One of the most common ways of conducting a pharming attack is to alter the “hosts” file on the client computer, the local name-to-address table the operating system consults before it queries DNS. On Windows, this file lives in the System32\drivers\etc directory under the Windows folder. Tampering with it ensures that a user who visits a particular site is redirected to a forged one. They may not even realize it, for the simple reason that the browser continues to show the URL they typed or clicked.
Attackers who use pharming techniques will often steer users to fake sites that appear identical to legitimate ones. You can almost guess why. Imagine the havoc this can wreak if a user hands over financial and other sensitive information on what they believe is the legitimate website of a bank, an Amazon shopping page, or a PayPal login portal. Get the picture? The repercussions can be frightfully catastrophic.
Typically, two components are needed to carry out a pharming attack. The first is a batch script that automates the modification of the hosts file, filling it with malicious IP address and domain name pairs. The second is a joiner, which merges the batch file with other files to compound the effect of the attack. Anti-virus (AV) software is now sophisticated enough to spot these pharming techniques, so code obfuscators may also be used to evade detection.
Protecting Yourself Against Pharming
The most basic precaution you can take against pharming is to install software that protects against unauthorized changes to the computer’s hosts file. Modern operating systems have tried to address this with built-in mechanisms that require administrator privileges to modify and save the hosts file. Beyond that, it makes sense to regularly apply updates and patches to your computer’s operating system and application software.
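A simple way to check for the kind of tampering described above is to parse the hosts file and flag any entry that maps a hostname to something other than loopback. The script below is an added example, not code from the original article; the sample hosts text and the 203.0.113.45 address in it are constructed for the demonstration.

```python
"""Hosts-file tamper check: added example, not the article's own code. Flags
entries mapping a hostname to anything but loopback. Sample data is constructed."""
import ipaddress, os, sys

LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
                  "ip6-loopback", "broadcasthost"}  # stock loopback names

def default_hosts_path():
    """Platform default location of the hosts file."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"

def parse_hosts(text):
    """Return (line_no, address, [hostnames]) for active lines; comments dropped."""
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((no, fields[0], fields[1:]))
    return entries

def check_hosts(text):
    """Return (line_no, hostname, address, verdict) for each entry worth review."""
    findings = []
    for no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((no, " ".join(names), ip, "unparseable address"))
            continue
        for name in names:
            if addr.is_loopback and name.lower() in LOOPBACK_NAMES:
                continue  # stock entry, nothing to report
            local = addr.is_loopback or addr.is_unspecified
            verdict = "sinkholed to local address" if local else "redirected off-host"
            findings.append((no, name, ip, verdict))
    return findings

SAMPLE_HOSTS = """# constructed sample
127.0.0.1\tlocalhost
::1\t\tlocalhost
203.0.113.45\twww.examplebank.com examplebank.com  # pharming-style entry
0.0.0.0\tads.example.net
"""

if __name__ == "__main__":  # usage: python check_hosts.py [path-to-hosts-file]
    text = open(sys.argv[1] if len(sys.argv) > 1 else default_hosts_path()).read()
    print(check_hosts(text) or "no suspicious entries")
```

Entries sinkholed to 127.0.0.1 or 0.0.0.0 are usually ad-blocking lists rather than pharming, so they are reported with a separate verdict; an off-host redirect for a bank or shopping domain is the finding to investigate.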
Another thing you can do is subscribe to free services from your Internet Service Provider (ISP) that filter sites which have been blacklisted. One of the easiest ways of double-checking for pharmed sites is to check the spelling of the domain name. Every so often, a fake site tries to confuse a user with a spelling that closely resembles the one they’re after (e.g., https://yourdomain.com vs. https://yourdomaiin.com). Both approaches should go some distance toward securing your computer or device against the threat of pharming.
Remember that you should always check a site’s SSL certificate before entering any sensitive information. This can be done at a glance (by looking for the green lock icon in the address bar, then hovering over it to view the site’s name and issuing authority), or by viewing the certificate manually in the browser. If the site has been issued a certificate by a reputable authority, you may be safe.
The threat of pharming, which resembles phishing but without the bait that lures you to click, is a real and potentially devastating exploit in the cyber world. It is in our best interest to take it seriously and to take all necessary measures to avoid falling victim to it.