Pharming is a scam method spread through the Internet. It is based on manipulating the DNS queries of web browsers (for example, through DNS spoofing) in order to redirect the user to fake websites. It is an evolution of classic phishing.
Pharming has established itself as an umbrella term for various types of DNS attacks. One such method is to manipulate the hosts file locally. With the help of a Trojan horse or a virus, the system is deliberately manipulated so that it displays fake websites even though the address has been entered correctly. For example, users can be directed to deceptively realistic copies of a bank's pages.
Technical Background
To resolve an alphanumeric URL (Internet address) to an IP address, the operating system usually contacts a DNS server. However, each operating system also has an internal list for this, e.g. the “hosts” file. Before contacting a DNS server, the operating system first looks at the hosts file to see if the name (or Internet address) is already listed. If so, there is no need to contact the DNS server.
In pharming, the request for a website of a bank or similar institution is redirected to another server. This is done through corrupted DNS servers, through DNS flooding (an address resolution is pushed to a computer “on suspicion” even before it has queried the real DNS server) or, most simply, through addresses that malware has manipulated in the operating system’s local hosts file.
Thus, despite entering the correct URL, the user ends up on the wrong page without realizing it. Like phishing, this method reaches only a limited number of recipients, even though the Trojan is usually sent out in mass mailings.
The aim of these actions is usually to steal credit card details or similar security-related or confidential information (e.g. from online consultations).
Especially in the case of targeted attacks on individuals, this form is also used by illegally operating credit agencies. They create complex profiles about the respective target person. Clients use the information obtained for risk assessments for insurance, staffing, lending, etc.

Illustration by: thesecuritybuddy.com/phishing/what-is-pharming-and-how-to-prevent-it/
Ways to Discover Pharming
Since pharming attacks usually take place on DNS caches or individual hosts close to the client, it helps to query DNS servers from different networks. If the answers match, it is very likely that there is no pharming attack.
Furthermore, by querying the IP address in a WHOIS database, the location as well as a description of the provider and the blacklisting status can be determined.
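The following is an added example, not part of the original article: a hosts-file audit that flags entries pinning watched domains and compares each pinned address with the answers obtained from DNS servers on other networks. The names parse_hosts, audit, SAMPLE_HOSTS and DNS_ANSWERS, the watched domain and all addresses are constructed for illustration; the DNS answers are assumed to have been collected separately.

```python
import ipaddress

def parse_hosts(text):
    """Return {hostname: [ip, ...]} from hosts-file text, names lowercased."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0].split("%")[0]))
        except ValueError:
            continue  # first column is not an IP address: skip the line
        for name in fields[1:]:  # one line may carry several names
            entries.setdefault(name.lower().rstrip("."), []).append(ip)
    return entries

def audit(hosts_text, watched, dns_answers):
    """List (name, ip, verdict) for watched domains pinned in the hosts file.

    dns_answers maps a name to the set of addresses that resolvers on other
    networks returned for it (collected separately; an assumption here).
    """
    findings = []
    for name, ips in parse_hosts(hosts_text).items():
        if not any(name == d or name.endswith("." + d) for d in watched):
            continue
        known = dns_answers.get(name, set())
        for ip in ips:
            verdict = "matches DNS" if ip in known else "differs from DNS"
            findings.append((name, ip, verdict))
    return findings

# Constructed sample data: documentation address ranges and .example names.
SAMPLE_HOSTS = """\
127.0.0.1     localhost
::1           localhost
# constructed entry of the kind hosts-file malware adds
203.0.113.66  www.bank.example Login.Bank.example  # trailing comment
192.0.2.10    intranet.corp.example
"""
DNS_ANSWERS = {"www.bank.example": {"198.51.100.7"},
               "login.bank.example": {"198.51.100.7"}}

if __name__ == "__main__":
    for finding in audit(SAMPLE_HOSTS, ["bank.example"], DNS_ANSWERS):
        print(*finding)
```

Any hosts-file entry for a banking or payment domain deserves a closer look on an end-user machine, and one that differs from what independent resolvers return is the redirection described in the technical background.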
If purchases or banking are carried out via the web, the site must be “secure”, i.e. the address must start with https://. When data is transmitted via https, the server must authenticate itself by presenting a certificate. The certificate must not be signed by the server itself (recognizable by a browser warning). Certificates signed by a trusted third party (Certification Authority) are usually accepted automatically by the browser. Many users are susceptible to this because they ignore such warnings or do not take them seriously.
An https:// at the beginning of the URL does not guarantee a secure connection unless the certificate is genuine.