What Is Pharming & DNS Poisoning

Like everybody, you use the Internet every day. Within seconds, you can access countless services, most of which are free. Or so we think.

Behind those companies, there are powerful servers coordinating user requests. People don’t really know how the Internet works, but you know, nobody cares as long as it does.

When you type in a domain, these servers reply with an address that leads you to that site. If someone manipulated the provider, people would type the domain and land on another page!

That’s like typing nicebank.com and appearing on Craigslist with the Amazon URL. Despite the nonsense, your computer doesn’t show any error messages, and the local DNS looks fine too. For computers, it remains invisible.

What if the DNS server sends you to a fraudulent website, which looks exactly like the one you typed? 


Of course, DNSs aren’t easy to trick. The problem is, you won’t know when a pharming hacker attacks. 

What Is Pharming?


Usually, scammers send you to phishing websites to steal your information. But anyone who has heard of them once will always be on the lookout and spot the red flags sooner: unexpected emails, misspellings, wrong URLs, and broken links.

To fix those flaws, a hacker needs to manipulate the DNS server so that it returns the answers he wants. After the “DNS poisoning,” whoever looks up the domain will land on the scammer’s page under the trusted domain name.

Pharming refers to the DNS manipulation tactics used for large-scale identity theft. A hacker will program some bots to constantly send wrong entries to a local server, slowing its response until it crashes. 

If the requested domain isn’t in the cache, the local DNS server connects to an authoritative master DNS server to find the right address. If the hacker overwhelms the server, the local DNS server could cache the wrong data.

Such strategies require expert hacking skills and timing. Servers refresh periodically to update the addresses. They can also temporarily block users who make too many suspicious requests.

If a hacker manages to send you to their site, you won’t even notice it. You log in like you normally do, then find out you lost your identity.

That means, unfortunately, that your server can get you into trouble for mistakes you didn’t make. And because hackers attack large groups at once, a successful attack can cause millions worth of losses. The reward couldn’t be more encouraging.

Pharming VS Phishing: Which One Is Worse?


Pharming or phishing? Different tactics, same purposes. Hopefully, you fall for neither.

Although it’s not an accurate definition, you can see pharming as an improved version of phishing for the purpose of identity theft. It may not be as common, but the threat is critical. Understanding the differences will show what pharming looks like.

#1 A Matter Of Skill

What does it take to cause a phishing attack? You get a phishing website and send an email. The end. 

But spotting these scams is just as easy as creating them. That is why fraudsters need tools to send mass emails for such low conversion rates.

Other minor skills include:

  • Design to replicate the website
  • Grammar to remove the misspellings red flag
  • Persuasion to get emails clicked.

Even with the right skills, you can’t guarantee a pharming attack will be successful. Even if it succeeds, it only lasts a few minutes (hours at most) before the server resolves it.

#2 Detection

Detecting pharming has nothing to do with the red flags of phishing. Unfortunately, you find out about the poisoned DNS once it’s too late: you have already lost your identity.

That’s because there are no red flags other than a few differences, such as HTTPS instead of HTTP. But pharming only remains invisible briefly before the servers reboot. 

Yet, that’s enough time to infect several computers around the world.

#3 Prevention

For phishing attacks, you can quickly stop the threat by updating your security. In pharming, no matter what you change, the hacker can steal your data over again as long as you return to the corrupted server.

You may wonder: “How can I prevent a threat I can’t see? If someone poisons my DNS, how do I protect myself?” Big problem.

Refresh your cache? Choose a better DNS? Avoid suspicious websites? There’s no guaranteed way to get rid of hackers. With the right reward, anyone can break into any server. Pharming targets a server, and phishing targets a real person. 

You won’t enter data on what you know is a phishing site. With pharming, you won’t know if it’s legit.

How Pharming Works: Step By Step

Although it’s hard to understand, hackers don’t do magic: they’ll likely use DDoS tactics.

Distributed Denial Of Service attacks disable/misuse the server, affecting anybody who connects to it. Hackers would flood them with information until they crash, then add their fraudulent addresses to the server cache:

  1. The request. The user types a website name. A local server receives the domain and returns the website address. If the name doesn’t exist in the cache, the local server connects to an authoritative DNS server to check it and get the address. This task slows the local server response.
  2. The crash. The hacker overwhelms the server with wrong responses, faster than it returns NXDomain errors. The master server response gets lost among the countless fraudulent responses invading the local server.
  3. The poisoned DNS. A local cache registers website addresses to save connection time. If the request isn’t cached, or they request it too many times, the local server will add/overwrite that address. Unless the local server updates its cache, the address will keep pointing to the wrong site.
  4. The mass identity theft. Imagine the fraudster targets a high-traffic banking website. The thousands who logged in with the poisoned DNS would get their accounts stolen. By that time, the local server will have recovered, detected, and blocked the problematic user.
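
Step 2 above says the genuine answer can get lost among forged ones; a resolver decides which reply to keep by matching each one against the query it actually sent. The sketch below is an added example, not code from the original article, of that acceptance check. The transaction ID, source port and server address are standard DNS fields the article does not mention, and all addresses and IDs are constructed samples.

```python
import struct

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_message(txid, name, is_response, qtype=1, qclass=1):
    """Minimal DNS message: 12-byte header plus one question (answers omitted)."""
    flags = 0x8180 if is_response else 0x0100   # QR|RD|RA for replies, RD for queries
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)

def parse_question(msg):
    """Return (txid, is_response, name, qtype, qclass) from header and first question."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while msg[pos] != 0:
        length = msg[pos]
        if length & 0xC0:
            raise ValueError("compressed or invalid label in question")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return txid, bool(flags & 0x8000), ".".join(labels), qtype, qclass

def accept_response(pending, msg, src_addr, dst_port):
    """True only if the reply matches the outstanding query in every field."""
    try:
        txid, is_resp, name, qtype, qclass = parse_question(msg)
    except (ValueError, IndexError, struct.error):
        return False                            # malformed or truncated: drop it
    return (is_resp and src_addr == pending["server"]
            and dst_port == pending["src_port"] and txid == pending["txid"]
            and (name, qtype, qclass) == pending["question"])

# Constructed sample: one outstanding query and four replies (documentation IPs).
PENDING = {"server": ("198.51.100.53", 53), "src_port": 40213,
           "txid": 0x3A7C, "question": ("nicebank.com", 1, 1)}
REPLIES = [
    (build_message(0x0001, "nicebank.com", True), ("198.51.100.53", 53), 40213),  # wrong ID
    (build_message(0x3A7C, "nicebank.com", True), ("198.51.100.53", 53), 53000),  # wrong port
    (build_message(0x3A7C, "nicebank.com", True), ("203.0.113.9", 53), 40213),    # wrong source
    (build_message(0x3A7C, "nicebank.com", True), ("198.51.100.53", 53), 40213),  # genuine
]

def accepted_indexes(pending, replies):
    """Indexes of the replies that pass every check."""
    return [i for i, r in enumerate(replies) if accept_response(pending, *r)]
```

Only the reply that matches on every field is cached; the more of these values a resolver randomizes per query, the more a forged reply has to guess correctly before the genuine answer arrives.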

Can You Prevent Pharming?


Pharming doesn’t happen often, but the few times it does can cost websites a fortune. Due to the intolerable risks, multiple companies are looking for permanent solutions to this DNS attack. 

The next time you visit a trusted platform, how do you know you’re safe from pharming?

#1 Dynamic passwords

If you fall for phishing, your accounts will be safe if you change passwords before the thief logs in. Thus, the more you update, the better.

Pharming can happen anywhere anytime. It’s too tedious to change passwords every day or hour for a threat that may not exist.

What should we do?

Second-Factor Authentication offers the best answer. You log in to your account with a password plus an extra security layer:

  • Facial Recognition
  • Tap “Yes” on your trusted device
  • Security questions (phishing sites can’t get these)
  • Six-Digit Numeric Password

This six-digit code updates every thirty seconds and is exclusive to your device. As long as you protect your device from malware, your accounts remain safe. You could give your password to everyone, and they still couldn’t log in because of the 2FA code.


#2 Malware protection

Cybersecurity has become tighter. One exception, trusted devices, skips all verification steps to access apps faster. Unfortunately, that trust creates data breaches for those who steal or hack your phone.

Remember that hackers have plenty of motivation to do so. They can pay others to promote malware programs disguised as antiviruses. After a pharming attack, hackers spy on your trusted devices or control them remotely to share data.

Avoid getting into problematic websites. If your computer warns that the site or the download is dangerous, don’t ignore the alert. Use antivirus programs to check your device status from time to time. 

#3 Don’t proceed if there are errors

After you type the domain, you may see messages like these:

  • Your connection isn’t private/secure. 
  • Deceptive site ahead. Go back to safety.
  • The site’s security certificate has a problem/doesn’t match with the website.

These are bright red flags telling you not to visit the site, especially if you have never visited it before. If a reputable site shows you these errors, listen to the message, and don’t continue. You can wait a few hours until the DNS server updates and try again.

#4 Detection software

For phishing sites, your browser detects them before you land on the page. If the DNS server doesn’t work, however, your device won’t recognize the threat.

You can still install extensions to spot fake websites automatically. Spoofstick, for example, will check for URL matches and the SSL certificate. If something goes wrong, you get a clear warning to leave the site.

Other extensions show you the website analysis, so you know what you’ll find before you click it on the search pages. If you find suspicious behavior, like too many redirects, go back and don’t click.


#5 Private browsing

People leave traces after they search online, which hackers can use to break into their accounts. If you could make browsing invisible, you’d be exponentially more protected.

Here are three levels of protection:

1. Private browsing (aka Incognito). You leave no history after using the browser, and your passwords don’t save. However, private browsing only keeps it invisible to the device user. It helps if someone else uses your device, but your Internet provider can still read it.

2. Virtual Private Network. VPN companies promise to make browsing safer. It will hide your IP location and use the one belonging to the VPN servers. As you browse, the program encrypts the information. The question is: what if someone breaks into their servers? What if the provider sells my data to advertisers? You won’t know it.

3. Decentralized VPN Providers. A safer option involves dynamic providers. Orchid and Tachyon offer pay-per-use VPN providers for a better connection. 

With these networks, you won’t need to trust all your data to some 3rd party.

Wrapping Up


Nothing is more dangerous than a threat you can’t detect or prevent. If you suspect a pharming attack, try updating/clearing your local DNS cache to put things back to normal. If the hacker has stopped poisoning the DNS, the local server will connect to the master server and get the real address.

To avoid malware installation, update cybersecurity often. To prevent DNS poisoning, trust the right VPN and ISP.
