What is a pharming attack and how can you stop it from happening?

pharming attack

Last modified on September 15th, 2023

Pharming, as part of the wider phishing culture, is the biggest threat to Americans today. As with other white-collar crimes, businesses stand to lose the most from pharming. It damages ongoing operational efficiency, on top of the financial and reputational effects. Pharming attacks are best prevented with knowledge and strategy. This piece explores the threat and how to stop it.

Trustpair blocks the financial effects of pharming by continuously controlling payments before they’re executed, and blocking payments to suspicious third parties. Contact an expert to learn more!

Nouveau call-to-action

What is pharming?

Pharming = phishing + farming.

It’s a play on words, but not quite as fun as it sounds, as pharming is a dangerous hacking technique. It can cause millions worth of damage to individuals and companies alike. In this case, phishing is a social engineering scam where users trust giving away their personal information, and farming refers to the harvesting of such data.

Pharmers (the perpetrators) typically set up with a fake website that is very carefully spoofed to look like the original, making it look legitimate and convincing. Then, they snare their victims into visiting the site through a range of techniques with the goal to yield as much confidential information as possible.

Sometimes, the targets of pharming attacks are individuals, but more often than not, it’s businesses and their employees that should be wary of pharming. That’s because 82% of organizational data breaches involve a human element, such as clicking on a malicious link or typing credentials into a spoof site.

Pharming attackers may use the data they harvest in a number of ways:

  • To sell on the dark web (the black market of the internet)
  • To make fraudulent transactions via identity theft
  • To steal further data, using details to convince a third party to trust their impersonation and reveal further confidential data
  • To hack into company or personal accounts and launder money to their accounts


How does a pharming attack work?

Because it’s a complex hacking technique, pharming can happen in a few different ways. In each of them, the perpetrators gain access to a device or its network and exploit the human on the other end.

Here are two of the ways that pharming can work:

  • Attacking host file
  • Attacking DNS server

Attacking host file

Host files are the part of a computer’s operating system that manually checks the URL you’ve typed and maps it to the correct IP address.

When cybercriminals attack host files, they corrupt them by spreading malware through the network or the device. This typically happens through business email compromise (BEC), with a malicious link. Once clicked, this code changes the host file and meddles with the data, messing up the entire mapping process. This is the phishing part of pharming.

It means that the victim is automatically redirected to a different IP address, often one that the perpetrators have spoofed to look exactly like the legitimate site. From here, the unknowing victims will input their login credentials as usual and the hackers on the other side automatically harvest that data. This is the farming side of pharming.

Attacking DNS server

DNS stands for domain name systems, and these servers also translate URLs into IP addresses. But unlike host files, DNS servers contain huge databases to automatically complete this process, instead of relying on an individual device to manually do this.

When DNS servers are attacked, it means that hackers can either install malware onto the DNS server itself, or on one of the devices within the network. Again, this typically happens with a phishing email that contains a malicious link, downloading spyware once clicked.

Similarly, the user is redirected to a spam site and can end up typing in their personal information for the cyberattackers to use. Or, they might end up transferring funds straight from their bank account in exchange for fake products that will never arrive.

DNS attacks are much more dangerous than host file corruption, because as soon as one is poisoned, it can affect other servers. Just like how you can’t use antibiotics to treat a viral infection, anti-malware programs are much less effective at preventing this type of pharming attack.


What are some examples of real-life pharming attacks?

Although it’s a complex and technical cybersecurity threat, there are plenty of notable pharming accounts that have taken place since the internet first began. Here are two of the most famous:

  1. Operation Ghost Click
  2. Venezuelan Charity Attack

Operation Ghost Click

Operation Ghost Click was the name of a 2009-2011 FBI operation into a pharming ring. The group in question had used a malware called DNSChanger to infect millions of computers in over 100 countries (including NASA’s network). They worked by faking internet advertising banners, which when clicked, redirected victims to fake sites without their knowledge.

When the victims input their details to make a purchase, the money was captured by the group instead. The six members of the ring who were convicted made over $14 million during their pharming operation.

Venezuelan Charity Attack

Only a few years ago in 2019, another pharming attack made the news. This time, the attacker stole data from those attempting to donate to victims of the Venezuelan crisis. It was one of the most severe corporate fraud attacks, because this hack damaged the reputation of the charity itself.

One charity attempted to make it easy for their patrons to regularly donate to the cause. They did this by allowing users of their website to set up an account, where they could quickly donate without having to log personal information every time. The account creation form included the collection of information such as:

  • Name
  • Address
  • Phone number
  • Personal identification number

While the theory behind the idea was great, a hacker took advantage. The perpetrator spoofed the site within days and managed to use the same IP address, making it impossible for computer DNS systems to tell the difference. Containing the same form as the original site, it meant that the pharmer collected the personal data of millions to either be sold on or used for identity theft purposes.


What is the difference between pharming and phishing?

Pharming and phishing are sometimes used interchangeably, but there is a hierarchy between the two terms because pharming is actually a type of phishing.

Pharming perpetrators typically target a large group of victims, and use a “spray and pray” approach. That’s because the attackers can’t be sure who will land on their website, as once a computer infection makes it through the anti-virus barriers, it could spread.

Instead, phishing perpetrators typically have their target in mind. In the case of spear phishing or whaling, lots of research is done to target this specific victim in order to make the entire ruse more convincing.

Moreover, pharming uses highly-technical hacking skills to poison a DNS server or corrupt host files, for example. Instead, phishing relies on social engineering techniques to scam the victim with psychology.

Phishing could be perpetrated through the email channels, but there is also smishing (via text message) and vishing (through fake voice calls). Instead, pharming is always done over the computer network first, and may also include an email to snare the victim.

Pharming Phishing
Targets large groups of potential victims Targets specific small groups or individual victims
Uses highly-complex techniques such as hacking to corrupt devices and networks Relies on social engineering techniques to convince the victim to give over their details
Requires perpetrators to create an almost identical website to the legitimate site they are spoofing Legitimacy is based on the research and information they know about the third party they are impersonating
Carried out via computer network Carried out by email channels, text or calls


How can you detect a pharming attack?

Detecting a pharming attack can be very difficult, especially if it’s an attack on the DNS server. But with strong antivirus software, some attacks can be stopped before they even enter your system.

Moreover, relying on a well-known DNS server is likely to help against pharmers, because those managing the servers can detect and block suspicious activity before it becomes harmful.

Finally, you might be able to detect a pharming attack by relying on your own eyes. Does a website look suspicious? Or too good to be true? By relying on your instincts when it comes to shady sites, you can quickly and safely exit before the hackers gain access to any of your information.


How can you prevent pharming attacks?

Prevention of pharming attacks is not as difficult as detection, because maintaining good practices makes it harder for cyber attackers to get through. These good practices include not re-using passwords across accounts, and ensuring that any URLs visited are labeled HTTPS instead of HTTP, as they are far more secure.

Moreover, two-factor authentication methods can help verify the identity of your employees and are incredibly hard for attackers to bypass. In some industries, this is a regulatory requirement, but even if you’re not working in a compliance-based environment, it’s a strong practice to follow.

Finally, you can prevent any of the financial effects of falling victim to pharming with Trustpair. We continuously validate the details of any payments before they leave your account.

And, we block payments to any suspicious or unknown parties automatically, protecting your finances even if your business has been infiltrated by a pharming attack. It means that if scammers manage to infiltrate your systems thanks to pharming – by getting employee logins for example – they won’t be able to transfer funds to themselves.

Get your bespoke Trustpair demo and experience true protection from fraudsters.


In Summary:

Pharming is a technique that aims to get hold of sensitive information by redirecting victims to fake websites. The attackers target computer network elements, such as host files and DNS servers to bypass security certificates and fool targets into typing in their data. Protect against phishing with antivirus software, security awareness and Trustpair’s automated account validation platform.


Pharming is one of the biggest threats to businesses today, and it refers to a type of scam that exposes a computer system’s vulnerabilities. Unauthorized cyber attackers bypass encryption measures, spoof legitimate sites and redirect victims to these sites with BEC.

Because they look exactly like the real websites, victims have no reason to doubt and put their login details as usual. This causes a data breach since the scammers then capture these individual details to use as they please.

Pharming is a technical attack on computer systems, whereas phishing relies more on social engineering to acquire the victim’s details. Both require security awareness and other defenses to protect against.

A huge pharming attack happened in 2021, involving over 50 banks. Over three days, more than 1000 computers were targeted, with a separate spoofed website for every one of the banks. This was a sophisticated attack, caused by an initial email with a Trojan, and led to tons of personal data being transferred to hackers.

Manage the risks related to corporate treasury.

Receive our latest news

Subscribe to the Trustpair Newsletter and receive advice every week…
Thanks ! Your subscription to the Trustpair newsletter has been taken into account.

        By clicking on “Subscribe”, you agree to receive the Trustpair newsletter to be informed of news or important information about our services. By subscribing, you agree to our Privacy Policy.


Related Articles