How to Stop Hackers from Pharming Your Company

Cybercriminals are very inventive. They will use many techniques to manipulate, infiltrate, cause damage, and steal money. One of these techniques is known as pharming - a word created from mixing farming and phishing. Pharming, like other forms of phishing, relies on tricking employees and other individuals into handing over sensitive data like login credentials. However, pharming attackers go about this in a different way from conventional phishing.
What is Pharming?

Pharming is a type of DNS attack. The DNS, or Domain Name System, is part of the broader Internet. It takes easy-to-remember, human-readable website names, like Microsoft.com, and translates them into machine-readable IP addresses, such as 13.107.6.152.
There are several types of DNS attacks, pharming being one of them. In the case of pharming, the attackers modify the DNS so that when a user enters a legitimate website URL into a browser, they are redirected to a malicious site without their knowledge. The spoof site is made to look exactly like the website the user believes they are navigating to. Once the user lands on the webpage, they will go through the usual process to log in, use credit cards, add personal data, etc.
Of all types of DNS attacks, pharming is the most prevalent. Around 90% of companies experience DNS attacks, and 54% are victims of DNS phishing (Pharming).
Unlike conventional phishing, pharming occurs in the backend of a system. No social engineering is required to steal data. Instead, pharming uses a two-part attack: Firstly, the cybercriminal will use vulnerabilities to install Trojan malware or, alternatively, exploit DNS vulnerabilities. The second part comes when the unsuspecting user is redirected to the malicious website.
Pharming is often highly targeted. Cybercriminals gather intelligence using publicly available resources or via dark web forums and marketplaces. This information is used to create a believable, carefully constructed spoof website. The target will be familiar with it, such as a Microsoft 365 portal or an online banking website.
An example of a major pharming attack occurred in Venezuela against the Humanitarian Aid Campaign. The campaign published a mass call for volunteers, linking to the "official website." Any prospective volunteer was asked for details, including name, address, and cell phone number, even if they had a medical degree. The official website turned out to be a duplicate of the legitimate site, including the same IP address - the attackers had manipulated the DNS to send anyone going to the official site to the spoof website. Notably, the spoof site used SSL certificates to display HTTPS, fooling any suspicious user into believing it was "secure".
How Does Pharming Work?
Cybercriminals use several techniques to initiate a pharming DNS redirect attack; the most common include the following:

DNS Cache Poisoning (Also Known as DNS Spoofing)
The DNS resolver cache is a directory that stores the IP addresses used to direct users to websites. Attackers exploit vulnerabilities in the DNS resolver and "poison" the cache, injecting incorrect data that redirects a user to a spoof website. This is a common exploit, as a resolver that does not validate the responses it receives has no way to tell that a cached entry is wrong.
Rogue DNS
Attackers can either create a rogue DNS server or compromise existing servers, turning them rogue. The rogue DNS maps legitimate websites to a fake IP address. When a user enters the legitimate site address, the DNS takes the user to the spoof website.
Malware and DNS Manipulation
Malware can be specifically designed to modify the DNS to redirect users to malicious websites. This was the case with DNSChanger Malware - a DNS hijacking trojan - which infected over 4 million computers in over 100 countries.
Host File Manipulation
The local hosts file is held on each computer and maps hostnames to IP addresses in plain text. The operating system consults it before querying DNS, so an entry in it overrides whatever the DNS would return. A local hosts file can be modified either by malware or through unauthorized access. The computer user will then be redirected to a malicious website without realizing it.
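As an added example (not from the original article), a small Python audit of the two local attack surfaces just described, rogue resolver settings and hosts-file overrides; the approved-resolver addresses and the sample file contents are constructed placeholders.

```python
"""Audit local name-resolution settings for pharming-style tampering (added example,
not from the article): hosts-file overrides and rogue resolver entries.
Sample inputs are constructed; in practice read /etc/hosts and /etc/resolv.conf."""
import ipaddress

APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}   # assumption: placeholder values

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments and malformed lines are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()     # drop comments, split on tabs/spaces
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not a valid IP address
        for name in fields[1:]:
            yield addr, name.lower()

def suspicious_hosts_entries(text):
    """A dotted hostname mapped anywhere but loopback is a candidate injected override."""
    return [(str(ip), name) for ip, name in parse_hosts(text)
            if "." in name and not (ip.is_loopback or ip.is_unspecified)]

def unapproved_nameservers(text):
    """resolv.conf nameserver entries that are not in the approved set (rogue DNS check)."""
    found = [f[1] for f in (line.split("#", 1)[0].split() for line in text.splitlines())
             if len(f) >= 2 and f[0] == "nameserver"]
    return [ns for ns in found if ns not in APPROVED_RESOLVERS]

# Constructed samples: one injected hosts entry, one rogue resolver.
SAMPLE_HOSTS = """\
127.0.0.1\tlocalhost
::1\t\tlocalhost ip6-localhost ip6-loopback
ff02::1\t\tip6-allnodes
127.0.1.1\tworkstation.corp.example
203.0.113.45\twww.examplebank.com examplebank.com   # injected by malware
"""
SAMPLE_RESOLV = "search corp.example\nnameserver 10.0.0.53\nnameserver 198.51.100.9\n"

def audit(hosts_text=SAMPLE_HOSTS, resolv_text=SAMPLE_RESOLV):
    """Return findings for both checks; empty lists mean nothing suspicious."""
    return {"hosts": suspicious_hosts_entries(hosts_text),
            "resolvers": unapproved_nameservers(resolv_text)}

if __name__ == "__main__":
    print(audit())
```

Running it as a scheduled check and alerting on any non-empty list gives endpoints an early warning of the DNSChanger-style and hosts-file techniques described above.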
What Happens if Your Company is a Pharming Attack Victim?
Pharming attacks carry a heavy price for impacted companies and individuals. The average cost per DNS attack, of which Pharming is a type, is $1.1 million, caused by downtime, brand damage, website compromise, and sensitive data theft. Typical impacts from DNS manipulation include the following:

Login Credential Theft
Cybercriminals prize login credentials, as they can use them to escalate privileges, gain unauthorized access to financial data and other sensitive data, and take over executives' accounts.
Financial Data
Credit card details, company bank information, and other financial data are at risk from DNS attacks. Hackers changed the DNS of all 36 websites associated with a Brazilian bank. Unsuspecting customers were redirected to a spoof site, where banking login credentials and credit card details were stolen.
Follow-On Attacks
Once a cybercriminal has access rights, they can use these rights to begin follow-on attacks. Examples of attacks that can be carried out once login credentials are in the hands of a hacker include ransomware attacks, account takeover attacks (ATO), and Business Email Compromise (BEC). All of these attacks have heavy costs for the victim companies. For example, the average loss for an SMB caught up in a BEC scam is $137,132 per incident, according to FBI data.
Reputation Damage
A DNS spoof of your corporate website damages your reputation and costs you customer trust. If customer data is lost, your company would likely be liable for fines under data protection noncompliance. Fines vary, but as an example, if your company is regulated under HIPAA, it would be liable for fines of up to $2,067,813 per violation.
How to Prevent a Pharming Attack

Secure DNS
SSL/TLS certificates should be used by default to secure web communications. However, this alone is not enough to protect against pharming, because a certificate proves that a site is who it says it is, not that the DNS answer that led you there was genuine. The DNSSEC protocol lets DNS resolvers verify that the responses they receive from the root servers and authoritative nameservers are authentic and unmodified, thereby helping to prevent DNS cache poisoning. It is recommended that you use a trusted, secure commercial DNS service like Cloudflare or Google DNS.
Keep Systems and Software Updated
Cybercriminals often use flaws in software (vulnerabilities) to obtain access to systems and software. Ensure that you patch all firmware and software as updates are published.
Robust Identity Management
Pharming often results in stolen login credentials. To prevent successful pharming attacks from using access to carry out follow-on attacks, robust access management should be used. This should include measures such as enforcement of least privilege access, i.e., only allowing access rights on a need-to-know basis, and using robust authentication like passwordless or biometric controls.
Next-Generation Anti-Virus (NGAV)
Malware is often evasive and difficult to detect using conventional anti-virus software. NGAV tools use AI and machine learning to identify difficult-to-detect malware, helping to prevent DNS modification.
Employee Education
Security awareness training for all employees provides education on safe internet use and ensures that employees are suspicious of attempts to gather data like login credentials. Used with other cybersecurity measures, security awareness adds another layer of protection against the consequences of pharming.
Dark Web Monitoring
Cybercriminals often use data available on the dark web to help identify suitable targets. Dark web monitoring tools like Sentinex allow a company to keep watch on dark web marketplaces and forums. The tools will alert your company if your brand, employee, or executive data is available for cybercriminal use.
FAQs

What's the Difference Between Phishing, Smishing, and Pharming?
Phishing, smishing, and pharming all have one thing in common: they are used to extract data, like login credentials. However, pharming goes about this in a different way from phishing and smishing. Whereas phishing and smishing use social engineering to manipulate behaviour, tricking users into going to a malicious website via a link, pharming modifies a DNS entry to redirect users to a malicious website without their knowledge.
Why is Pharming so Dangerous?
Pharming is an attack that happens behind the scenes. A victim is not aware that they have navigated to a malicious website, as they have typed in the correct web address. Many spoof websites used by attackers look secure as they use HTTPS. However, this is not a guarantee of legitimacy. These elements of pharming make it much harder to spot than conventional phishing.
Why Do Cybercriminals Target the DNS?
The Domain Name System (DNS) maps a human-readable web address to a machine-readable IP address. Cybercriminals exploit this mapping by changing the IP address a web address resolves to, pointing it at a malicious website. The individual is unaware that the website they want to navigate to has been swapped for a malicious one, because attackers make the spoof website look exactly like the site it mimics.
What to Do If You Notice You Have Been Pharmed?
If you believe you have been pharmed, you should immediately run a full scan of your computer using a next-generation anti-virus tool. This may identify and remove any malware used to modify your DNS settings. However, this is not the only step to take. You must also perform the following:
- Clear your browser's cache and cookies.
- Change your login credentials for accounts that may have been exposed when using the spoof website.
- Report the attack to the website owner and the relevant authorities. In the USA, this is the FBI's Internet Crime Complaint Center (IC3).