
Digging Up the Dirt on Pharming

While phishing scams are still going strong, scammers are moving toward a more high-tech method of online fraud known as pharming.

“Pharming is ‘phishing’ without the lure,” says Scott Chasin, chief technology officer with MX Logic. In this case, the attacks are on the navigational structure of the Internet, targeting the domain name server (DNS) system that translates names such as “” into numeric IP addresses. As a result, someone who types in that Web site address will end up being hijacked to an alternate—fake—site that looks like the real thing.

Pharming can happen in several ways. A complex technique requires hacking into a DNS server to “poison” its cache, meaning to substitute the IP address of a fake look-alike site. So, when a surfer types the URL of, say, his bank, he could be redirected to the fake site transparently.

Simpler pharming attacks are done via “crimeware,” or worms, viruses, and Trojan horses that infect a computer. In some instances, these can modify the Windows hosts file; this file holds the names and IP addresses of frequently visited sites to help speed up Web browsing. Running current antivirus and antispam software, and using firewalls, will help prevent these infections, making it harder to get scammed.

Pharming attacks rely on the fact that while users typically authenticate themselves to a Web site, the reverse is rare. “That’s the big change that has to take place in order to get to end-to-end security for the average Internet consumer,” Chasin says.

Some institutions are moving in the right direction. Bank of America recently rolled out SiteKey, in which customers choose an image and challenge questions when they set up an online account. When the customer enters an online banking ID number, the image is displayed if the bank recognizes the customer’s computer; if it doesn’t, a challenge question is asked.

If a username and password have been stolen, the attacker’s computer won’t be recognized and so a challenge question will be asked. If a customer is not sure whether it’s the real bank site, clicking on the SiteKey button will reveal the image and phrase; otherwise, the site may be a fake.

Chasin says that industry efforts are underway to revamp the infrastructure of the ‘net to help eliminate pharming, though he says these will take years to be widely embraced.

In the meantime, there are some red flags users can look for. For example, surfers who end up at a fake site may see a warning that the site’s certificate can’t be authenticated; they may also notice that the padlock that typically appears at the bottom of secure login pages is missing.

Tools such as the Netcraft Anti-Phishing Toolbar may be effective in preventing some instances of pharming by showing that a site is not hosted where it should be (for example, an American bank’s site hosted in Russia). But sophisticated attackers may be able to defeat these types of measures.