Phishing & Social Engineering

What is Pharming?

Pharming is a cyberattack that redirects a website's traffic to a fraudulent replica by installing malicious code on a victim's computer or compromising DNS infrastructure.

Always Automate, Nothing To Manage

Always automated.

Nothing to manage.

Leave Training & Simulated Phishing to us.

According to Fortinet's 2025 definition, pharming is a cyberattack intended to redirect a website's traffic to another, fake site by installing a malicious program on the victim's computer in order to gain access to it. The term combines "farming" and "phishing": the attacker harvests a mass of users by steering them to a fraudulent site without any action on their part, whereas phishing typically needs the victim to click a malicious link. Mimecast's 2025 definition treats pharming as a specialized phishing variant that relies on malware or DNS exploitation rather than on email social engineering.

How does pharming work?

Pharming attacks operate through two primary technical mechanisms that redirect users from legitimate websites to attacker-controlled fraudulent replicas.

How does malware-based pharming redirect users?

Initial compromise delivers malware through malicious email attachments, compromised software downloads, drive-by downloads from malicious websites, USB-based malware distribution, and Trojan horse infections.

Hosts file injection executes when the malware modifies the victim's local hosts file, typically located at C:\Windows\System32\drivers\etc\hosts on Windows or /etc/hosts on Unix-like systems, to map legitimate domain names to attacker-controlled IP addresses.

DNS bypass occurs because the hosts file is consulted before any DNS query is sent, so the redirect happens without a single DNS packet leaving the machine. DNS-layer defenses such as filtering resolvers or DNSSEC validation never get a chance to intervene.

Credential harvesting happens when the victim attempts to access their bank or email account and is redirected to a counterfeit website that appears legitimate, where they enter credentials that the attacker captures.

Post-compromise actions enable attackers to log all subsequent traffic from the compromised host, install additional malware or backdoors, monitor the victim's online activities, and steal payment information in real-time.

How does DNS cache poisoning enable pharming?

DNS vulnerability exploitation targets security flaws in DNS server software to inject malicious records into the DNS cache according to TechTarget's 2025 analysis.

Cache corruption compromises a DNS resolver at ISP-level or organizational DNS servers, where attackers poison the cache with fraudulent DNS responses mapping legitimate domains to attacker IP addresses.

Widespread impact affects all users who query the compromised DNS server, potentially impacting thousands or millions of users simultaneously, unlike host-file pharming which affects one computer.

Persistence of the poisoned entry lasts for the TTL (Time to Live) carried in the forged response, typically hours or days according to SSL.com's 2025 analysis. Because the attacker chooses that TTL, the only upper bound is the resolver's own maximum cache lifetime.

No user interaction required means victims are automatically redirected without clicking links or taking action, making this variant highly effective.

Technical execution leverages DNS transaction ID prediction, UDP spoofing, or DNS resolver vulnerabilities to inject poisoned responses into caches according to Keepnet Labs' 2025 documentation.
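The transaction ID guessing and UDP spoofing just described are easier to see in code. The following is an added example written for this article, not code from Keepnet Labs, SSL.com or any other source cited here: a toy caching resolver that accepts a reply only if its transaction ID and destination port match an outstanding query and then applies a bailiwick check before caching, plus a blind off-path attacker that floods one forged reply per possible transaction ID. The resolver, the attacker, the zone names and the addresses are all hypothetical.

```python
"""Toy model of a caching resolver under a blind (off-path) cache-poisoning flood.

Added example for this article; not code from any source cited on the page.
Resolver, attacker, zone names and addresses are hypothetical. The model keeps
only the three checks that decide whether a spoofed UDP reply is accepted:
transaction ID, destination port, and a bailiwick check on cached records.
"""
import random
from dataclasses import dataclass, field

TXID_SPACE = 1 << 16        # DNS transaction ID is 16 bits
PORT_SPACE = 65536 - 1024   # ephemeral source ports 1024..65535
FIXED_PORT = 53             # legacy resolvers sent every query from port 53


@dataclass
class Response:
    txid: int
    dst_port: int
    qname: str
    records: dict           # name -> IPv4 address claimed by the reply


@dataclass
class ToyResolver:
    randomize_port: bool
    rng: random.Random
    cache: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)   # qname -> (txid, port)

    def send_query(self, qname):
        """Emit a query and remember what a matching reply must carry."""
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.randrange(1024, 65536) if self.randomize_port else FIXED_PORT
        self.pending[qname] = (txid, port)
        return txid, port

    def receive(self, resp):
        """Accept a reply only if it matches an outstanding query, then cache
        only records inside the bailiwick of the name that was asked for."""
        expected = self.pending.get(resp.qname)
        if expected is None or (resp.txid, resp.dst_port) != expected:
            return False
        zone = resp.qname.split(".", 1)[1]          # www.example.com -> example.com
        for name, ip in resp.records.items():
            if name == zone or name.endswith("." + zone):
                self.cache[name] = ip
        del self.pending[resp.qname]                # first accepted reply wins
        return True


def make_resolver(randomize_port, seed=7):
    """Deterministic resolver so that runs are reproducible."""
    return ToyResolver(randomize_port=randomize_port, rng=random.Random(seed))


def blind_flood(resolver, qname, attacker_ip, guessed_port):
    """Off-path attacker: trigger a query, then forge one reply per possible
    transaction ID at a single guessed port, racing the genuine answer."""
    resolver.send_query(qname)
    for txid in range(TXID_SPACE):
        forged = Response(txid, guessed_port, qname, {qname: attacker_ip})
        if resolver.receive(forged):
            return True
    return False


def success_probability(forged_replies, randomize_port):
    """Chance that at least one of N blind guesses matches before the
    genuine reply arrives: 1 - (1 - 1/space)^N."""
    space = TXID_SPACE * (PORT_SPACE if randomize_port else 1)
    return 1.0 - (1.0 - 1.0 / space) ** forged_replies


if __name__ == "__main__":
    for randomize in (False, True):
        r = make_resolver(randomize)
        hit = blind_flood(r, "www.example.com", "203.0.113.5", FIXED_PORT)
        print(f"port randomization={randomize}: exhaustive TXID flood poisoned cache? {hit}")
        print(f"  P(success) for 65536 forged replies = {success_probability(65536, randomize):.2e}")
```

With the query port fixed, the attacker only has to cover 65,536 transaction IDs, and an exhaustive flood wins every time; with the port randomized the same flood fails and the per-attempt odds drop by a factor of roughly 64,000, which is why source port randomization was the emergency fix for this class of attack and DNSSEC validation is the durable one. The bailiwick check is the other half: even a reply that wins the race cannot plant records for an unrelated zone.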

How does pharming differ from other attacks?

Attack Type            | Vector                       | Target Level      | User Interaction     | Detection Difficulty          | Impact Scope
Pharming (Malware)     | Malware modifying hosts file | Individual device | None                 | High (local malware)          | Single user
Pharming (DNS)         | DNS cache poisoning          | DNS server        | None                 | Very High (at resolver)       | Thousands to millions
Phishing               | Email + malicious link       | Individual user   | Required (click link)| Medium                        | Depends on campaign
Man-in-the-Middle (MITM)| Network interception        | Network traffic   | None                 | High (requires network access)| Users on compromised network
Credential Stuffing    | Automated password testing   | User accounts     | None (automated)     | Low (algorithmic detection)   | Multiple services, pre-compromised creds

Pharming differs from phishing by not requiring user interaction—no link clicking or email opening is necessary. Unlike MITM attacks which intercept traffic in-flight, pharming redirects users before their connection begins. Unlike credential stuffing which tests known compromised passwords, pharming creates fraudulent interfaces to capture credentials in real-time.

Why does pharming matter?

Pharming represents a particularly dangerous attack vector because it exploits infrastructure trust rather than user behavior, making detection and prevention challenging.

Pharming incidents and prevalence include the most famous pharming attack in 2007 targeting approximately 50 banks worldwide according to Wikipedia and Fortinet's 2025 historical data. Incident reports on pharming as a distinct attack vector are relatively limited in 2024-2025 threat intelligence, suggesting pharming may be tracked as a subset of phishing rather than separately. ChatGPT malware distribution via fake browser plugins deployed malware to over 2,000 users per day in March 2023, with some leveraging pharming techniques according to Social Engineering Statistics 2026.

Broader phishing context shows that phishing was the most reported cybercrime in 2024 with 193,407 complaints representing 22.5% of all internet crimes according to AAG IT Support's 2025 data. Phishing attacks increased 13% year-over-year in 2024 as documented by Parachute in 2025. Average cost per phishing breach reaches $4.88 million according to IBM's Cost of a Data Breach Report 2024.

Financial impact from pharming is not separately reported but tracked within broader phishing and social engineering losses. Phishing-related losses totaled $70 million in 2024 according to FBI IC3 2024 data. Bank-targeted pharming incidents historically resulted in losses exceeding $100,000 per organization, based on the 2007 incident as described on Wikipedia.

Industry observation from LRQA and Keepnet Labs in 2025 notes that pharming remains a significant but often overlooked threat due to its technical complexity and relative rarity compared to phishing. DNS-based pharming is considered more dangerous than malware-based variants due to potential for mass exploitation.

What are the limitations of pharming?

Despite the effectiveness of pharming, several technical and operational weaknesses create defense opportunities.

Hosts file modification detection is possible because malware-based pharming has to install and run malware on the target device. That creates detection opportunities: Endpoint Detection and Response systems can flag unauthorized writes to the hosts file, file integrity monitoring can alert on changes to critical system files, antivirus can detect the component that delivers the modification, and users or administrators can inspect the hosts file directly for entries that map public services to unexpected addresses.
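Both the mechanism described earlier (the hosts file being consulted before any DNS query) and the detection opportunities listed here come down to a few dozen lines. The following is an added example written for this article, not code from Keepnet Labs or any other source cited on the page: it parses a hosts file with the first-match rule real resolvers use, emulates the stub resolver's lookup order, flags entries that send a name to a public address it is not known to use, and performs the hash comparison a file-integrity monitor would. The sample hosts file, the expected-address list, the addresses and the baseline are all constructed for the demonstration.

```python
"""Hosts-file pharming: lookup order, and how to spot an injected entry.

Added example for this article; not code from any source cited on the page.
The sample hosts file, the expected-address list and the baseline hash are
constructed for the demonstration.
"""
import hashlib
import ipaddress

# Constructed: a clean hosts file ...
CLEAN_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.10.20   intranet.corp.example   # legitimate internal override
"""

# ... and the same file after a pharming Trojan appended two lines.
SAMPLE_HOSTS = CLEAN_HOSTS + """\
203.0.113.45    www.bank.example
203.0.113.45    login.bank.example
"""

# Addresses these names are supposed to resolve to (constructed).
EXPECTED = {"www.bank.example": {"198.51.100.10"},
            "login.bank.example": {"198.51.100.11"}}

# Targets that are normal for local overrides and therefore not flagged.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "fe80::/10")]


def parse_hosts(text):
    """Return {hostname: ip}; the first entry for a name wins, as in real resolvers."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def resolve(name, hosts, dns):
    """Emulate the stub resolver: the hosts file is consulted before any DNS query
    is sent, so a hosts entry silently wins over the (correct) DNS answer."""
    name = name.lower()
    if name in hosts:
        return hosts[name], "hosts"
    return dns.get(name), "dns"


def is_local(ip):
    """Loopback, RFC 1918 and link-local targets are normal in a hosts file."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def suspicious_entries(hosts, expected=EXPECTED):
    """Flag hosts entries that send a name to a public address other than the
    ones it is known to use. Local targets are skipped because developer
    overrides and ad-block lists look exactly like that."""
    flagged = []
    for name, ip in hosts.items():
        if is_local(ip):
            continue
        if ip not in expected.get(name, set()):
            flagged.append((name, ip))
    return flagged


def baseline_hash(text):
    """What a file-integrity monitor stores for the known-good file."""
    return hashlib.sha256(text.encode()).hexdigest()


def integrity_changed(text, baseline):
    """True when the current file no longer matches the recorded baseline."""
    return baseline_hash(text) != baseline


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("resolve:", resolve("www.bank.example", hosts, {"www.bank.example": "198.51.100.10"}))
    print("flagged:", suspicious_entries(hosts))
    print("changed:", integrity_changed(SAMPLE_HOSTS, baseline_hash(CLEAN_HOSTS)))
```

The allow-list check is the useful half: a hash mismatch tells you the file changed, but an ad-blocker or a developer override changes it too, so alerting on any public-address mapping for a sensitive name is what separates a pharming Trojan from routine edits.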

DNSSEC protection lets organizations and ISPs that run validating resolvers reject forged DNS responses for signed zones by checking the cryptographic signatures on the records, according to SSL.com's 2025 analysis. Two caveats matter in practice: the zone being queried must itself be signed, and DNSSEC does nothing about a hosts file rewritten on the endpoint. DNSSEC adoption, while increasing, remains incomplete globally.

Certificate validation through HTTPS creates an observable mismatch: a publicly trusted certificate for the real domain is issued only to whoever controls that domain, so a site reached through a rewritten hosts file or a poisoned cache presents a certificate for the wrong name, a self-signed certificate, or none at all, and modern browsers block or warn on the mismatch. Certificate pinning in enterprise applications prevents acceptance of forged certificates according to Zimperium's 2025 documentation, and a user who has previously reached the legitimate site has seen a valid certificate that a local hosts file change alone cannot reproduce. The caveat is that malware running with administrative rights can also install its own root CA on the compromised machine, at which point the browser warning disappears; pinning is the control that survives that.

DNS query monitoring allows organizations to detect DNS cache poisoning through DNS query logging and analysis for anomalies, monitoring responses that do not match the query, detecting multiple clients receiving identical poisoned responses, and implementing secure DNS resolvers such as Google DNS, Cloudflare, and Quad9.

Infrastructure constraints require attackers to either maintain compromised DNS infrastructure that is detectable through threat intelligence, compromise legitimate DNS servers which have limited availability and high risk of detection, or create fake websites with hosting costs and infrastructure expenses.

TTL limitations mean the effect of cache poisoning expires with the TTL on the poisoned record, after which the resolver fetches legitimate answers again. The attacker sets that TTL in the forged response, so the practical bound is the resolver's configured maximum cache TTL, and flushing the cache ends the redirect immediately.

User verification behavior lets people who use a site frequently notice an unusual appearance or changed functionality, a missing padlock or a certificate warning (current browsers no longer show a green indicator, but they still interrupt the page on an invalid certificate), different loading behavior or response times, and an unexpected login prompt on a site where they were previously signed in.

How can organizations defend against pharming?

Defending against pharming requires DNS security, endpoint protection, and user education that addresses both malware-based and DNS-based attack vectors.

How do DNS security controls prevent pharming?

DNSSEC implementation deploys DNS Security Extensions to add cryptographic authentication to DNS responses, ensuring integrity and authenticity according to SSL.com's 2025 guidance. DNSSEC is the primary defense against DNS cache poisoning. It takes two pieces to work, a signed zone on the authoritative side and validation enabled on the recursive resolver, and it complements rather than replaces the randomization hardening on the resolver itself.

Secure DNS resolvers configure systems to use reputable, security-hardened DNS resolvers including Cloudflare's 1.1.1.1 with malware filtering options, Google Public DNS at 8.8.8.8, Quad9 with threat intelligence integration, and OpenDNS with content filtering.

DNS response validation implements systems that validate DNS responses against known-good values, monitor for unexpected DNS redirects or NXDOMAIN responses, and alert on DNS response anomalies.

Recursive resolver hardening for organizations operating internal DNS includes keeping DNS software fully patched, restricting recursion to authorized clients so the resolver is not open to the Internet, rate limiting responses to reduce the reflection and amplification abuse an open resolver invites, and enabling DNSSEC validation, source port randomization and query-name case randomization (0x20) so that an off-path attacker has far more than a 16-bit transaction ID to guess.

How do endpoint security controls mitigate pharming?

HTTPS and certificate validation ensures all sensitive sites including banking, email, and corporate use HTTPS according to LRQA's 2025 recommendations. Organizations should enforce HTTPS-only policies in browsers and applications, implement certificate pinning for critical applications to prevent forged certificate acceptance, and educate users to confirm the padlock and, when in doubt, open the certificate details to check that the subject matches the domain they intended to visit.

Malware prevention deploys endpoint detection and response solutions that detect hosts file modifications, uses file integrity monitoring to alert on unauthorized system file changes, maintains updated antivirus and anti-malware signatures, and restricts write access to the hosts file so that only administrators can change it.

Hosts file protection implements endpoint protection that monitors the hosts file according to Keepnet Labs' 2025 guidance, uses access controls to prevent modification of system files, configures Windows audit policies to log hosts file modifications, and uses application whitelisting to prevent unauthorized system tool execution.

Local privilege elevation prevention enforces principle of least privilege where users should not have admin rights, requires UAC (User Account Control) elevation for hosts file modifications, and disables autorun features that execute malware automatically.

What network and user education controls prevent pharming?

DNS query monitoring monitors DNS traffic for unusual patterns or unexpected redirects according to LRQA's 2025 recommendations, alerts on DNS queries for newly registered domains, implements DNS sinkholing for known malicious domains, and logs all DNS queries for threat intelligence.
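The monitoring described here, and in the earlier paragraphs on DNS response validation and DNS query monitoring, can be reduced to three checks over resolver logs: does the answer name match the query name, does a sensitive name resolve to an address outside its known-good set, and are many clients receiving the same bad answer (which points at the resolver rather than one endpoint). The following is an added example written for this article, not a tool from LRQA or any other source cited on the page. The log format, the known-good map, the sinkhole list, the client addresses and the answers are all constructed; in a real deployment the input would come from resolver query logs or dnstap, and CNAME chains (where the answer name legitimately differs from the query name) would need handling that this toy omits.

```python
"""DNS response monitoring for pharming indicators, over constructed log lines.

Added example for this article; not a vendor's tool. The log format, the
known-good address map, the sinkhole list and every address are made up for
the demonstration. A-record answers only; CNAME chains are out of scope.
"""
from collections import defaultdict

# Constructed log format: "timestamp client qname qtype rcode name=ip[,name=ip]"
LOG_LINES = """\
10:00:01 10.0.0.11 www.bank.example A NOERROR www.bank.example=198.51.100.10
10:00:02 10.0.0.12 www.bank.example A NOERROR www.bank.example=198.51.100.10
10:00:05 10.0.0.11 mail.corp.example A NOERROR mail.corp.example=10.0.0.25
10:01:10 10.0.0.13 www.bank.example A NOERROR www.bank.example=203.0.113.45
10:01:11 10.0.0.14 www.bank.example A NOERROR www.bank.example=203.0.113.45
10:01:12 10.0.0.15 www.bank.example A NOERROR www.bank.example=203.0.113.45
10:01:30 10.0.0.16 www.bank.example A NOERROR login.bank.example=203.0.113.45
10:02:00 10.0.0.17 evil-updates.example A NOERROR evil-updates.example=203.0.113.9
"""

# Known-good answers for names worth protecting (constructed).
KNOWN_GOOD = {"www.bank.example": {"198.51.100.10", "198.51.100.11"}}
# Domains already sinkholed from threat intelligence (constructed).
SINKHOLE = {"evil-updates.example"}
# The same bad answer reaching this many distinct clients suggests the
# resolver cache, not a single endpoint, is serving it.
CLIENT_THRESHOLD = 3


def parse_line(line):
    """Split one log line into its fields; answer names are lower-cased."""
    ts, client, qname, qtype, rcode, answers = line.split(maxsplit=5)
    parsed = []
    for pair in answers.split(","):
        name, ip = pair.split("=")
        parsed.append((name.lower(), ip))
    return {"ts": ts, "client": client, "qname": qname.lower(),
            "qtype": qtype, "rcode": rcode, "answers": parsed}


def analyse(lines):
    """Return a list of (alert_type, subject, detail) tuples."""
    alerts = []
    clients_seen = defaultdict(set)        # (qname, bad_ip) -> set of clients
    for line in lines.strip().splitlines():
        rec = parse_line(line)
        if rec["qname"] in SINKHOLE:
            alerts.append(("sinkhole-hit", rec["client"], rec["qname"]))
        for name, ip in rec["answers"]:
            if name != rec["qname"]:       # response does not match the query
                alerts.append(("answer-name-mismatch", rec["client"],
                               f"{rec['qname']}->{name}"))
                continue
            good = KNOWN_GOOD.get(name)
            if good is not None and ip not in good:
                alerts.append(("unexpected-address", rec["client"], f"{name}={ip}"))
                clients_seen[(name, ip)].add(rec["client"])
    for (name, ip), clients in clients_seen.items():
        if len(clients) >= CLIENT_THRESHOLD:
            alerts.append(("possible-cache-poisoning", f"{len(clients)} clients",
                           f"{name}={ip}"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(LOG_LINES):
        print(*alert)
```

One unexpected-address hit from one client is consistent with a hosts-file infection on that machine; the same wrong address for three different clients inside a few seconds is the signature of a poisoned resolver cache, and the response to each is different (isolate the endpoint versus flush the cache and inspect the resolver).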

Network segmentation isolates critical systems including financial and administrative on segmented networks with restricted internet access.

Phishing and pharming training educates users to verify website legitimacy before entering credentials according to Zimperium's 2025 guidance, trains users to check for HTTPS and valid SSL certificates, teaches users to recognize pharming indicators such as unexpected login prompts and unusual site appearance, and conducts regular phishing simulations to test employee awareness.

Credential verification procedures encourage users to type URLs manually in the address bar rather than following links, to use bookmark managers that verify HTTPS, and to report unusual website behavior. Note that typing the address guards against phishing links but not against pharming, where a correctly typed name still resolves to the wrong server; the check that survives pharming is whether the certificate presented matches the domain.

Malware hygiene training educates users on risks of downloading files from untrusted sources, email attachment risks, and USB security and safe file sharing practices.

What organizational controls address pharming?

Multi-factor authentication implements MFA on banking, email, and sensitive accounts to limit damage from compromised credentials even if pharming succeeds according to LRQA's 2025 recommendations.

Incident response establishes procedures for rapid detection and isolation of compromised endpoints with hosts file modification, detection of DNS cache poisoning across network, credential revocation and password reset for affected users, and malware remediation and system restoration.

FAQs

How is pharming different from phishing?

Phishing requires user interaction where the attacker sends a malicious link via email and the victim must click it according to Fortinet's 2025 comparison. Pharming requires no user interaction because the attacker redirects users automatically by modifying their hosts file or poisoning DNS. Phishing affects individual email users while pharming via DNS cache poisoning can affect thousands of users simultaneously. This is why pharming is considered more dangerous than traditional phishing despite being less common.

How do attackers redirect users in a pharming attack?

Attackers use two main methods according to Mimecast and SSL.com's 2025 documentation. Method one is malware-based: install malware that modifies the victim's hosts file, mapping legitimate domains to fake IP addresses. Method two is DNS-based: compromise DNS servers and poison the cache with fraudulent DNS responses. DNS-based pharming affects all users querying the compromised DNS server, while hosts file pharming affects only the compromised computer. Both methods redirect users to fraudulent websites that capture credentials.

How can users detect that they have been redirected to a fake website in a pharming attack?

Users should watch for a browser certificate warning (a full-page interstitial rather than a small icon), http:// instead of https:// in the address bar, unusual website appearance, functionality or behavior, unexpected login prompts on sites where they were already signed in, and unusual error messages or loading delays, according to LRQA's 2025 guidance. Confirming that the connection is HTTPS and that the domain shown in the address bar and in the certificate details is the expected one are the critical checks.

Can HTTPS and SSL certificates prevent pharming attacks?

HTTPS prevents attackers from intercepting credentials in transit but cannot by itself prevent pharming, according to SSL.com's 2025 analysis. Because the redirect happens before the connection starts, the attacker can run TLS on the fake site; what they cannot do is obtain a publicly trusted certificate for the victim's real domain, so the browser raises a certificate warning unless malware on the endpoint has also installed a rogue root CA. HTTPS also defeats the simplest variant, a redirect to a plain HTTP copy of the site, provided users or an HTTPS-only browser policy refuse to proceed over HTTP. SSL.com recommends that users verify the certificate matches the expected domain and that organizations implement certificate pinning for critical applications.

What is DNSSEC and how does it prevent pharming?

DNSSEC (DNS Security Extensions) adds cryptographic authentication to DNS responses, ensuring they have not been modified according to SSL.com's 2025 documentation. When enabled, DNS resolvers verify the digital signature on DNS records before using them, which prevents attackers from poisoning the cache with fraudulent responses for signed zones. DNSSEC is the most effective defense against DNS-based pharming, but adoption remains incomplete globally. Validation is performed by the resolver rather than the client, so users benefit by pointing their devices at a validating resolver, and organizations should enable validation on their internal recursive servers and sign the zones they publish.


© 2026 Kinds Security Inc. All rights reserved.
