Pharming

“Pharming” is a variety attack type in which the attacker hijacks the network address (either IP address or domain name) of a target application for the purpose of intercepting all end-user interaction with the target application. The attacker can then make use of this interception to compromise sensitive information or distribute malware, including back doors and Trojans.

In a “pharming” attack, the attacker sets up a web server to intercept all communication between a set of end-users and a target application. The attacker then hijacks the network address of the target application causing all end-user communications with the target application to go through the attacker controlled server. Victims of this attack access the target application, not knowing that their requests are being intercepted, compromising sensitive information, such as credentials. Attacker can relay requests to the target application and intercept sensitive information (balance sheets, personal details, etc.) going back to victims or even create bogus replies injecting malware into unsuspecting victim’s machine.

Attackers use a variety of techniques to hijack the network address of the target application. One set of techniques is targeted at end-point computers with loose security controls (many home computers fit this profile). A sample technique would be to tamper the computer’s hosts file in a way that the domain name of the target application points to an attacker controlled server.

Another method to redirect the traffic is by “DNS-poisining” where the attacker exploits a DNS (Domain-Name Service) vulnerability so that the DNS’ returned address references the IP address of an attacker controlled server rather than the IP address of the actual application server. While this type of attack is more effective in terms of the number of user affected by it, it is harder to execute since DNS servers are usually more secure than workstations.

Since the popular method of attack in a “pharming” scheme is to change the hosts file on the victim’s computer, implementing personal computer safety practices is a wise choice. Avoid the usage of default usernames and passwords and make sure the computer has a network firewall configured and running.

A user should also check the security certificate of the website that prompts for user credentials. If the security certificate is outdated or invalid, the user should suspect a “pharming” scheme.