Pharming

The term "pharming" has existed since 1996, but it was not until late 2003, that the technique actually emerged in the service of cyber criminals. Pharming attacks are similar to phishing attacks in that they are designed to extract confidential data from victims by pretending to be a trusted source and requesting information. The difference between pharming and phishing is that pharming attacks resolve the victim's DNS to a malicious server when attempting to visit a legitimate Web site, as opposed to a phishing attack, which requires that victims be tricked by social engineering into visiting the fraudulent Web site.

The analyst at MX Logic who coined the term "pharming" originally defined it as a malicious Web direct. This definition requires that something be changed on the victim's computer, such as a local DNS server or their HOSTS file. The definition has recently evolved to include DNS cache "pollution" or "poisoning," in which an attacker corrupts the DNS server's cache so that all lookups to the server respond with a malicious address. If DNS cache poisoning, which is simply exploiting a vulnerability in certain DNS server implementations, is considered pharming, then any other vulnerabilities found in DNS servers used for the same purpose will probably also be defined as pharming.

How Pharming Works

Even though pharming has the advantage of generally not requiring social engineering, it is technically more complex and therefore requires more skill. Phishing can be executed with very little knowledge and, in some cases, using automatic toolkits. Pharming, through its various methods, always involves at least one technical step. Cache poisoning, which targets the largest number of users, requires successful exploitation of DNS servers or gateways and a server with a catch-all or DNS entries for every Web site. Modifying a HOSTS file requires that attackers make these changes via malicious code or compose and modify the system manually.

The amount of knowledge and effort to produce a pharming attack exceeds the potential benefit for pharming individual Web sites. Because the percentage of DNS servers that are actually vulnerable is minuscule, targeting them with individual Web sites is unlikely to produce the amount of stolen information produced in a phishing attack. However, motivation to conduct pharming attacks may increase as anti-phishing software becomes more prevalent. In addition, if exploitable vulnerabilities are found that affect the most widely used DNS servers, pharming attacks could increase. Attackers may take the time to set up individual Web sites to imitate companies if they can corrupt enough DNS servers to affect a sufficient number of users.