What is Pharming?

What Is a Pharming Attack?

The term, “pharming” comes from two concepts: phishing and farming. It is a type of social engineering cyberattack that manipulates a website’s traffic in order to take possession of a user’s private information or install malware on their computers. To do this, pharmers create a bogus website which is a replica of the target site, and use multiple methods to redirect users to the fake site.

Cybercriminals typically create fake replicas of banks and ecommerce websites to collect usernames, passwords, social security numbers, and credit/debit card details.


Users can sign code with eSigner’s Extended Validation Code Signing capability. Click below for more info.


How Is Pharming Done?

Pharming takes advantage of the foundation of internet browsing—specifically, that the series of letters that compose an internet address (xyz.example.com), needs to be converted into an IP address by a DNS (domain name system) server for the connection to carry on.

Pharming is done by changing the host settings on the victim’s system or manipulating a DNS server. This is accomplished in two ways:

Causing Changes to the Local Hosts File

The local hosts file refers to a directory of IP addresses and domain names that is kept on a user’s local computer. For example, on macOS and Linux systems, this file is located at /etc/hosts. Pharming happens when cybercriminals invade the victim’s system and alter the hosts file to redirect individuals to the phony website every time they attempt to access the legitimate one. Cybercriminals may be highly skilled at making the bogus website appear very similar to the real one. Victims are therefore caught unaware and divulge their login credentials or financial information to the scammers.

Cyberattackers usually use phishing techniques to send malware to the victim’s computer, causing changes to their hosts file. The pharmer can deploy an email containing malicious code and when the victim clicks it, malware is downloaded and installed on their computer.    

Domain Name System (DNS) Spoofing

The other major method pharmers use to redirect traffic is through exploitation of a DNS server’s weaknesses and spoofing its responses to DNS requests. The effect is that the victim is diverted to a fake website controlled by the pharmer, even if the correct address is visible in the browser’s address bar. The bogus websites are then used to harvest financial details and confidential information from the victim, and may also install viruses on the victim’s system.

What makes DNS spoofing more threatening than hosts file changes is that it does not have to depend on the victim’s actions and has potentially worse consequences because DNS servers respond to the requests of many users, and may “poison” other DNS servers with the pharmer’s changes to a DNS record. Also, with DNS spoofing, the victim may have a computer that is free from viruses but could still get attacked by pharmers. Even if hosts take precautions like typing the website address manually or regularly using trusted bookmarks, these are still not enough to combat DNS spoofing, because the malicious redirect occurs after the connection request is sent by the computer.

When pharmers steal their victims’ financial and personal details, they then may use them for fraud or sell them on the dark web.

How is Pharming Different from Phishing?

Despite there being similar desired outcomes between pharming and phishing, the methods used differ. Pharming is more bent on attacking the DNS system whereas phishing is more focused on the manipulation of users. Though, as was explained earlier, phishing may hold an important function in the execution of pharming.


As we’ve mentioned before, phishing is a type of cyber fraud where attackers deploy emails pretending to come from trustworthy organizations like banks and credit card companies. The emails carry malicious links which, when clicked, take the victim to a bogus website. Because the fake website looks deceptively similar to the legitimate one, the victims are tricked into entering their login credentials, card details, and other sensitive information. 


Pharming may be considered a type of phishing minus the seduction factor. This means that it doesn’t need the victim to click a malicious link to take him/her to a fake website. Instead, the victim is immediately sent there by a bogus DNS record or hosts file entry. Pharming may therefore be characterized as “phishing without a lure.”

Historical Cases of Pharming

Pharming has been used many times worldwide to attack individual victims and organizations:

In 2007, at least 50 financial organizations in the United States, Europe, and Asia-Pacific were attacked by pharmers. Their strategy was to make a fake website for each target and then they placed malicious code on each one of them. The fake websites forced the victims’ computers to download Trojan horse malware, which subsequently downloaded five additional files from a Russian server. Every time users, whose computers were attacked by the malware, tried to access any of the financial companies, they were redirected to the fake website that harvested their usernames and passwords.

In 2015, in Brazil, pharmers deployed phishing emails to users of UTStarcom and TR-Link home routers, pretending to represent Brazil’s biggest telecom company. The emails contained malicious links which, upon being clicked, sent the victim to a server that attacked their router.

The pharmers then took advantage of cross-site request forgery (CSRF) vulnerabilities in the victims’ home routers to access the routers’ administrator consoles.

Once the pharmers infiltrated the admin control panel of the victims’ router, they then put in the default username and password. If this worked, they proceeded to change the router’s setting to their own DNS server.

In 2016, website security service provider Sucuri, discovered a pharming case where hackers redirected victims to websites that employed NameCheap’s FreeDNS via changed DNS settings.

In 2019, Venezuela was in need of humanitarian aid. President Juan Guadio asked thousands of volunteers to submit their personal details to a website so that they would receive instructions on how to help international organizations deliver assistance. The website required volunteers to state information including their full name, personal ID, cell phone number, and address. 

Five days after the launch of this website, a fake website appeared with a very similar domain and structure.  The two domains, with different owners, were registered in Venezuela to just one IP address which belonged to the hackers. Therefore, whether the volunteers accessed the legitimate or fake domain name, their personal information still ended up being introduced into the fake website.

How Do You Know if You’re a Victim of Pharming?

Any of the following issues may indicate that you have been a victim of pharming:

  1. Passwords to your online banking changed without you initiating the action.
  2. There are messages or posts on your Facebook account that you did not create.
  3. Unexplained billings have been made to your credit card.
  4. Strange applications are installed on your computer which you neither downloaded nor installed.
  5.  Your social media accounts have sent friend requests which you did not make.

How To Protect Yourself from Pharming

The strategies outlined below are considered best practices in preventing a pharming atttack:

Use a trusted DNS server

Consider switching to a specialized DNS service because this can provide more protection against DNS spoofing.

Double-Check the website URL for typographical errors

Pharmers modify the name of the targeted website by changing one or more characters. So, for instance www.Onebank.example.com will become www.0nebank.example.com. 

Only click links that have a legitimate SSL certificate

An SSL certificate provides assurance that the website you are visiting is secure. You will know if the website has an SSL certificate if its link starts with HTTPS. If you see that the website starts with just HTTP, there’s no assurance that it is safe and you should not divulge any private information to it.

Turn on Multi-Factor Authentication for your Online Accounts

Multi-factor authentication provides an extra layer of protection in case your login details are compromised. Examples would include SMS security codes, Google Authenticator, voice recognition, and fingerprint sensing.

Sign Emails with S/MIME Certificates

S/MIME (Secure/Multipurpose Internet Mail Extension) Emails use digital signing which assures recipients that the email really came from you.

Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page.

Subscribe to SSL.com’s Newsletter

Don’t miss new articles and updates from SSL.com

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.