
How to Protect Yourself From a Pharming Attack

Pharming is an insidious type of cyberattack that can drain your bank account without you even realizing it. In this comprehensive guide, we’ll break down exactly how pharming works, dig into some real-world examples, and outline the steps you need to take to avoid becoming a victim.

What Exactly is Pharming?

First things first – what is pharming?

Pharming gets its name from a blend of "phishing" and "farming." Where phishing tricks you into clicking a malicious link, pharming redirects you to a fake website without you clicking anything: the correct address you type is silently resolved to the wrong server.

The scam works by tampering with how your device turns a domain name into an address, then sending you to a counterfeit site that looks identical to the real thing. For example, you'd enter your bank's URL but land on a spoofed copy of the login page instead of the real one. You'd log in as normal, not realizing that the criminal now has your credentials.

According to research by Kaspersky, pharming attacks increased by over 150% in 2024 compared to the previous year. It’s a growing threat.

[Diagram: how a pharming attack works]

Pharming comes in two main flavors:

User-level pharming: Malware modifies the hosts file or the DNS settings on your computer (or your home router) so that a domain resolves to the attacker's address. Even when you type the correct URL, the fake site loads instead of the real one. This is the most common type of pharming attack.

Server-level pharming: Attackers compromise or poison a DNS server (a recursive resolver, or in some hijacks the domain's own nameserver records) so that every lookup through it returns a false result pointing to the fake site. Rarer, but each success affects everyone who relies on that server at once.

According to cloud security company Zscaler, roughly 80% of pharming attacks occur at the user-level, while 20% are server-level.
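The user-level variant described above leaves a concrete artifact: a hosts-file line that pins a bank's hostname to an address the attacker controls. The checker below is an added example, not code from the original article; it parses a hosts file and flags such entries. The sample file, the `203.0.113.45` address and the `WATCHLIST` of bank hostnames are all constructed for the example.

```python
import ipaddress
import os
import platform
from typing import Dict, List, Optional, Set, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample hosts file for this example (not a real capture).
# The last line is the shape user-level pharming malware leaves behind: a bank's
# hostname pinned to an attacker-controlled address, so the browser never asks DNS
# and the address bar still shows the bank's real name. 203.0.113.45 is from the
# documentation range and stands in for the attacker's server.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.20    nas.home            # legitimate LAN shortcut
0.0.0.0         ads.example.net     # ad-blocker style sinkhole
203.0.113.45    www.examplebank.com examplebank.com
"""

# Hostnames that should never appear in a home machine's hosts file.
# Assumed list for the example; a real checker would use the user's own banks.
WATCHLIST: Set[str] = {"www.examplebank.com", "examplebank.com", "login.example-broker.com"}


def hosts_path() -> str:
    """Location of the live hosts file on the current OS."""
    if platform.system() == "Windows":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text: str) -> List[Dict[str, object]]:
    """Return one record per (address, hostname) pair in hosts-file text."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line, ignore it
        for host in fields[1:]:
            records.append({"addr": addr, "host": host.lower()})
    return records


def classify(addr: IPAddress, host: str, watchlist: Set[str]) -> Optional[str]:
    """Severity for one mapping, or None when it is an ordinary entry."""
    if addr.is_loopback or addr.is_unspecified:
        return None                 # localhost aliases and 0.0.0.0 sinkholes
    if host in watchlist:
        # Checked before the private-range test on purpose: Python's is_private
        # also covers the documentation ranges (192.0.2/24, 198.51.100/24,
        # 203.0.113/24), and a bank name pinned anywhere is already a finding.
        return "high"
    if addr.is_private or addr.is_link_local:
        return None                 # LAN shortcuts like nas.home are common
    return "medium"                 # public address pinned for an arbitrary name


def suspicious_entries(text: str, watchlist: Set[str] = WATCHLIST) -> List[Dict[str, str]]:
    """Findings for every hosts entry that actually redirects traffic somewhere."""
    findings = []
    for rec in parse_hosts(text):
        severity = classify(rec["addr"], rec["host"], watchlist)  # type: ignore[arg-type]
        if severity:
            findings.append({"host": str(rec["host"]),
                             "addr": str(rec["addr"]),
                             "severity": severity})
    return findings


def scan_file(path: str = None, watchlist: Set[str] = WATCHLIST) -> List[Dict[str, str]]:
    """Scan the live hosts file (or any path) with the same rules."""
    with open(path or hosts_path(), encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read(), watchlist)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; call scan_file() for the real file.
    for f in suspicious_entries(SAMPLE_HOSTS):
        print(f"[{f['severity'].upper()}] {f['host']} -> {f['addr']}")
```

On the sample the two bank hostnames are reported as high-severity findings while the localhost, sinkhole and LAN entries are ignored. Run `scan_file()` against the live file to check a machine; on Windows and macOS the file is normally writable only by an administrator, so any unexpected entry there is worth treating as a compromise indicator rather than a curiosity.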

Real-World Pharming Scams and Damages

Pharming scams have allowed criminals to successfully steal millions of dollars over the years:

  • Curve Finance crypto heist – In August 2022, threat actors hijacked the DNS records for the Curve Finance domain and pointed users of the decentralized exchange to a nearly identical spoofed copy of its website, which tricked them into approving transactions that drained over $550,000 from their wallets.

  • MyEtherWallet theft – In April 2018, a BGP hijack of address space used by Amazon's Route 53 DNS service let criminals answer DNS queries for MyEtherWallet with the address of a phishing site. Reported losses from the two-hour window were around $150,000, while the attacker's wallet was found to already hold roughly $17 million worth of Ethereum. The fake site used a self-signed certificate, so victims who clicked through the browser's TLS warning fell right into the trap.

  • 50 major banks – In 2007, a sweeping pharming attack targeted the customers of around 50 banks across the United States and Europe. The criminals used malware to modify victims' hosts files and redirect them to convincingly fake banking portals to harvest credentials. Though the exact losses were not disclosed, the scale of the attack suggests the scammers made off with a substantial sum.

  • Other documented cases – While many pharming attacks fly under the radar, security researchers have also analyzed and documented incidents targeting financial institutions like PayPal, HSBC, and NatWest bank.

These examples underscore how pharming can be used to devastating effect to capture banking credentials and siphon funds. Home users aren't the only targets either – enterprise pharming attacks aimed at businesses are on the rise too, according to research from F5 Networks.

Subtle Signs You May Be Getting Pharmed

Spotting a pharming attack can be extremely tough since it happens silently without any obvious notices. Here are a few subtle signs to watch out for:

  • You notice unexplained financial activity in your online accounts, like unknown transactions or changed profile details. This is a clear red flag.

  • Websites seem slower to load than usual. Pharmed traffic is often proxied through the criminal's server on its way to the real site, which adds latency. On its own this is a weak signal, but combined with the others it is worth investigating.

  • Your browser shows security warnings about untrusted connections on sites you know and trust. The server you were redirected to is presenting a certificate that is not valid for that domain, which is exactly what happens when a request for the real name lands on an attacker's machine. Note the converse does not hold: an attacker who controls the domain's DNS records can obtain a valid certificate for it, so a clean padlock is not proof that you are on the real site.

  • A website behaves differently for you than for friends or colleagues on another network. If the same name resolves to different addresses depending on which resolver or machine asks, one side is using a poisoned resolver or a modified hosts file.

If anything seems even slightly off with an online account, it's smart to assume the worst and start taking action to fully secure the account.

12 Ways to Guard Against Pharming Attacks

While pharming attacks are highly advanced and tricky to detect, there are still many precautions you can take to minimize your risk:

  1. Install antivirus software – A reputable antivirus program can detect and block many types of pharming malware. Make sure to keep it updated to protect against new threats.

  2. Enable firewalls – Firewalls add another layer of protection by filtering out unauthorized connections. Don't disable your software or hardware firewalls.

  3. Practice good cyber hygiene – Be cautious of random links and ads, check that the browser shows a valid HTTPS connection for the exact domain you expect before entering information, and avoid entering sensitive data on sites you don't fully trust. The padlock tells you the connection is encrypted to whoever answered; read the domain name next to it.

  4. Change default router/modem passwords – Replace the default admin passwords on your networking equipment with unique and complex passphrases to prevent attackers from changing DNS settings.

  5. Use a VPN on public WiFi – VPNs encrypt traffic and prevent snooping or tampering on public networks. Cybercriminals can more easily pharm victims on open hotspots.

  6. Switch to secure DNS – Filtering resolvers such as OpenDNS and Cloudflare's 1.1.1.2 and 1.1.1.3 services block lookups of known phishing and malware domains (plain 1.1.1.1 resolves everything). Use them over DNS-over-HTTPS or DNS-over-TLS where your OS or browser supports it, so an attacker on the network path cannot tamper with the answers, and configure them on both your devices and your router in place of the ISP defaults.

  7. Periodically clear your DNS cache – Flushing the DNS cache on your computer (for example `ipconfig /flushdns` on Windows or `resolvectl flush-caches` on systemd-based Linux) and rebooting your router wipe out any poisoned answers that were cached. This only undoes cached records; it does not remove a modified hosts file or a changed resolver setting, so check those too.

  8. Closely watch browser warnings – Pay very close attention to any browser security warnings, especially on known legitimate websites, and never click through them. A certificate warning on your bank's domain may mean a redirection is in progress.

  9. Monitor accounts closely – Routinely review bank and financial statements, credit reports, and account activity across all services to spot any unauthorized changes.

  10. Use a password manager – Password managers make it easy to use long, unique passwords on every account. This limits the blast radius if any credentials get pharmed.

  11. Enable multi-factor authentication – Multi-factor authentication keeps an account usable only by you even if pharmers capture your password. Add MFA everywhere it's available, and prefer phishing-resistant methods (FIDO2 security keys or passkeys): a fake login page can relay a one-time code you type into it, but a security key refuses to sign for a domain other than the one it was registered with.

  12. Avoid password reuse – Using the same password across multiple accounts lets attackers turn one pharmed credential into access to many services. A unique password for every service limits this risk.
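Several of the steps above (a trusted resolver, watching for divergent answers, checking before you type) reduce to one test: does the resolver your system is using agree with an independent encrypted one about where a domain lives? The script below is an added example, not code from the original article. It resolves a name through the OS resolver and through Cloudflare's DNS-over-HTTPS JSON endpoint, and classifies the pair of answer sets; the `CONSTRUCTED_ANSWERS` data and the `www.examplebank.com` / `cdn.example.net` names are invented so the comparison logic runs offline.

```python
import json
import socket
import sys
import urllib.parse
import urllib.request
from typing import Dict, Set

# Answer sets for the same names, constructed for this example (not captured).
# "system" stands for whatever resolver the OS or router hands out; "reference"
# is an independent encrypted resolver. A pharmed resolver typically returns an
# address the reference never does, whereas a CDN may legitimately return
# different-but-overlapping sets to different resolvers (GeoDNS).
CONSTRUCTED_ANSWERS: Dict[str, Dict[str, Set[str]]] = {
    "www.examplebank.com": {
        "system": {"203.0.113.45"},
        "reference": {"198.51.100.10", "198.51.100.11"},
    },
    "cdn.example.net": {
        "system": {"192.0.2.7", "192.0.2.8"},
        "reference": {"192.0.2.8", "192.0.2.9"},
    },
}


def resolve_system(name: str) -> Set[str]:
    """IPv4 answers via the OS resolver: hosts file first, then configured DNS."""
    infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def resolve_doh(name: str, endpoint: str = "https://cloudflare-dns.com/dns-query") -> Set[str]:
    """IPv4 answers via DNS-over-HTTPS. The TLS certificate authenticates the
    resolver, so an on-path attacker cannot silently substitute the answer."""
    url = f"{endpoint}?{urllib.parse.urlencode({'name': name, 'type': 'A'})}"
    req = urllib.request.Request(url, headers={"accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        body = json.load(resp)
    # type 1 == A record; CNAME entries in the Answer section are skipped.
    return {rr["data"] for rr in body.get("Answer", []) if rr.get("type") == 1}


def verdict(system: Set[str], reference: Set[str]) -> str:
    """Compare two answer sets for one name.

    'ok'        both resolvers returned exactly the same addresses
    'geo'       the sets overlap but differ, the normal CDN / GeoDNS pattern
    'divergent' nothing in common: the system resolver is sending you elsewhere
    'unknown'   one side returned no A records, so nothing can be concluded
    """
    if not system or not reference:
        return "unknown"
    if system == reference:
        return "ok"
    if system & reference:
        return "geo"
    return "divergent"


def check_all(answers: Dict[str, Dict[str, Set[str]]]) -> Dict[str, str]:
    """Verdict per name for pre-collected answer sets (used for the offline demo)."""
    return {name: verdict(a["system"], a["reference"]) for name, a in answers.items()}


def live_check(names) -> Dict[str, str]:
    """Verdict per name using the real OS resolver and the DoH resolver (needs network)."""
    results = {}
    for name in names:
        try:
            results[name] = verdict(resolve_system(name), resolve_doh(name))
        except (OSError, ValueError) as exc:      # DNS failure, timeout, bad JSON
            results[name] = f"error: {exc}"
    return results


if __name__ == "__main__":
    # Offline demonstration on the constructed data.
    for name, v in check_all(CONSTRUCTED_ANSWERS).items():
        print(f"{name}: {v}")
    # Live comparison of real names, only when explicitly requested:
    #   python3 dnscheck.py --live example.com
    if "--live" in sys.argv:
        targets = [a for a in sys.argv[1:] if a != "--live"] or ["example.com"]
        for name, v in live_check(targets).items():
            print(f"{name}: {v}")
```

On the constructed data the bank name comes back `divergent` and the CDN name `geo`. Treat `divergent` as a prompt to inspect the hosts file and the resolver settings on the device and router, not as proof on its own: split-horizon DNS on a corporate network and stale caches can also produce disagreement, which is why the script distinguishes partial overlap from no overlap at all.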

The Never-Ending Cat and Mouse Game

Pharming exploits a fundamental weakness of DNS: by default, nothing authenticates the answer a resolver gives you. DNSSEC can sign answers and encrypted transports such as DNS-over-HTTPS protect the path to the resolver, but neither is universally deployed, and neither helps once malware has rewritten the hosts file on your own machine. As long as DNS underpins website access, pharming will remain a potent threat.

Staying vigilant about security is your best defense. Treat any online activity that seems the slightest bit strange or broken as a red flag, and take swift action to lock down and monitor your accounts.

No single solution can protect against the problem entirely. By combining layered security tools with good habits, those wary of pharming attacks can stay two steps ahead. We may never eliminate pharming entirely, but with the right precautions, potential victims can avoid becoming the mouse to the hacker's cat.


Written by Alexis Kestler

A female web designer and programmer, now a 36-year IT professional with over 15 years of experience living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.