What is Pharming in Cyber Security?

11 February 2025

If you’re interested in improving your organisation’s cyber security, you might have encountered the term ‘pharming’. This term is a combination of the words ‘phishing’ and ‘farming’, but what does pharming actually mean?

Pharming is a type of cyber attack that redirects users to fraudulent websites to steal their credentials or sensitive information. These spoofed websites closely resemble legitimate ones; online banking portals, social media networks and retail shopping sites are the most common targets. It’s similar to phishing, but malicious code, rather than email, is typically the attack vector.

Read on to find out more about pharming, the different types of pharming and how you can protect yourself from a pharming attack.

What is Cyber Security Pharming?

Pharming in cyber security is a type of cyber-attack that redirects users to spoofed websites to steal a user’s credentials, such as user names, passwords, or credit card details, or other sensitive information. Banking websites, e-commerce sites and online payment portals are most commonly targeted by pharming attacks.

The word ‘pharming’ combines ‘phishing’ and ‘farming’, suggesting the large-scale nature of pharming attacks compared to smaller phishing attacks.

Phishing vs. Pharming: What’s the Difference?

Both pharming and phishing are cyber attack techniques which aim to trick users into sharing personal or sensitive information, such as their banking details. However, phishing involves tricking users into clicking on malicious links in emails, texts or instant messages, while pharming involves manipulating DNS records or local host files to automatically redirect users from legitimate websites to fraudulent ones. This can make pharming attacks harder to detect as they don’t require users to click on a link.

 

How Does Pharming Work?

Pharming is a sophisticated type of cyber attack. It’s a two-step process that begins with the attacker installing malicious code on a victim’s server or computer. This code sends the victim to a fraudulent website to steal their financial or personal information. This information can be used for a range of malicious activities, such as identity theft or financial fraud.

What Are the Different Types of Pharming?

There are two primary methods of pharming that cybercriminals can use to steal sensitive information: pharming malware and DNS-based pharming. Below we go over these two different methods in more detail.

Pharming Malware

Malware-based pharming involves the installation of malware, such as a Trojan horse or virus. This is usually installed unwittingly by users through malicious email links or software downloads. The installed malware modifies and corrupts locally hosted files and changes stored IP addresses to automatically reroute the user to the attacker’s spoofed website.
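A defender can check for this kind of tampering by auditing the hosts file. The Python sketch below is an added example, not code from the original article; the watchlist, the sample file contents and the function names are assumptions made for illustration. It flags any entry that overrides a watched domain and any name pinned to a public address.

```python
import ipaddress

# Hypothetical watchlist: sites that should never be pinned in a hosts file.
WATCHLIST = {"bank.example", "pay.example"}

# Loopback, sinkhole, RFC 1918, link-local and unique-local ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128", "::/128",
    "fe80::/10", "fc00::/7")]

def is_watched(name, watchlist):
    """True if name is a watched domain or one of its subdomains."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watchlist)

def audit_hosts(text, watchlist=WATCHLIST):
    """Return (line_no, address, hostname, reason) for each suspicious entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank, comment-only or incomplete line
        try:
            ip = ipaddress.ip_address(fields[0].split("%")[0])  # ignore IPv6 zone id
        except ValueError:
            findings.append((line_no, fields[0], fields[1], "unparseable address"))
            continue
        local = any(ip in net for net in LOCAL_NETS)
        for host in fields[1:]:
            if is_watched(host, watchlist):
                findings.append((line_no, str(ip), host, "watched domain overridden"))
            elif not local:
                findings.append((line_no, str(ip), host, "name pinned to public address"))
    return findings

# Constructed sample hosts file (documentation addresses and .example names).
SAMPLE = """\
127.0.0.1    localhost
::1          localhost ip6-localhost
0.0.0.0      ads.example            # sinkhole entry
10.0.0.5     intranet.corp.example
203.0.113.7  www.bank.example login.bank.example
198.51.100.9 updates.vendor.example
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

On a real machine the input would be the contents of /etc/hosts or C:\Windows\System32\drivers\etc\hosts.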

DNS-Based Pharming

DNS-based pharming exploits the vulnerabilities in DNS infrastructure to redirect users to fraudulent websites. This is most commonly done through the following methods:

  • DNS Cache Poisoning or Spoofing. This involves the attackers entering false information into the DNS cache to alter the mapping of domain names to IP addresses. This means that users are directed to fraudulent websites.
  • DNS Server Compromise. This is when an attacker gains unauthorised access to a DNS server or its records. The attacker can then alter the IP address associated with a domain name to redirect users to a spoofed website for malicious purposes.
  • DNS Hijacking or Redirection. This is when an attacker compromises the DNS settings on a computer or router. The DNS requests are then redirected to malicious DNS services which provide false IP addresses leading users to fraudulent websites.
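Changed resolver settings on a computer can be detected by comparing the configured DNS servers with the ones the organisation has approved. The Python sketch below is an added example, not code from the original article; it assumes a Unix-style resolv.conf, and the approved list, sample file and function names are hypothetical.

```python
import ipaddress

# Hypothetical allowlist of approved resolvers (documentation ranges
# stand in for real addresses).
APPROVED = [ipaddress.ip_network(n) for n in ("192.0.2.53/32", "2001:db8:53::/48")]

# Local stubs and routers: the real upstream is configured on another hop.
INDIRECT = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "fe80::/10", "fc00::/7")]

def classify_resolver(addr):
    """Classify one nameserver address against the allowlist."""
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
    except ValueError:
        return "invalid"
    if any(ip in net for net in APPROVED):
        return "approved"
    if any(ip in net for net in INDIRECT):
        return "indirect"    # check what the stub or router forwards to
    return "unapproved"      # public resolver that nobody signed off on

def audit_resolv_conf(text):
    """Return (address, verdict) for every nameserver line."""
    results = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            results.append((fields[1], classify_resolver(fields[1])))
    return results

def suspects(text):
    """Addresses that need investigation: unapproved or malformed."""
    return [a for a, v in audit_resolv_conf(text) if v in ("unapproved", "invalid")]

# Constructed sample resolv.conf.
SAMPLE = """\
# generated by the network manager
nameserver 192.0.2.53
nameserver 192.168.1.1
nameserver 198.51.100.66
nameserver fe80::1%eth0
search corp.example
"""

if __name__ == "__main__":
    for address, verdict in audit_resolv_conf(SAMPLE):
        print(address, verdict)
```

An "indirect" verdict means the same comparison has to be repeated on the router or local stub resolver, since that is where the upstream DNS servers are actually set.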

Cybersecurity Pharming Examples

There have been several infamous pharming attacks in recent years, which shows that pharming is a significant cyber threat. Here are some notable real-world examples of pharming attacks:

DNSChanger Malware (2007)

DNSChanger was a Trojan that began infecting computers in 2007. Over four million computers were infected with this malware, which was distributed through an infected download disguised as a video codec (software that compresses or decompresses video/audio files).

This malware altered the DNS settings on infected computers, redirecting users to fraudulent websites and ads. The rogue servers that users were pointed to primarily supported advertising sold by Rove Digital (the malware’s creators), which advertisers paid for, believing it to be legitimate. By the time the FBI raided the malicious servers on November 8, 2011, Rove had generated at least $14 million in profits from the fraudulent advertising scheme.

Volunteers for Venezuela Campaign (2019)

Hackers launched a pharming attack against a Venezuelan humanitarian organisation that was raising funds for the victims of the Venezuelan crisis.

The attackers redirected users from the organisation’s legitimate new website to a fraudulent one, which stole their personal information, such as names, addresses and emails. The attack was carried out through DNS hijacking, where the criminals targeted the organisation’s servers or manipulated the users’ DNS settings. The hackers collected personal data from millions of users, which could be sold or used for nefarious purposes, such as identity theft. This severely damaged the charity’s reputation.

Brazilian Bank Pharming Attack (2016)

In 2016, cybercriminals redirected all traffic from a major Brazilian bank’s website to a spoofed site hosted on their malicious servers. This was made possible through a targeted attack on the bank’s DNS hosting service. Over the five-hour timespan of the attack, the hackers took control of the bank’s 36 domains and corporate email, harvesting login credentials. This led to an unknown amount of financial loss.

As part of the attack, malware was dropped on victims’ computers, which was designed to hijack the operations of other banks. Research determined that nine other banks around the world were similarly attacked and controlled by cybercriminals.

Signs of Pharming

There is a lot of overlap between the signs of a pharming attack and those of other types of cyber security attacks.

Telltale signs that you have been a victim of pharming include:

  • Unexpected changes to a website, such as a different layout, spelling errors or missing logos.
  • You notice pop-ups asking for personal information or trying to encourage you to download something.
  • You are directed to a different website when you type in a specific URL.
  • You notice a typo in a website URL.
  • A website’s address does not start with “HTTPS”, indicating there is a missing or expired SSL certificate.
  • New sign-in requests that are not from you.
  • An unusually slow network connection.
  • You notice transactions or charges that you do not recognise.

 

What to Do if You’ve Been Pharmed

If you suspect you or your organisation has been the victim of pharming, you must take steps to limit the impact of the attack. This should include:

  • Running a full scan of your computer using antivirus software to remove any malware that may have been used in the attack.
  • Clearing your DNS cache.
  • Contacting your ISP if you believe your server has been compromised.
  • Changing the login credentials for any sites you accessed while being pharmed.
  • Clearing your browser’s cache and cookies to clear any malicious code stored there.
  • Reporting the pharming attack to the relevant authority, such as Action Fraud or the Information Commissioner’s Office (ICO) in the UK, and following platform-specific fraud reporting procedures.
  • Double-checking the legitimacy of the site by using a different device or network to access it before entering any personal information.

How to Prevent Pharming Attacks

The best way to prevent a pharming attack and to protect yourself or your business is to follow these best practices and preventive measures:

  • Choose a reputable internet service provider (ISP) and secure DNS service. This will help filter out suspicious redirects by default and safeguard against DNS server poisoning.
  • Be suspicious of emails with links or attachments from senders you don’t know. Don’t click on any links or open any attachments you are unsure of, especially executable files.
  • Only click on links that begin with HTTPS. The ‘s’ stands for secure and shows that the site has a valid security certificate.
  • Use an advanced antimalware system. This can actively block any malware that’s attempting to tamper with your computer’s hosts file.
  • Keep your computer system up-to-date with the latest security patches. This will reduce any vulnerabilities in your software.
  • Check URLs for typos. This is especially important for websites where you’ll be submitting sensitive information, such as online banking portals.
  • Avoid suspicious-looking websites. Look for obvious spelling or grammatical errors that might indicate that the site is not legitimate.
  • Enable two-factor authentication where available. This makes it much harder for cybercriminals to hack into your accounts and adds another layer of protection.
  • Use a password manager and use strong, unique passwords.
  • Change the default admin passwords of your Wi-Fi router and create a strong password or passphrase. A passphrase is a string of nonsense words that are easy for a human to remember but are tricky to hack.
  • Avoid connecting to public Wi-Fi networks where possible.

 

Cyber Security Monitoring With Obsidian Networks

At Obsidian Networks, we provide comprehensive cyber security solutions to protect businesses from all forms of cyber attacks, including pharming. We provide several cyber security services including cyber security monitoring and penetration testing. Our expert team can also manage your entire IT infrastructure with our fully managed IT support services.

We understand that every organisation is unique and we can offer a bespoke cyber security solution that works for your business. Get in touch with a member of our team today to discuss your requirements.