Harvesting Your Details
So what exactly is pharming? In short, it is the criminal act of producing a fake website and redirecting victims to it. The website could be anything from a reasonably popular online shopping store to one of the well-known high street banks. The victim, unaware that the website is fake because the front end apes the real thing, even down to the small print at the bottom of the page, will log in with their details.
After the user has logged in, several options are available to the ‘pharmer’. They can collect the username and login details and simply leave the victim with a blank web page; this is usually the method of an amateur pharmer, or of those who want a quick username and password grab before disappearing into the darkened corners of the internet. Otherwise, they can redirect the victim to the real site, where they need to enter their login details again. The latter is a more convincing method of pharming, as the victim rarely questions why the bank has asked for their login credentials twice; they often put it down to a mistaken entry on their part.
Either way, the pharmer now has a considerable list of valid usernames and passwords for the bank or online shop they faked, which they can then sell via the Dark Web or use themselves. How do the pharmers get away with this? Interestingly, there are several ways in which someone can fake a legitimate website.
DNS cache poisoning is the primary method of creating a fake website with a view to setting up a pharming scam. This involves the criminal attacking the Internet naming system, which is responsible for providing readable names for websites, such as www.ebay.com, rather than a string of numbers in the form of an IP address, such as 188.8.131.52. The Internet naming system relies on DNS servers to provide the conversion between readable website names and IP addresses.
The attacker can mount an attack on the DNS cache, thus changing the way in which traffic moves on the Internet. Effectively, instead of the user’s request going to www.ebay.com, they’re taken to the attacker’s fake website instead. Thankfully, these kinds of attacks generally don’t last long, as DNS caches are monitored frequently by many different engineers and companies.
Fake naming relies on the attacker supporting their pharming attempt with a phishing email. The email can look legitimate and contain relevant general information about the person. There’s often a link at the bottom that, although spelt correctly in the email, is in fact a hyperlink to a pharming website that resembles the real thing but is spelt somewhat differently.
For example, the email could say ‘your overdraft is nearing its limit, please login to www.bank.com to transfer funds…’ The www.bank.com part is correct, but the hyperlink and the resulting website may be taking you to www.bnak.com, a subtle misspelling that is easy to miss when you’re concentrating on the website content.
Hosts File Manipulation
One method that’s more difficult to pull off, though remarkably effective if successful, is to alter the Hosts file on the victim’s computer. The Hosts file is located in C:\Windows\System32\drivers\etc\hosts on Windows computers, /private/etc/hosts on macOS, and /etc/hosts on Linux computers.
Its function is to map hostnames to IP addresses, translating readable website names to IP addresses on a local network. However, it can also be used to bypass the Internet lookup of a legitimate website, redirecting you to a fake one. It’s not often that the Hosts file can be altered, as it’s a system file that requires elevated permissions to edit, but a cleverly written virus can do the trick.
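The check below, an added example rather than anything from the original article, shows what a defender can do with that knowledge: parse a Hosts file, flag any entry that pins a public login site to an address other than loopback, and compute a fingerprint of the meaningful entries so a later run can tell whether the file has drifted from a known-good baseline. The Hosts file contents, the 203.0.113.45 address and the WATCHED_DOMAINS list are all constructed for the example; on a real machine you would read the path given above for your operating system.

```python
import hashlib
import ipaddress

# Constructed sample standing in for the real Hosts file. The last two
# entries are the kind of redirect a pharming virus would plant
# (hypothetical, not taken from a real incident).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    printer.local
# entries planted by malware (constructed for this example)
203.0.113.45    www.bank.com bank.com
203.0.113.45    www.ebay.com
"""

# Public sites the user logs in to; these should never be pinned in the
# Hosts file. Assumed list for the example, extend per environment.
WATCHED_DOMAINS = {"bank.com", "ebay.com"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def _is_watched(hostname):
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """Return (ip, hostname, reason) for every entry that sends a watched
    public hostname anywhere other than the loopback address."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback:
            continue  # 127.0.0.1 / ::1 pins are the normal ad-blocking idiom
        if _is_watched(name):
            findings.append((ip, name, "public hostname pinned to non-loopback address"))
    return findings


def hosts_fingerprint(text):
    """SHA-256 over the meaningful entries only, so comment or whitespace
    edits do not raise a false alarm. Record this after a clean install and
    compare on each run; a change means the file needs a look or a restore."""
    canonical = "\n".join(f"{ip} {name}" for ip, name in sorted(parse_hosts(text)))
    return hashlib.sha256(canonical.encode()).hexdigest()


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("SUSPICIOUS:", *finding)
    print("fingerprint:", hosts_fingerprint(SAMPLE_HOSTS))
```

Loopback pins are deliberately ignored because pointing advertising or tracking hostnames at 127.0.0.1 is a common and legitimate use of the file; the signal is a login site resolving to some other address without ever asking DNS.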
Defend Against Pharming Attacks
So how can we be prepared for pharming attacks and combat them so we don’t become victims?
Step 1 – Always make sure that the website you’re visiting is the real one. Double-check that the name in the browser’s address bar is spelt correctly, that other elements of the site are correctly positioned, and that the site’s logo is the current one.
Step 2 – Never follow a random email’s hyperlinks. Most banks will never send a threatening email anyway, but if you’re tempted to, hover over the link and check that the underlying address matches the bank’s real website name.
Step 3 – Always make sure that you have a good antivirus program installed and that it’s up to date. A decent AV will stop attempts to alter your Hosts file. If possible, make a backup of your Hosts file so that you can occasionally restore it from that backup.
Step 4 – Make sure that the web address you’re using has the HTTPS protocol before the actual address of the site. HTTPS is the secure version of HTTP, providing authentication of the genuine website. In fact, it’s a good idea to always use HTTPS for every site you visit.
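Steps 1 and 2 are exactly what a mail gateway or browser extension can automate for the www.bank.com / www.bnak.com lure described earlier. The following added example (not code from the article) extracts every link from an email body, compares the hostname the user sees against the hostname the link really points to, and then measures how close the real target is to a known legitimate domain, counting an adjacent-letter swap such as bank/bnak as a single edit. The email body, the LEGITIMATE_DOMAINS allow-list and the two-edit threshold are constructed assumptions for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed email body modelled on the overdraft lure in the text; the
# first anchor displays the bank's real name but links to the lookalike.
SAMPLE_EMAIL = """
<p>Your overdraft is nearing its limit, please login to
<a href="http://www.bnak.com/login">www.bank.com</a> to transfer funds.</p>
<p>Statements: <a href="https://www.bank.com/statements">www.bank.com/statements</a></p>
"""

LEGITIMATE_DOMAINS = {"bank.com"}   # assumed allow-list for the example
HOST_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every anchor in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(hostname):
    """Crude last-two-labels reduction: www.bnak.com -> bnak.com. Assumes no
    multi-label suffixes such as co.uk; a real gateway uses a suffix list."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, so 'bank' -> 'bnak' costs 1 rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def host_of_text(text):
    """Hostname shown to the user, or '' when the link text is not a host/URL."""
    text = re.sub(r"^[a-z]+://", "", text.strip().lower())
    host = text.split("/", 1)[0]
    return host if HOST_RE.match(host) else ""


def check_links(html):
    """Return one (href, verdict, detail) per anchor."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = (urlparse(href).hostname or "").lower()
        shown = host_of_text(text)
        if shown and shown != target:
            findings.append((href, "mismatch", f"shows {shown} but goes to {target}"))
            continue
        reg = registrable(target)
        if reg in LEGITIMATE_DOMAINS:
            findings.append((href, "ok", reg))
            continue
        near = [d for d in LEGITIMATE_DOMAINS if osa_distance(reg, d) <= 2]
        if near:
            findings.append((href, "lookalike", f"{reg} resembles {near[0]}"))
        else:
            findings.append((href, "unknown", reg))
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(*finding)
```

A "mismatch" verdict is the machine equivalent of Step 2's hover check, and "lookalike" is the machine equivalent of Step 1's spelling check; both are worth blocking or at least warning on before the user ever reaches the login page.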