Posted on: October 17th, 2023 by Wolf TG Admin

As users become wiser to traditional phishing scams, some fraudsters are abandoning the idea of “baiting” their victims entirely. Instead, they are resorting to pharming. This form of phishing leverages cache poisoning against the domain name system (DNS), the naming system the Internet uses to convert human-readable website names, such as “www.microsoft.com,” into numerical IP addresses so that requests can be routed to the right computer services and devices.

In a DNS cache poisoning attack, a pharmer targets a DNS server and changes the IP address associated with a website name. The attacker can then redirect users to a malicious website of their choice, even when the victim types the correct site name.
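To make the cache-poisoning risk concrete from the resolver's side, here is an added example (not code from the original post) of the checks a caching resolver applies before it trusts an answer: the reply must be a response, carry the transaction ID of the outstanding query, repeat the same question, and answer for the name that was asked. A reply failing any check is dropped rather than cached. The packets, transaction IDs, names and addresses below are all constructed for the demonstration.

```python
import struct

# Added example, not part of the original post. Everything here is constructed:
# names, addresses and transaction IDs are sample values.

def encode_name(name):
    """Encode a dotted hostname into DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(data, offset):
    """Decode a wire-format name (handles pointer compression); return (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer to a name earlier in the packet
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def build_query(txid, name, qtype=1):
    """Standard recursive query for an A record (qtype 1, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(txid, name, ip, qtype=1, answer_name=None):
    """Response carrying one A record; the answer owner defaults to the queried name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    owner = b"\xc0\x0c" if answer_name is None else encode_name(answer_name)
    rdata = bytes(int(octet) for octet in ip.split("."))
    rr = owner + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + question + rr

def validate_response(query, response):
    """Return (accepted, reason, ip). Accept only answers that match the outstanding query."""
    q_id = struct.unpack("!H", query[:2])[0]
    q_name, off = decode_name(query, 12)
    q_type, q_class = struct.unpack("!HH", query[off:off + 4])

    r_id, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        return False, "QR bit not set: not a response", None
    if r_id != q_id:
        return False, "transaction ID mismatch", None
    if qdcount != 1:
        return False, "unexpected question count", None
    r_name, off = decode_name(response, 12)
    r_type, r_class = struct.unpack("!HH", response[off:off + 4])
    if (r_name.lower(), r_type, r_class) != (q_name.lower(), q_type, q_class):
        return False, "question section does not match the query", None
    if ancount < 1:
        return False, "no answer records", None
    owner, off = decode_name(response, off + 4)
    rr_type, rr_class, _ttl, rdlength = struct.unpack("!HHIH", response[off:off + 10])
    rdata = response[off + 10:off + 10 + rdlength]
    # Simplified in-bailiwick check: the record must be about the name we asked for.
    if owner.lower() != q_name.lower() or rr_type != q_type or rr_class != q_class:
        return False, "answer record is for a different name or type", None
    if rdlength != 4:
        return False, "malformed A record", None
    return True, "ok", ".".join(str(b) for b in rdata)

def demo():
    """Run the validator over one genuine and two mismatched replies (all constructed)."""
    query = build_query(0x1234, "www.example.com")
    genuine = build_response(0x1234, "www.example.com", "203.0.113.10")
    wrong_id = build_response(0x9999, "www.example.com", "198.51.100.66")
    wrong_name = build_response(0x1234, "www.example.com", "198.51.100.66",
                                answer_name="www.example.net")
    return [validate_response(query, r) for r in (genuine, wrong_id, wrong_name)]

if __name__ == "__main__":
    for accepted, reason, ip in demo():
        print("accepted" if accepted else "rejected", reason, ip)
```

Real resolvers add two defenses the sample omits: the transaction ID and the UDP source port are randomized so an unsolicited reply is unlikely to match, and with DNSSEC the records are signature-checked, so a matching but forged answer is still refused.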

Techniques Used in Pharming

Included below are some pharming tactics identified by Panda Security:

  • Malicious email code: In this variant of a pharming attack, malicious actors send out emails containing malicious code that modifies the hosts file on the recipient’s computer. The modified hosts file then redirects all URLs to a website under the attackers’ control so that they can install malware or steal the victim’s information.
  • Targeting the DNS server: Alternatively, malicious actors might skip individual users’ computers and go directly after a DNS server. This could compromise the URL requests of millions of web users.
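The first tactic leaves a trace on the endpoint: a hosts-file entry that pins a public login domain to an address the organization does not control. The following added example (not code from the original post) audits hosts-file text for exactly that. The monitored domain list and the sample file are constructed; the hosts-file paths are the conventional locations on Windows and POSIX systems.

```python
import ipaddress

# Added example, not part of the original post. Domain list and sample file are constructed.

# Public domains your users sign in to. A hosts-file entry for any of these is suspicious,
# because the file should never override public DNS for them.
MONITORED_DOMAINS = ("microsoft.com", "example-bank.test")  # constructed list

# Conventional locations of the hosts file.
HOSTS_PATHS = {"windows": r"C:\Windows\System32\drivers\etc\hosts", "posix": "/etc/hosts"}

def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every mapping in hosts-file text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an address; skip the line
        for host in fields[1:]:
            entries.append((lineno, ip, host.lower().rstrip(".")))
    return entries

def is_monitored(host, monitored=MONITORED_DOMAINS):
    """True if host is one of the monitored domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in monitored)

def audit_hosts(text, monitored=MONITORED_DOMAINS):
    """Report monitored domains mapped to anything other than a local sinkhole address."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if not is_monitored(host, monitored):
            continue
        # Loopback or 0.0.0.0 blocks the name rather than redirecting it: a sinkhole, not pharming.
        if ip.is_loopback or ip.is_unspecified:
            continue
        findings.append({"line": lineno, "host": host, "ip": str(ip),
                         "reason": "monitored domain redirected to a non-local address"})
    return findings

# Constructed sample: everything up to the last line is normal hosts-file content.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.test            # ad sinkhole, benign
10.0.5.20       intranet.corp.internal      # internal host, not monitored
0.0.0.0         telemetry.microsoft.com     # blocked, not redirected: benign
198.51.100.7    www.microsoft.com online.example-bank.test   # redirected to an address the org does not control
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['reason']})")
```

On a managed endpoint, read the file at `HOSTS_PATHS["windows"]` or `HOSTS_PATHS["posix"]` and pass its contents to `audit_hosts`; because a legitimate hosts file rarely changes, comparing its hash against a baseline on each run catches tampering even for domains outside the monitored list.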

Examples of Pharming Attacks

All the way back in 2014, Team Cymru revealed that it had uncovered a pharming attack in December 2013. That operation affected over 300,000 small business and home office routers in Europe and Asia. The campaign used man-in-the-middle (MitM) attacks to overwrite victims’ DNS settings and redirect URL requests to sites under the attackers’ control.

A year later, Proofpoint revealed that it had detected a pharming campaign targeting primarily Brazilian users. The operation used four distinct URLs embedded in phishing emails to prey on owners of UTStarcom and TP-Link routers. Whenever a recipient clicked one of the URLs, they were sent to a website designed to execute cross-site request forgery (CSRF) attacks against vulnerabilities in the targeted routers. Successful exploitation enabled the malicious actors to perform MitM attacks.

How to Defend Against Pharming

To protect against pharming attacks, organizations should encourage employees to enter login credentials only on HTTPS-protected sites, since a site reached through a poisoned lookup cannot present a valid certificate for the genuine domain name and the browser will warn. Companies should also deploy anti-virus software on all corporate devices and update its virus databases on a regular basis. Finally, they should stay on top of security upgrades issued by a trusted Internet Service Provider (ISP).
