or other sensitive data.