How Do Pharming Attacks Happen? (How To Protect Yourself)


Ryan Toohil

CTO at Aura


    Are You Unknowingly Being Scammed By Fake Websites?

    In 2019, the Venezuelan government launched a humanitarian campaign website which requested that volunteers provide their full names and ID numbers [*]. But less than a week later, a second website appeared that was a perfect copy of the first. 

    With a sophisticated cyberattack called pharming, hackers then made it so that anyone in Venezuela who tried to visit the legitimate site ended up on the fraudulent duplicate. Any sensitive information that was entered on the second site went directly to a group of hackers. 

    Pharming attacks like this are rare. But when they happen, they can be incredibly dangerous. 

    In probably the most famous pharming example, hackers created 50 lookalike banking websites and used a Microsoft vulnerability to redirect traffic to the hackers — stealing victims’ banking credentials without their knowledge [*].

    In this guide, we’ll explain what pharming is, how a pharming attack works, and what you can do to protect yourself from this threat.

    What Is a Pharming Attack? How Does It Happen?

    A pharming attack is a type of cybercrime that redirects web traffic from a legitimate website to a fake website designed to mimic the original. Any information that you enter on the fake website — like passwords, credit card numbers, etc. — goes straight to the hackers. 

    (The word “pharming” comes from a combination of “phishing” and “farming.”)

    Pharming attacks are dangerous for two reasons: 

    1. Scammers take an extra step to ensure that the URL of their fake website stays the same as the legitimate one. Thus, the scam happens in the background and is undetectable by most people. 
    2. Pharming attacks don’t require you to click on a malicious link (like in other phishing attacks). Instead, these “pharms” exist online, waiting for you to visit them and enter your personal information. 

    To understand how pharming works, you need to first learn a bit about what happens in your browser when you enter a website name. 

    We remember website domain names (like aura.com), but the actual “location” of a website is an Internet Protocol (IP) address stored as numbers separated by periods (like 12.345.678.90).

    When you enter a domain name in the address bar and hit enter, the request is sent to a Domain Name System (DNS) server. This server looks up the domain name (aura.com), finds the corresponding IP address (12.345.678.90), and sends it back to your computer.

    To save time, your router, computer, and internet browser may all store previously requested IP addresses in DNS caches and local host files. Pharming attacks replace the linked addresses with malicious sites so that when you enter a familiar web address, it takes you to the fake site’s IP address instead. 

    How a DNS spoofing pharming attack works. Source: Comparitech

    There are two main types of pharming, both targeting different steps in the DNS resolution process:

    • Malware-based pharming uses malicious code, also known as DNS changers or DNS hijackers, to alter the hosts file or DNS cache on the victim’s computer. Once the malware has infected the system (usually via a Trojan), it modifies entries in the hosts file so that domain names are mapped to pharming websites. 
    • DNS poisoning, or DNS spoofing, is malware that targets the software that controls DNS servers. Here, attackers are able to alter DNS resolution at the source. Because of this, DNS poisoning is a far more sophisticated and broader attack, and much harder to defend against. Rather than affecting a small number of people who accidentally install malware, it affects everyone who tries to load that website.
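
A defender's check for the malware-based pharming described above, as an added example (not code from the original article): it parses hosts-file text and flags entries that pin a watched domain to a routable address. The watchlist, function names, severity labels and sample file are constructed for illustration, and the check covers only the hosts file, not DNS caches or poisoned DNS servers.

```python
import ipaddress
import os
import sys

# Hypothetical watchlist: domains whose logins you care about most.
WATCHLIST = {"facebook.com", "myetherwallet.com", "aura.com"}

# Names that normally appear in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

# Constructed sample (documentation-range IPs), not taken from a real system.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.tracker.example        # ad-blocker sinkhole
203.0.113.45    www.facebook.com facebook.com
198.51.100.7    login.myetherwallet.com    # added by "updater"
192.168.1.20    nas.home.example
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or address with no names
        try:
            ip = ipaddress.ip_address(fields[0].split("%", 1)[0])  # drop IPv6 zone id
        except ValueError:
            continue  # malformed entry, skip it
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")


def watched_domain(name, watchlist):
    """Return the watchlist domain that name equals or is a subdomain of."""
    for domain in watchlist:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def audit_hosts(text, watchlist=WATCHLIST):
    """Classify every non-local override found in hosts-file text."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        sinkhole = ip.is_loopback or ip.is_unspecified
        if watched_domain(name, watchlist):
            # A watched site pinned to any address bypasses DNS entirely.
            severity = "review" if sinkhole else "high"
        else:
            severity = "info" if sinkhole else "review"
        findings.append({"line": line_no, "ip": str(ip),
                         "host": name, "severity": severity})
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--system":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        path = (os.path.join(root, "System32", "drivers", "etc", "hosts")
                if os.name == "nt" else "/etc/hosts")
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f"{f['severity']:>6}  line {f['line']}: {f['host']} -> {f['ip']}")
```

Run with `--system` to audit the machine's own hosts file; a "high" finding means a watched domain resolves locally without ever asking a DNS server.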

    What Happens if You Visit a Pharming Site?

    Visiting a pharming site can have dire consequences. Because pharming is an advanced type of cyberattack, scammers often target high-value websites, such as your online bank accounts.

    Here’s how a typical pharming attack works:

    • You accidentally download malware — for example, from a fake website or phishing attack — that works in the background to change the saved IP addresses on your computer. 
    • When using that infected device, you try to visit a legitimate website, like Facebook.com.
    • Your computer reads the infected IP address and directs you to a fraudulent website that looks exactly like Facebook.com.
    • You enter your username and password on the fraudulent site, and that data is sent to a scammer who can now hack into your account.

    For example, in 2018 hackers redirected the address of crypto site MyEtherWallet.com to a Russian server hosting a lookalike page [*]. 

    Scammers then emptied the accounts of internet users who entered their login information on the fraudulent site — stealing thousands of dollars worth of Ether cryptocurrency before the attack was discovered.


    Pharming vs. Phishing: What’s the Difference?

    While pharming and phishing are related, they aren’t quite the same thing. 

    Phishing attacks are designed to trick victims into handing over personal information (like credit card details or login credentials). Scammers usually do this by sending phishing emails or texts pretending to be from a trusted source, like the victim’s bank.

    These phishing emails contain a hyperlink that directs the victim to a fraudulent website, allowing the criminal to steal any data that the victim inputs. The first quarter of 2022 reported over a million phishing attacks, the most ever observed in a quarter.

    Monthly phishing attacks have nearly doubled in the last year. Source: Anti-Phishing Working Group

    Although pharming evolved from phishing, it is much more sophisticated. 

    Instead of tricking victims into clicking on dangerous hyperlinks, pharming attacks trick your device or a DNS server into sending you to a fake website — while still showing you the legitimate domain name.  

    Here are the main differences between phishing and pharming.

    Deployment
    • Phishing: Malicious messages with dangerous hyperlinks are sent to victims.
    • Pharming: Malware is installed on a victim’s computer or a DNS server.

    Process
    • Phishing: You must click on a link that loads a malicious website.
    • Pharming: You are automatically redirected from legitimate websites to fake ones.

    Warning signs
    • Phishing: Often clear and easy-to-spot warnings such as bad grammar and obviously fake messaging.
    • Pharming: Very few warning signs.

    Targets
    • Phishing: One person at a time.
    • Pharming: Multiple victims.

    Protection
    • Phishing: Knowing how to spot a phishing attack and using data protection methods.
    • Pharming: Using a malware removal tool and avoiding compromised systems.

    10 Ways To Avoid a Pharming Attack

    1. Use anti-phishing software that warns you of scam websites
    2. Look for the warning signs of a fake website
    3. Don’t open links or download attachments from people you don’t know
    4. Use a virtual private network (VPN) to protect your data
    5. Change your home router’s default password and disable “administrator mode”
    6. Protect your devices with antivirus software
    7. Update your passwords
    8. Enable two-factor authentication (2FA) on all of your accounts
    9. Use a password manager to stop you from entering passwords on fake sites
    10. Consider signing up for an all-in-one digital security solution

    Digital security is constantly evolving. But despite the growing threat of scams and malware, there’s a lot you can do to minimize the risk of a cyberattack. 

    Here are 10 steps you can take to protect yourself from pharming:

    1. Use anti-phishing software that warns you of scam websites

    Anti-phishing and safe browsing software uses AI (artificial intelligence) technology to identify phishing sites, emails, and content. If pharming content is identified, the software will warn you and block it. 

    For example, Aura will alert you if you’re entering a potentially dangerous site (such as a pharming or malware-infected website) to prevent your data from being stolen.

    How safe browsing tools can protect you from pharming attacks

    Pharming relies on your entering information on a scam website that looks like a legitimate one. If you avoid entering the site, you avoid having your sensitive information stolen. This is where anti-phishing software comes in.

    However, fake sites can slip past anti-phishing software as they don’t always contain clear warning signs. For this reason, it’s important to use more than one protection method.

    2. Look for the warning signs of a fake website

    While anti-phishing software is useful as a last line of defense, being able to identify a fake website yourself can protect you in case a pharming site slips through the cracks. 

    How to spot suspicious websites
    • Double-check that the domain name is correct. 
    • Look for a padlock symbol and “https://” (rather than “http://”) in the address line — this isn’t foolproof, but it generally signals that the site is secure. 
    • To be sure you’re visiting an authentic website (and the one you want to be on), click on the website’s security certificate and check details such as where it’s registered and who owns it. 
    • Keep your eye out for bad spelling, grammar, and poor design elements. These are signs that you’re on a copycat site. 
    • Use the Whois Lookup domain checker to see how long the site has been active. If it’s brand new or younger than you would assume it should be, these are huge red flags. 

    3. Don’t open links or download attachments from people you don’t know

    Clicking on unknown links and downloading unverified files are surefire ways to infect your PC with viruses and malware. You can’t always protect yourself from DNS poisoning, but you can avoid pharming malware by steering clear of these risks. 

    How to avoid suspicious links and attachments

    Never click on suspicious links in emails and texts, even if they are from trusted senders. Attackers often use link shorteners and other tricks to hide the fact that the URL is suspicious. Instead, manually type the domain name into your browser so that you’re sure it’s safe. 

    Scammers send fake text messages with links that infect your device with malware. Source: Aura

    This also holds true for attachments. Unless you’re expecting an attachment (for example, from a work colleague), you should never download one. Even in the case of a trusted sender, you should always scan the file first with quality antivirus software. 

    4. Use a Virtual Private Network (VPN) to protect your data

    VPNs create an encrypted “tunnel” between your computer and the VPN server, hiding your online activity and IP address. Not only does this protect your privacy, but it also prevents spying attempts and can help protect against pharming attacks. 

    How a VPN can protect you from pharming attacks

    A VPN encrypts your traffic, routing it through its own DNS server when you load a website. This protects you from pharming attacks as long as the VPN’s servers are secure. Some VPNs also offer private DNS servers, which increase security and privacy for your internet traffic. 


    5. Change your home router’s default password and disable “administrator mode”

    Routers and wireless access points often include default administrator passwords that are used across multiple devices. This means that hackers might have access to your router password, making it possible for them to access your network devices.

    How to secure your home router
    • Replace your router’s administrator mode password (or disable administrator mode entirely).
    • Replace your Wi-Fi network password with something that is more secure.
    • Keep your router up to date (updates often include security patches).


    6. Protect your devices with antivirus software

    Antivirus software acts as the immune system of your device. A reputable antivirus solution will protect you from malicious files, scan your device for malware, and act as a final barrier in case you accidentally click on an infected link. 

    What to look for in antivirus software
    • The ability to perform periodic scans of your device to ensure that no malicious programs have infected it.
    • A scan function to check downloaded files and ensure that they are safe.
    • An updated database of known viruses, malware, adware, and spyware so that it can provide protection against the latest threats.

    7. Update your passwords 

    Your passwords are the main line of defense preventing criminals from accessing your accounts. This means that each individual password needs to be strong. 

    Here’s how to protect yourself with stronger passwords
    • Use a complex password. The more complex your password, the harder it is to guess. Use a combination of numbers, letters, and other symbols in random order. 
    • Use a long password. The longer your password, the harder it is for hackers to successfully use brute-force attacks to steal your information. Aim for 12-15 characters in each password. 
    • Avoid using easily discovered personal information. Information like your name or birthday makes your password easier to guess. 
    • Use unique passwords. Using different passwords for every account means that if one is compromised, the rest remain safe. 

    8. Enable two-factor authentication (2FA) on all of your accounts

    Even if you use the strongest passwords, they can still be leaked or phished. Using two-factor (2FA) or multi-factor authentication (MFA) adds another layer of protection when you sign in to your accounts.

    Here’s how 2FA and MFA protect your accounts

    With 2FA enabled, when you sign in using your password, you will be sent a code to your second-factor device (for example, your email address). You will need to submit this code to prove that it’s you trying to sign in. 

    For high-risk accounts, MFA introduces multiple layers of security. For example, you may need to use biometrics (like a fingerprint or voice recognition) in addition to the 2FA code. 


    9. Use a password manager to stop you from entering passwords on fake sites

    If you find it hard to remember all of your passwords, a quality password manager can keep them safe. 

    How a password manager can protect you from pharming attacks

    Included in every Aura plan, Aura’s password manager stores all your passwords so that you don’t have to commit them to memory. On top of this, Aura’s identity theft protection service keeps an eye out for leaked data and will alert you if any of your credentials have been compromised. 

    Password managers can also auto-fill your username and password fields when they recognize a saved website. This can help protect you against pharming attacks because the manager will be much harder to fool than the human eye. If it doesn’t recognize the site, it won’t auto-fill your data. 

    10. Consider signing up for an all-in-one digital security solution

    The consequences of a hack can be serious. To avoid falling victim to a pharming scam, consider signing up for an all-in-one digital security solution like Aura. You can try Aura free for 14 days to see if it’s right for you →

    With Aura, you get:
    • #1-rated identity theft protection. Aura monitors your account logins and sensitive information (credit card numbers, SSN, etc.) for signs of fraud. If we find anything suspicious, you’ll be alerted in near real-time.
    • Proactive device protection. Aura combines powerful antivirus software with a military-grade VPN, safe browsing tools, and more to keep your computer, phone, and home network safe from cybercriminals. 
    • Financial fraud protection. Aura monitors your bank and credit accounts in near-real time and will alert you if anything suspicious is detected. 
    • Instant credit lock. If you’ve fallen victim to a scam, quickly lock your Experian credit file with one click from the desktop or mobile app.


    How To Tell if You’re the Victim of a Pharming Attack

    The quicker you respond to a cyberattack, the more you’ll be able to do to minimize the damages that a hacker can inflict. 

    Here’s what to look out for if you think you’ve been “pharmed”:

    • You are signed out of your online accounts. When you try to log in, you discover your passwords have been changed and someone has taken over your account. 
    • Unexplained charges. There are suspicious charges to your bank account, credit card, or PayPal that you can’t explain. 
    • Suspicious logins. You receive texts or emails informing you of login attempts, 2FA codes, or password resets that you didn’t request. 
    Most online services will warn you if someone has tried to log in to your account. Source: Aura Team
    • Identity theft. Your identity has been stolen, and someone has opened a bank account, issued a new credit card, or taken out a loan in your name. 
    • Cryptocurrency theft. Your cryptocurrency account is suddenly missing a sum of money. 


    Did You Give Up Account Details on a Scam Website? Do This!

    If you see any signs that you’re the victim of a pharming scam or hack, you need to act quickly. Don’t give the hackers an opportunity to steal from you, extort you, or take your identity.

    Here’s what to do: 

    • Force any unrecognized sessions to log out of your online accounts. If you find evidence that someone has taken over your accounts (or is lurking in them), you can force a sign-out on each of the unauthorized devices. Then, recover your account and change your passwords.
    • Update your passwords and use a secure password manager. Start with the accounts that are most at risk. Make sure every account has a strong and unique password, and store these in a password manager. Finally, enable 2FA or MFA on all of your high-risk accounts.
    • Do a full antivirus scan on all of your devices. If you’re the victim of a pharming attack, chances are that you have been infected with malware. Use an anti-malware and antivirus solution to scan, quarantine, and remove infections. Aura offers powerful antivirus software that you can use immediately (even during your 14-day free trial). 
    • Check your credit report and bank statements for signs of fraud. If you see suspicious charges or accounts that you don’t recognize, freeze your credit and contact your financial institution.
    • Reset your router and update your network passwords. To secure your Wi-Fi network, update all of the administrator and Wi-Fi passwords. Then, do a factory reset of your router to remove any malware infections and altered settings. 
    • Report the fraud to the relevant authorities. If you’re the victim of fraud, you need to file a report with the relevant agencies. This will help protect you and others from becoming victims, and is essential if you’re going to dispute fraudulent charges. These authorities include the Federal Trade Commission (FTC), Internet Crime Complaint Center (IC3), and the police. You can also submit a report to your internet service provider (ISP) so that they can block the pharming website. 

    The Bottom Line: Don’t End Up as a Pharming Victim 

    Once “pharmers” have access to your personal information, they can wreak havoc. It’s more important than ever to understand the warning signs of a cyberattack like pharming so that you can act quickly and avoid falling victim.

    For advanced security that will put your mind at ease, consider signing up for an all-in-one cybersecurity solution like Aura. 
