Pharming


What is Pharming?

Pharming is a popular attack method that hackers use to obtain sensitive information and then use it against you.

Pharming can be seen as a further development of the “phishing” attack scenario, in which attackers use a variety of social engineering methods, such as phishing emails, to lure their victims into a trap and cause the user to behave negligently.

With pharming, however, everything happens directly in connection with the web browser. An end user who wants to access a website is redirected to a fraudulent website instead.

Attackers sometimes operate huge server farms on which these fraudulent websites are hosted. This is where the term pharming comes from.

How does pharming work?

The user is redirected to a fraudulent copy, hosted by the attacker, of the website they actually want to visit. This is done by manipulating the DNS protocol and its mechanisms. The DNS protocol is responsible for converting a web address (e.g. prosec-networks.com) into its corresponding IP address. In this sense, DNS is the telephone book of the Internet, in which names are listed with their corresponding telephone numbers.

This conversion between a web address and the associated IP address offers the attacker various points at which to manipulate the association.

The two most well-known pharming attack methods are explained below:

Attack on the “hosts” file

Before a client asks a DNS server to resolve a web address to an IP address, it looks at its local “hosts” file. This file is a predecessor of the Domain Name System and statically links host names to IP addresses. The client checks whether the requested address is already listed there.

If this is the case, the client does not make a request to the DNS server, but instead follows the corresponding entry. One option for pharming is therefore to modify the hosts file locally.


This is done, for example, using a Trojan that was introduced into the system via a phishing email or a drive-by download, or through physical access to end devices. With the help of the Trojan, mappings from host names such as “google.de”, “facebook.com” or “paypal.com” to IP addresses controlled by the attacker can then be entered as part of the pharming.

Even when the end user enters the website address correctly, they are redirected to the fraudulent copies of these websites prepared by the attacker. This means that the redirection normally does not arouse suspicion in the end user. This attack option is well suited to targeted attacks against individual people or to situations with direct access to clients.
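The hosts-file manipulation described above can be detected by auditing the file for entries that statically point a name at a non-local address. The following Python sketch is an added example, not part of the original article; the sample file content, the `allowed` list and the function name `audit_hosts` are constructed for illustration.

```python
import ipaddress

# Constructed sample; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
::1          localhost ip6-localhost ip6-loopback
127.0.1.1    workstation7
0.0.0.0      ads.example.net   # blocklist entry
203.0.113.10 paypal.com www.paypal.com
203.0.113.11 Facebook.com.
192.168.1.20 nas.home.example
not-an-ip    google.de
"""

def audit_hosts(text, allowed=frozenset()):
    """Return (line_no, address, hostname, reason) for entries that bypass DNS."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()      # drop comments, then tokenize
        if len(fields) < 2:
            continue                               # blank, comment-only or incomplete
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address.split("%", 1)[0])  # ignore IPv6 zone id
        except ValueError:
            findings += [(line_no, address, n.lower(), "unparsable address") for n in names]
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue                               # local service or sinkhole entry
        for name in names:
            host = name.lower().rstrip(".")        # host names are case-insensitive
            if host not in allowed:                # allowed = names you mapped on purpose
                findings.append((line_no, str(ip), host, "static override of DNS"))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, allowed={"nas.home.example"}):
        print(*finding, sep="\t")
```

To audit a real system, pass the contents of `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts` instead of the sample and list your own intentional entries in `allowed`.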

Attack on the DNS server

Another, more complex option for pharming is to influence a DNS server and thus falsify the resolution of an IP address for a user. This is achieved via so-called DNS cache poisoning. Here, for addresses outside its responsible domain (e.g. prosec-networks.com), a DNS server is given manipulated addresses by the attacker through fake DNS answers, which the affected DNS server then stores in its cache. The fake answer thus supplies an address resolution before the DNS server can obtain the correct assignment from other DNS servers.


For this, the user's device does not have to be infected with malware. The dangerous thing about this procedure is that not only one person is targeted, but all end users who make a request to the influenced DNS server.


How can you protect yourself against pharming?


E-mails

Even though emails are part of everyday life for many people, like oxygen in the lungs, you should always exercise caution when asked to follow links or to download or install something and, if in doubt, check back with your administrator or another person.


Check the pages you visit

The majority of all phishing websites now use HTTPS and valid certificates. To really protect yourself as an end user against pharming and other types of digital attacks, only a healthy dose of mistrust and the “double tape” principle can help. Before you enter any sensitive information, check the digital certificate of the connection, and check whether the same certificate is displayed on a second device (e.g. your smartphone) that is not on the same network (e.g. 3G/4G instead of WLAN).


Protect your router

You should always keep your router up to date and ensure that the login is only accessible from the internal network and is secured by a complex password.


Anti-virus programs

Even if it's not a panacea, it doesn't hurt to have up-to-date antivirus software on your computer. In this way you can at least stop the most obvious malware and protect yourself a little from pharming and other threats.


Administrator rights

To make it more difficult to manipulate the “hosts” file, accounts should have as few rights as possible, as administrative permissions are required to edit this file. This means there is less risk of becoming a victim of pharming due to a short absence from an unlocked computer.
