Pharming attacks are sophisticated cyber-attacks that consist of a combination of phishing, malware and DNS poisoning. In a previous blog article, Pharming: how to identify it, impacts & risks, we discussed an early Pharming attack that involved compromising an end user’s internet router. This article focusses on an alternative Pharming method relating to the compromise of the end user’s PC
DNS (Domain Name System) translates domain names into IP addresses. The domain name is an easy way for users to remember a website using the English language, rather than having to remember the numbers of the IP address. The end users PC will use DNS to replace the domain name (words) of the website with the actual IP address (numbers), so that the particular website can be accessed. Compromising DNS based on any method is referred to as “poisoning”.
Conducting a Pharming attack by compromising an end user’s PC involves making changes to the PCs hosts file. The purpose of changing the hosts file is to fool the PC into sending specific website traffic to an illegitimate website. By default the hosts file is empty as the PC uses the DNS to resolve all requests from the browser for the websites entered into the URL address bar. By adding entries into the hosts file for specific domain names ie websites, web traffic can be redirected for those specific domain names entered into the hosts file. For example, the legitimate DNS server will resolve “mybank.com” to the IP address of 184.108.40.206. The changed hosts file will have an entry for “mybank.com” as 220.127.116.11. In this scenario, the browser URL address bar still shows “mybank.com” but all web traffic is redirected to the poisoned IP address of 18.104.22.168.
The poisoned IP address of 22.214.171.124 is configured on a malicious website that hosts phishing content. When the end user attempts to visit “mybank.com” their internet browser (Internet Explorer, Firefox, Chrome etc) will interpret the domain name as per the hosts file and will direct all traffic through the malicious IP address of 126.96.36.199 which in turn will mean all banking credentials entered into the site will be sent through to the hacker in charge of the server.
Pharming attacks are generally restricted by region e.g. just Australia not worldwide. If you are in Australia it is not common for you to visit an overseas banking website. Hackers will not target all regions, because there is a higher risk of detection. IP restrictions mean that if you access a site from Australia, you can access mybank.com, however, if you access the same IP from Brazil or the US, the browser will produce an error 404 as website is unreachable..
Typically the attack starts with Malware distribution via email, intended to infect the end user’s PC. Once the machine is infected, the hosts file is changed and includes additional entries.
How can you detect Pharming?
Web browsers do not warn you that you have been redirected to phishing web page, as indications from the browser show that it is the valid domain.
The most effective method to overcome this issue is to install AntiVirus software.