A recent study has revealed that 88% of organisations worldwide have suffered a DNS attack in the past year. More alarmingly, each organisation experienced seven attacks on average, at a cost of $942,000 (£836,000) per attack. One of the most common forms of attack on DNS servers is known as pharming.
Let’s explore what a pharming attack is, how it occurs, and, most importantly, how you can prevent it.
What is a Pharming Attack?
A pharming attack is a type of cyberattack in which hackers install malicious code onto your computer or server. Their goal is to automatically redirect you from the legitimate site you were attempting to access to a fraudulent website. Ultimately, they want you to enter sensitive personal data, such as usernames, passwords, and banking details, for financial gain.
Signs that you could be a victim of pharming include:
- An unsecured website: the web address begins with “http” instead of “https”, indicating that it doesn’t have SSL/TLS encryption.
- A website that doesn’t look right: if the website seems a little off, especially if you’re familiar with it, this could be a sign that it’s a fraudulent copy of the site you were attempting to access.
How do Pharming Attacks work?
Pharming revolves around IP addresses and Domain Name System (DNS) servers. Although we type in alphanumeric URLs to access sites, as they’re easier to remember, a DNS server stores website addresses as numerical IP addresses. You can think of DNS as an online directory that translates website names into IP addresses. Your web browser then connects to the site’s server with this IP address.
There are two types of pharming attacks: malware-based pharming and DNS-based pharming.
Malware-based Pharming
This sees a cybercriminal infect your device with malware known as a DNS hijacker, typically through a Trojan Horse or virus delivered via a malicious email link or a software download. The malware then changes your local hosts file, which maps hostnames to IP addresses, to redirect you to fraudulent websites under the attacker’s control.
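A defender can check for this kind of tampering by auditing the hosts file for entries that point well-known names at remote addresses. The Python sketch below is an added example, not code from the original article; the sample file contents, the watchlist domains and the severity labels are constructed assumptions.

```python
import ipaddress

# Constructed sample: a hosts file after a hypothetical DNS-hijacker infection.
# IPs come from documentation ranges; the domains are placeholders.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
0.0.0.0     ads.tracker.example      # ad-blocking null route
192.0.2.10  intranet.corp.example
203.0.113.66 www.bank.example login.bank.example  # constructed malicious entry
2001:db8::66 mail.example
not-an-ip   broken.example
"""

WATCHLIST = {"bank.example", "mail.example"}  # hypothetical high-value domains

def parse_hosts(text):
    """Yield (line_no, ip, hostnames) per entry; malformed addresses give ip=None."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip trailing comments
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0].split("%", 1)[0])  # drop IPv6 zone id
        except ValueError:
            ip = None
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]

def is_watched(host, watchlist):
    """True if host is a watched domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watchlist)

def audit_hosts(text, watchlist=WATCHLIST):
    """Return findings as (severity, line_no, host, ip) tuples."""
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        if ip is None:
            findings.append(("malformed", line_no, " ".join(hosts), None))
            continue
        if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
            continue  # local or null-routed: cannot redirect to a remote site
        for host in hosts:
            sev = "high" if is_watched(host, watchlist) else "review"
            findings.append((sev, line_no, host, str(ip)))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a real machine, pass in the contents of `/etc/hosts` (Linux, macOS) or `C:\Windows\System32\drivers\etc\hosts` (Windows) and compare the findings against a known-good baseline.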
DNS-based Pharming
Also known as DNS spoofing or DNS poisoning, this type of pharming targets the software that controls DNS servers to redirect you to malicious sites. The cyberattacker will corrupt the DNS table, which stores the web addresses and their corresponding IP addresses. The DNS server will then redirect you to a fraudulent site without you realising it.
Worse still, the fake IP address will be stored in your DNS cache: a local copy of your DNS requests, i.e., the sites you connect to, making it quicker to access them. This means you’ll still be redirected to the fraudulent site without even having to communicate with the corrupted DNS server.
What makes DNS-based pharming especially dangerous is that it’s used to target large groups of potential victims, as opposed to malware, which targets individuals. Consequently, the targets of this type of pharming attack are organisations that maintain DNS servers.
How is Pharming different from Phishing?
If you’re familiar with phishing, or spear phishing, you could be thinking that pharming sounds similar, and you’d be correct, as they have some common aspects. What’s more, pharming is often categorised as a form of phishing. That said, there are some key differences between them. Firstly, phishing has an enticement aspect: it requires capturing the victim’s attention with an email headline and convincing them to click on the fraudulent link contained within. In contrast, a pharming attack can occur without the victim’s knowledge or involvement.
Secondly, while phishing involves sending emails to potential victims, pharming involves hacking into DNS servers and so requires more research and work on the part of the cybercriminal. However, the rewards from their efforts can be far greater, as they can reach – and defraud – a larger group of people in one fell swoop.
How to prevent a Pharming Attack
Fortunately, there are several ways to prevent pharming, which include:
1. Avoiding unsecured websites
First and foremost, stay away from unsecured websites that cybercriminals could potentially use to extract your personal data. This involves double-checking website addresses for typos and paying attention when your browser advises that a site is unsecured.
2. Being cautious when clicking links or opening attachments
Exercise extra care when clicking through on links in emails, opening attachments, or downloading software (especially when it’s free). This is particularly important when the email is from an unfamiliar person or company.
3. Selecting a reputable Internet Service Provider (ISP)
A security-conscious ISP will filter out suspicious website redirects for you. This helps to ensure that you’ll never connect to a pharming site.
4. Changing the default settings on your Wi-Fi routers
Changing the default usernames and passwords on your routers helps prevent DNS poisoning. Similarly, enable automatic firmware updates on your routers to keep their security up to date.
5. Installing reliable Antivirus Software
As with many other cyber threats, you can help prevent pharming by employing a robust antivirus solution. Better still, good antivirus software will provide regular updates to keep in step with the evolving methods used by cybercriminals.
6. Enabling Two-Factor Authentication (2FA) on websites
Whenever possible, enable two-factor authentication on web-based services you frequently use – especially if they contain financial information. That way, if a cybercriminal does manage to get hold of your information, your accounts will be difficult to hack.
To further discuss how you can prevent pharming attacks, or if you suspect you’re the victim of pharming, contact us at RiskXchange.