Beware of Pharming

January 12, 2021

The Internet is an extremely broad field that continues to surprise us with its evolution. It has benefited generations by simplifying routine activities that previously required many separate processes. Despite its wonders, it has downsides: a range of computer engineering techniques are developed daily to take advantage of the vulnerabilities of people, companies, and their employees.

In this article, we explain a modern form of attack that could affect anyone within a company, where everyone is a worthwhile target.

If you inadvertently click on a suspicious internet link or connect to an online account without ensuring the authenticity of the website, you may become a victim of an attack. Although users have become more careful about opening links in emails, attackers are constantly trying new methods, such as pharming.

Considered an evolution of phishing, pharming is a type of attack that consists of redirecting a user's requests to fraudulent websites. To host them, attackers operate huge "server farms," hence the name for this form of fraud. The "ph" spelling of the name is borrowed from hacker jargon.

How does pharming work?

The redirection of the user's request is done by manipulating DNS resolution. The DNS protocol converts the hostname in a URL to a numeric IP address. This conversion process offers criminals two points of attack to divert the assignment.

  1. Attack on the hosts file - When requesting a website, the computer first consults the local hosts file to check whether the corresponding IP address is already known. Attackers use this lookup for their purposes. They install malware on the computer, for example, via virus-infected email attachments or Trojans on websites, and manipulate the stored IP addresses to redirect requests to the desired fraudulent site.
  2. Attack on the DNS server - Another, more elaborate pharming method directly infects the DNS server where the IP address is queried after a user has entered a URL. The attack takes place even if no malware is installed on the computer. Technically, the attack takes place through a so-called DNS flood. Through this, an address resolution is suggested to the server even before it can make the correct assignment.
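
A defensive check for the hosts-file attack in item 1, added here as an example and not part of the original article: it parses a hosts file and flags static entries that would override DNS. The sample file, the watchlist domains and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of a tampered hosts file (documentation-range addresses).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.tracker.example     # local ad blocking
203.0.113.45    www.bank.example bank.example
198.51.100.7    login.payments.example
10.0.0.12       intranet.corp.example
"""

# Hypothetical watchlist: domains that should only ever be resolved via DNS.
WATCHLIST = {"bank.example", "payments.example"}


def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for each valid entry; skip comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or address without a name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: not a usable mapping
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]


def on_watchlist(host, watchlist):
    """True for a watched domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in watchlist)


def audit_hosts(text, watchlist=WATCHLIST):
    """Return (severity, line_no, hostname, ip) for entries that override DNS."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # localhost or sinkhole entries do not redirect to a remote site
        for host in names:
            severity = "HIGH" if on_watchlist(host, watchlist) else "REVIEW"
            findings.append((severity, line_no, host, str(ip)))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(*finding)
```

On a real system the input would be the contents of /etc/hosts or C:\Windows\System32\drivers\etc\hosts, and REVIEW entries are static overrides that an administrator should confirm are intended.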

The difference between phishing and pharming:

In phishing, attackers take advantage of the good faith of email users, using social engineering methods. Users receive emails that, at first glance, provide plausible reasons to share the data, for example, to verify their account or to accept new terms and conditions.

In pharming, the attack is not carried out through email communication but directly in the browser. It is not necessary to plant any type of malware on the victim's computer.

However, the result can be identical in both cases: the user inadvertently sends confidential information to the scammers, who use it for financial gain.

As we can see, pharming has certain similarities with phishing. However, pharming is more sophisticated, since it can cast a wider net and affect more users in a short period of time, targeting the entire company.

Compared to phishing, pharming has a different modus operandi and is more difficult to detect, because it is not just a fake link that we receive. In both cases, the victim would not be able to recognize a false page, at least initially.

What negative effects does pharming bring to companies?

Every business should consider the negative impact of pharming and take its growing threat seriously. A data breach caused by pharming can have serious consequences for businesses, including devastating monetary losses and disruption of their normal operations.

Any work stoppage will result in even more negative financial repercussions and will negatively affect employee morale and efficiency.

Furthermore, there is nothing more valuable to companies than their confidential, internal, and customer data. If these are compromised, your operations and reputation will suffer. As a result, the company will lose current customers and have a harder time attracting new ones.

The National Cybersecurity Alliance disturbingly reported that up to 60% of small and medium-sized businesses that suffer a significant cyberattack will close within six months.

Tips to Protect Against Pharming

People who wish to protect themselves from pharming cannot take specific measures for each method. It is recommended to follow the same security tips that can also protect against many other cyberattacks.

  • Antivirus and antimalware software - Use antivirus and antimalware software that is updated daily to detect current threats in emails and websites that could infect the hosts file.
  • Suspicious email attachments - Do not open email attachments from unknown senders or those you suspect for other reasons (the subject is suspicious or the sender does not usually write emails of this type, etc.).
  • Secure websites - When visiting a bank or online payment provider's page, make sure the URL is marked as secure with HTTPS. A padlock symbol should appear in the address bar. By clicking on it, information about the website's security certificate and its validity will appear. Certificate warnings should be taken seriously: if an alert appears, the website should be closed immediately.
  • Suspicious websites - For unknown websites, check which URLs are behind the links, and avoid visiting dubious websites.
  • Administrator rights - Configure the administrator profile settings to "limited" to make it difficult for attackers to change the hosts file on computers.
  • Common sense - Finally, and in many cases most importantly, use common sense. Malware-based pharming attacks can arrive via email with a malicious file attached, for example.
  • Keep equipment updated - To carry out these attacks, hackers sometimes rely on vulnerabilities in the computers. Therefore, we must always keep the systems and all the tools that we use updated with the latest versions.
  • Check that the site is encrypted - In general, the fake pages used to steal information are not encrypted, which can be a sign of the problem we are facing. Check that the site is encrypted correctly.
  • Protect accounts online - A complex and secure password is essential to protect our accounts and records on the Internet. Passwords must be unique, not used anywhere else, and include letters (upper and lower case), numbers, and other special symbols, all in a random order.

Additionally, create an extra security barrier by activating two-step authentication.

Conclusion:

All people should be aware of these techniques to prevent hackers from accessing business accounts, using the data, or selling it on the black market. Common sense and the support of a cybersecurity company will allow you to face risks, avoiding being cornered by criminals. 

THETA432 is committed to studying these attacks and fighting them for you. We will keep you informed on what is happening and will establish the best plans and strategies to safeguard the security of your information and systems. Do not wait until it is too late! Request an evaluation today and see why we are your best alternative!

Authored by
Jorge Daniel Tejeda