Pharming is a cyberattack intended to redirect a website's traffic to another, fake site by installing a malicious program on the computer. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software. DNS servers are computers responsible for resolving Internet names into their real IP addresses. Compromised DNS servers are sometimes referred to as "poisoned". Pharming requires unprotected access to target a computer, such as altering a customer's home computer, rather than a corporate business server.
The term "pharming" is a neologism based on the words "farming" and "phishing". Phishing is a type of social-engineering attack to obtain access credentials, such as user names and passwords. In recent years, both pharming and phishing have been used to gain information for online identity theft. Pharming has become of major concern to businesses hosting ecommerce and online banking websites. Sophisticated measures known as anti-pharming are required to protect against this serious threat. Antivirus software and spyware removal software cannot protect against pharming.
Pharming vulnerability at home and work
While malicious domain-name resolution can result from a compromise of any of the large number of trusted nodes that participate in a name lookup, the most vulnerable points of compromise are near the leaves of the Internet. For instance, incorrect entries in a desktop computer's hosts file, which circumvents name lookup with its own local name-to-IP-address mapping, are a popular target for malware. Once rewritten, a legitimate request for a sensitive website can direct the user to a fraudulent copy. Personal computers such as desktops and laptops are often better targets for pharming because they receive poorer administration than most Internet servers.
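The hosts-file rewrite described above leaves a simple trace: a name that should be resolved through DNS is pinned to a fixed address in a local file. The following audit script is an added example, not part of the article; the sample hosts file, the watchlist of sensitive domains and the documentation-range addresses (203.0.113.x, 198.51.100.x) are constructed for illustration. It flags any watchlisted name that appears at all, and any other name mapped to an address outside loopback, RFC 1918 and link-local space, while leaving ad-blocking style 0.0.0.0 entries alone.

```python
"""Audit a hosts file for entries that could redirect traffic (added example).

The watchlist and SAMPLE_HOSTS below are constructed, not taken from the article.
"""
import ipaddress

# Constructed sample of a hosts file with two lines a pharming trojan might append.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    printer.lan

# Suspicious additions (constructed for this example)
203.0.113.45    www.examplebank.test examplebank.test
0.0.0.0         ads.example.test
"""

# Hypothetical watchlist: names that must never be pinned in a hosts file.
WATCHLIST = {"examplebank.test", "www.examplebank.test", "shop.example.test"}

# Address ranges that are legitimate in a hosts file (loopback, private, link-local,
# and the unspecified address used by ad blockers). Listed explicitly rather than via
# ipaddress.is_private, which also treats documentation ranges as private.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/32", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::/128", "::1/128", "fe80::/10", "fc00::/7")]


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_local_address(ip):
    """True when ip lies in one of LOCAL_NETWORKS; raises ValueError on junk."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def audit_hosts(text, watchlist=WATCHLIST):
    """Return (ip, name, reason) findings for entries worth a human's attention."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            local = is_local_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if name in watchlist:
            findings.append((ip, name, "watchlisted domain pinned in hosts file"))
        elif not local:
            findings.append((ip, name, "maps to a non-local address"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("%-16s %-28s %s" % finding)
```

On a real machine the text would come from /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts, and the watchlist from whatever names the organisation considers sensitive; a monitoring agent would also compare the file's hash against a baseline so that a silent rewrite raises an alert even for names not on the list.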
More worrisome than host-file attacks is the compromise of a local network router. Since most routers specify a trusted DNS to clients as they join the network, misinformation here will spoil lookups for the entire LAN. Unlike host-file rewrites, local-router compromise is difficult to detect. Routers can pass bad DNS information in two ways: misconfiguration of existing settings or wholesale rewrite of embedded software (aka firmware). Many routers allow the administrator to specify a particular, trusted DNS in place of the one suggested by an upstream node (e.g., the ISP). An attacker could specify a DNS server under his control instead of a legitimate one. All subsequent resolutions would go through the bad server.
Alternatively, many routers have the ability to replace their firmware (i.e. the internal software that executes the device's more complex services). Like malware on desktop systems, a firmware replacement can be very difficult to detect. A stealthy implementation will appear to behave the same as the manufacturer's firmware; the administration page will look the same, settings will appear correct, etc. This approach, if well executed, could make it difficult for network administrators to discover the reconfiguration, since the device appears to be configured as the administrators intend but actually redirects DNS traffic in the background. Pharming is only one of many attacks that malicious firmware can mount; others include eavesdropping, active man-in-the-middle attacks, and traffic logging. Like misconfiguration, the entire LAN is subject to these actions.
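Because a tampered router can show a clean administration page, the practical check is external: compare what the router hands out and returns with an independent vantage point. The script below is an added example, not from the article. It assumes two constructed inputs: the resolver addresses the router advertises over DHCP, checked against a hypothetical allowlist, and the answers for a few names obtained from the LAN resolver versus from an independent resolver reached over a path the router cannot rewrite (for instance DNS over HTTPS to a pinned endpoint). Names served by CDNs legitimately differ between vantage points, so an answer set is only called divergent when it shares no address at all with the trusted one.

```python
"""Cross-check a LAN resolver against an independent one (added example).

All addresses and answer sets below are constructed from documentation ranges;
none come from the article.
"""

# Resolvers the router is expected to advertise (hypothetical allowlist).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Resolvers the router currently hands to clients via DHCP (constructed).
ADVERTISED_RESOLVERS = {"192.0.2.53", "198.51.100.9"}

# Answers for the same names from the LAN resolver and from an independent
# resolver reached over a path the router cannot tamper with (constructed).
LAN_ANSWERS = {
    "bank.example.test": {"198.51.100.20"},
    "cdn.example.test": {"203.0.113.10", "203.0.113.11"},
    "mail.example.test": {"203.0.113.30"},
}
TRUSTED_ANSWERS = {
    "bank.example.test": {"203.0.113.5", "203.0.113.6"},
    "cdn.example.test": {"203.0.113.11", "203.0.113.12"},
    "mail.example.test": {"203.0.113.30"},
}


def unexpected_resolvers(advertised, expected):
    """Resolver addresses the router hands out that are not on the allowlist."""
    return sorted(set(advertised) - set(expected))


def compare_answers(lan, trusted):
    """Map each name to 'consistent', 'divergent' or 'no-answer'.

    CDN-backed names return different subsets of a pool from different
    vantage points, so only a total lack of overlap counts as divergence.
    """
    verdicts = {}
    for name, trusted_set in trusted.items():
        lan_set = lan.get(name, set())
        if not lan_set:
            verdicts[name] = "no-answer"
        elif lan_set & trusted_set:
            verdicts[name] = "consistent"
        else:
            verdicts[name] = "divergent"
    return verdicts


def audit(advertised=ADVERTISED_RESOLVERS, expected=EXPECTED_RESOLVERS,
          lan=LAN_ANSWERS, trusted=TRUSTED_ANSWERS):
    """Collect human-readable findings from both checks."""
    findings = []
    for resolver in unexpected_resolvers(advertised, expected):
        findings.append(f"router advertises unexpected resolver {resolver}")
    for name, verdict in compare_answers(lan, trusted).items():
        if verdict != "consistent":
            findings.append(f"{name}: {verdict} answer from LAN resolver")
    return findings


if __name__ == "__main__":
    for line in audit():
        print(line)
```

In deployment the two answer dictionaries would be filled by querying each resolver for the same list of names; the important property is that the trusted query path does not depend on the router's DNS settings, otherwise both sides are fed by the same attacker.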
By themselves, these pharming approaches have only academic interest. However, the ubiquity of consumer-grade wireless routers presents a massive vulnerability. Administrative access can be available wirelessly on most of these devices. Moreover, since these routers often work with their default settings, administrative passwords are commonly unchanged. Even when altered, many are guessed quickly through dictionary attacks, since most consumer-grade routers don't introduce timing penalties for incorrect login attempts. Once administrative access is granted, all of the router's settings including the firmware itself may be altered. These attacks are difficult to trace because they occur outside the home or small office and outside the Internet.
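The missing control the paragraph above points at is a timing penalty on failed administrative logins. The class below is an added example of that control, not code from any router vendor or from the article: it doubles the enforced delay after each failed attempt from a client, switches to a fixed lockout once a threshold is reached, and refuses attempts made during the penalty window before the password is even checked, so a guessing loop gets no feedback from a lucky guess. The clock is injectable so the behaviour can be exercised without sleeping; the thresholds are illustrative assumptions.

```python
"""Timing penalty and lockout for an admin login (added example)."""
import time


class LoginThrottle:
    """Per-client failure tracking with exponential delay, then lockout.

    base_delay   seconds enforced after the first failure (doubles each time)
    max_failures failures after which the fixed lockout applies
    lockout      seconds of the fixed lockout
    clock        callable returning a monotonic time; injectable for tests
    """

    def __init__(self, base_delay=1.0, max_failures=5, lockout=300.0,
                 clock=time.monotonic):
        self.base_delay = base_delay
        self.max_failures = max_failures
        self.lockout = lockout
        self.clock = clock
        self._state = {}   # client -> (failure count, earliest allowed attempt)

    def wait_time(self, client):
        """Seconds the client must still wait before another attempt (0 if none)."""
        _, not_before = self._state.get(client, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def attempt(self, client, password_ok):
        """Record one attempt; return 'ok', 'denied' or 'throttled'.

        password_ok is the result of the credential check performed by the
        caller (e.g. a constant-time comparison against a stored hash).
        """
        now = self.clock()
        failures, not_before = self._state.get(client, (0, 0.0))
        if now < not_before:
            # Refuse inside the penalty window regardless of the credential,
            # so a correct guess during the window leaks nothing.
            return "throttled"
        if password_ok:
            self._state.pop(client, None)   # success resets the counter
            return "ok"
        failures += 1
        if failures >= self.max_failures:
            not_before = now + self.lockout
        else:
            not_before = now + self.base_delay * (2 ** (failures - 1))
        self._state[client] = (failures, not_before)
        return "denied"


if __name__ == "__main__":
    throttle = LoginThrottle(base_delay=1.0, max_failures=3, lockout=60.0)
    for _ in range(4):
        print(throttle.attempt("192.168.1.50", password_ok=False),
              "wait %.0fs" % throttle.wait_time("192.168.1.50"))
```

Keying the state on the client address is enough for a LAN administration page; an Internet-facing interface would additionally need a per-account limit, since an attacker can rotate source addresses faster than a single counter fills.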
Instances of pharming
On 15 January 2005, the domain name for a large New York ISP, Panix, was hijacked to point to a website in Australia. No financial losses are known. The domain was later restored on 17 January, and ICANN's review blames Melbourne IT (now known as "Arq Group") "as a result of a failure of Melbourne IT to obtain express authorization from the registrant in accordance with ICANN's Inter-Registrar Transfer Policy."
In February 2007, a pharming attack affected at least 50 financial companies in the U.S., Europe, and Asia. Attackers created a similar page for each targeted financial company, which requires effort and time. Victims clicked on a specific website that contained malicious code. This website forced consumers' computers to download a Trojan horse. Subsequent login information for any of the targeted financial companies was collected. The number of individuals affected is unknown, but the incident continued for three days.
In January 2008, Symantec reported a drive-by pharming incident, directed against a Mexican bank, in which the DNS settings on a customer's home router were changed after receipt of an e-mail that appeared to be from a legitimate Spanish-language greeting-card company.
Controversy over the use of the term
The term "pharming" has been controversial within the field. At a conference organized by the Anti-Phishing Working Group, Phillip Hallam-Baker denounced the term as "a marketing neologism designed to convince banks to buy a new set of security services".
See also
* Phishing
* DNS spoofing
* IT risk
* Mutual authentication
* Trusteer