Just imagine: You enter the address of your bank in your browser and use the website as usual. But you haven’t noticed something crucial. Instead of the real website, you have landed on a deceptively real fake. This is exactly what happens in a pharming attack: cyber criminals manipulate the mechanisms of the internet unnoticed in order to redirect users to malicious sites.
The most dangerous part? Pharming goes unnoticed – you don’t realise until it’s too late. But with the right knowledge and the right security measures, you can effectively protect yourself against this threat. A reliable security tool like Avira Free Security not only offers real-time protection against viruses and malware, but also integrated phishing protection for your browser. This ensures your online security and allows you to surf the Internet with peace of mind.
What is pharming?
Pharming is one of the most insidious forms of online fraud. Users are unknowingly redirected to counterfeit websites. Cybercriminals achieve this by manipulating either the DNS entries (Domain Name System) or the local host files of a device to redirect traffic.
The term “pharming” is a combination of the English words “phishing” (referring to fishing) and “farming” (agriculture). This hybrid method allows hackers to target as large an area as possible.
Why is pharming so dangerous?
Unlike more well-known attack methods like phishing, which require active deception, pharming happens in the background through the manipulation of technical systems—users often don’t notice it.
They are redirected to fake websites that look deceptively real, where they enter passwords, banking details, or other personal information.
Even if you type the correct URL into your browser, this offers no protection: it’s not the real website that has been hacked, but the underlying infrastructure that connects your browser to the website has been manipulated.
- Discreet: Pharming attacks happen in the background, without users noticing.
- Effective: Even technically savvy users can fall victim, as the fake websites often look convincingly real.
- Systematic: A manipulated DNS system, responsible for translating web addresses, can redirect many users to fake websites at once.
Pharming vs. phishing: What’s the difference?
Phishing and pharming pursue similar goals, but their methods are fundamentally different:
| Phishing | Pharming |
| Manipulates users into taking action with fake messages or emails. | Manipulates technical systems such as DNS or host files. |
| Objective: To persuade users to enter their data. | Objective: Passively intercept data traffic. |
| Based on social engineering. | Interferes with the system infrastructure. |
Phishing requires active interaction from the user, while pharming works in the background and is difficult to recognize.
How does pharming work?
Pharming attacks rely on manipulating the Domain Name System (DNS) or the host files of a device. The DNS is responsible for translating domain names like “www.avira.com” into the corresponding IP addresses that computers understand. The host file works similarly to DNS but is stored locally on your computer.
When you enter a website address in your browser, the conversion happens automatically through the DNS server. This is where cybercriminals exploit pharming attacks: they alter the translation in their favour, like a corrupt game of “Chinese whispers.”
As a result of this fraudulent interference, you are redirected to a fake website designed to steal your personal information, such as account details or passwords.
What are the different types of pharming?
Pharming comes in various forms. The attacks can be divided into two main categories: DNS-based pharming and host-based pharming.
Attackers typically use one of the following methods to achieve their goals:
DNS-based pharming: DNS cache poisoning
In DNS cache poisoning, attackers manipulate the DNS cache of a server or router to redirect you to a fake website. DNS poisoning is also known as DNS spoofing (not to be confused with IP spoofing).
Here’s how it works in practice: The affected DNS server stores manipulated entries in its cache, so legitimate requests are redirected to fraudulent IP addresses. This means your data is at risk – even if your device is well-maintained and not infected with malware.
What makes this method particularly sneaky is that the attack targets the DNS resolver.
The DNS resolver acts as the intermediary between your device and the DNS system. When you enter a web address in your browser, the request passes through the resolver, which finds the IP address for the domain. The process looks like this:
- Send request: You enter a URL, and your device sends a request to the DNS resolver to retrieve the corresponding IP address.
- Cache query: The resolver first checks if the IP address is already stored in the cache (from previous requests).
- External query: If the address is not in the cache, the resolver forwards the request to other DNS servers until the IP address is found.
- Provide response: The resolver sends the IP address back to your device, allowing the website to load.
What this means is that even if you enter the correct URL, the server delivers a manipulated IP address from the cache. You are then unknowingly redirected to a fake website.
Further examples of DNS-based attacks include:
- DNS Server Compromise: Cybercriminals gain unauthorized access to DNS servers and take full control of them. They then alter the DNS settings so that the domains they choose lead to incorrect IP addresses.
- DNS Hijacking: In this case, attackers manipulate the DNS settings on your router or on devices such as computers, smartphones, or tablets to redirect requests to fraudulent DNS servers. These servers provide fake IP addresses and redirect users to malicious sites.
| Attack type | Attack level | Duration of the manipulation | Result |
| DNS cache poisoning | DNS cache of a server | Temporary (until cache expires)
| Individual users are redirected for legitimate requests.
|
| DNS server compromise
| DNS server itself
| Permanent (until changes are cancelled)
| All users of the server end up on incorrect IPs.
|
| DNS hijacking
| Router or device
| Permanent (until settings are corrected)
| Users in the network are redirected to manipulated DNS servers. |
Malware-based pharming: Host file manipulation
In host file manipulation, attackers exploit a vulnerability in the local host file of your computer, which directly translates domain names into IP addresses. Hackers alter this file to redirect legitimate websites to fraudulent IP addresses.
What is the Host file?
The host file is a local file on your computer that translates domain names directly into IP addresses. It works similarly to a DNS system and is used by your device to locate websites.
How does Host file manipulation work?
Hackers modify the host file to redirect legitimate websites to fraudulent IP addresses. Unlike DNS spoofing, this method targets your device directly. Attackers often use malware to achieve this.
How do attackers spread the malware?
The manipulation is often carried out through malware such as computer viruses, Trojans, or keyloggers. This malicious software frequently enters the device via infected emails or downloads, making unauthorized changes to the host file without detection.
Why is this method so dangerous?
Once manipulated, the changes remain active even if you switch networks. Since the attacks occur locally on your device, they are independent of external servers and especially difficult to detect.
How can you protect yourself?
Regular security checks and the use of antivirus software, such as Avira Free Security, can help identify and prevent such manipulations.
Examples of Pharming Attacks
Pharming is not a theoretical risk but has been used in several large-scale attacks in the past.
- DNSChanger malware (2007–2011): This campaign used manipulated DNS settings to redirect millions of users to fake websites. Once there, users were overwhelmed with countless ads. The goal was to generate advertising revenue and steal data. The perpetrators were only caught years later, having stolen $14 million. Due to the scale of the attack, the malicious servers couldn’t simply be shut down; they had to be painstakingly replaced with FBI servers to ensure infected users weren’t cut off from the internet.
- Brazil attack (2017): In this pharming attack, hackers compromised the DNS servers of a major Brazilian bank, redirecting customers to convincingly fake websites. The attackers gained access to sensitive customer data, leading to financial losses amounting to millions of dollars. The attack affected all 36 domains of the bank, highlighting the massive danger posed by compromised DNS infrastructures.
- Pharming attack in Venezuela (2019): In this case, a fake website was created that closely resembled the official site of the “Voluntarios por Venezuela” movement. This led to a massive theft of personal information.
Signs of a pharming attack
Pharming attacks are difficult to detect as they occur in the background. However, there are some typical warning signs to watch out for:
- Suspicious URLs: Look for spelling mistakes, unexpected subdomains, or special characters in the address bar.
- Unusual Content on a Known Website: Changes in layout, missing logos, or suspicious prompts to enter personal information can be signs of a pharming attack.
- Unsolicited Emails or SMS: Links in these messages could lead you to manipulated websites.
- SSL Certificate Errors: If you suddenly see warnings about invalid certificates on a trusted website, it could be a sign of pharming.
- Unexpected Redirects: If you are redirected to a different page than expected, it could indicate DNS manipulation.
- Network Issues: Fraudulent websites often load slower than genuine ones. Sudden internet problems or slow connections might point to manipulated DNS settings.
- Suspicious Account Activity: Unexplained transactions or other unusual activity could suggest your login details have been compromised.
If you notice such signs, you should immediately disconnect your internet connection and check your DNS settings.
To do this, go to the network settings on your computer or smartphone and check if there are any unusual entries in the DNS servers.
If you’re unsure whether these addresses are correct, you can reset the DNS settings to “Obtain automatically” or enter secure DNS servers such as Google DNS (8.8.8.8) or Cloudflare DNS (1.1.1.1).
How to protect yourself from pharming?
To protect yourself from pharming, targeted measures are necessary. It’s not enough to just be cautious – technical precautions also play a crucial role. Below are steps you can take to secure your devices and adjust your online behavior. This will effectively reduce the risk of falling victim to a pharming attack.
Technical protection measures
- Change the default passwords of your router and regularly update the firmware.
- Enable the firewall on your devices.
Practical tips
- Do not enter sensitive data if the website looks suspicious.
- Check the website’s security by looking for the HTTPS symbol in the address bar.
- Avoid using public Wi-Fi networks for banking or online shopping.
- Regularly review the security settings on your devices.
Conclusion: Stay vigilant and surf securely
Pharming is a silent yet serious threat to your online security. With the right knowledge and appropriate measures, you can effectively protect yourself and your data. Tools like Avira Free Security can help block malware and detect suspicious activities.