
What Is Pharming In Cybersecurity And How Do You Prevent It?


Pharming is a cyberattack that redirects users to fraudulent websites without requiring them to click a malicious link. Unlike phishing, which relies on tricking a user into clicking something, pharming manipulates the infrastructure that resolves website addresses — DNS (Domain Name System) or the local hosts file on a device — so that when a user types a legitimate web address, they are taken to an attacker-controlled fake version of that site instead.

The distinction from phishing matters: phishing requires user error (clicking a suspicious link). Pharming works even when the user does everything correctly — typing the correct address directly into the browser — because the attack has altered the resolution process that connects that address to a server.

For businesses with concerns about how their employees or customers interact with their web presence, pharming is part of the attack surface that cybersecurity services should address at both the infrastructure and endpoint level.

Overview

Pharming works through two primary mechanisms: DNS poisoning (corrupting the DNS servers that resolve domain names to IP addresses) and hosts file manipulation (modifying the file on a device that maps domain names to IPs locally). Both produce the same outcome: the user’s browser goes to the attacker’s server instead of the legitimate one, potentially exposing credentials entered on the fake site.

  • DNS poisoning: corrupts the DNS resolution infrastructure to redirect traffic at scale
  • Hosts file manipulation: modifies the target device’s local domain mapping
  • The user sees the correct URL typed — no suspicious link to avoid
  • Credential harvesting is the primary objective of most pharming attacks
  • DNSSEC, HTTPS verification, and endpoint protection are the primary defenses

The 5 Why’s

  • Why is pharming specifically harder to detect than phishing for most users? Because the trigger in phishing — a suspicious link — is visible and potentially recognizable. In pharming, the user types the address themselves. There is no suspicious element to recognize in the action they take. The only visible indicators may be subtle: a missing HTTPS lock icon, a certificate warning, slight differences in the site’s visual design. Most users do not notice these indicators.
  • Why does DNS infrastructure specifically matter for pharming prevention? Because DNS is the directory that translates domain names (website addresses) into IP addresses (server locations). When DNS is compromised — through cache poisoning, DNS server compromise, or manipulation of DNS records — the translation is corrupted at scale, affecting every user whose DNS queries go through the compromised resolver. DNS security (DNSSEC) provides cryptographic authentication of DNS responses to prevent this manipulation.
  • Why does HTTPS specifically protect against some pharming scenarios? Because HTTPS certificates are bound to domain names. An attacker’s fake site at a different IP address does not hold the private key for the legitimate site’s certificate, so it cannot present a valid certificate for that domain name, and most browsers display a warning when certificate verification fails. Pharming attacks that redirect to plain-HTTP destinations or to sites with invalid certificates are therefore detectable through HTTPS verification, which is why modern pharming attacks often pair with certificate acquisition or target browsers in which certificate warnings have been suppressed.
  • Why is endpoint protection relevant to pharming defense? Because hosts file manipulation requires compromising the device. Malware on a device can modify the hosts file to redirect specific domain names to attacker-controlled IPs. Endpoint protection that detects and prevents hosts file modification, combined with malware prevention, addresses this attack vector at the device level.
  • Why do businesses need to be concerned about pharming against their own domain? Because pharming against a business’s domain harms its customers and its reputation even when the business’s own systems are not directly compromised. If an attacker redirects customers who type a business’s address to a fake login page, the business is not breached — but its customers are harvested, and the trust relationship between the business and its customers is damaged.

How Pharming Works in Practice

DNS Cache Poisoning

DNS resolvers cache responses to speed up repeated queries. Cache poisoning attacks inject fraudulent responses into a resolver’s cache, so that subsequent queries for a specific domain return the attacker’s IP address instead of the legitimate one. Every user whose queries go through the poisoned resolver is redirected until the cache expires and the legitimate entry is restored.

DNS Security Extensions (DNSSEC) add cryptographic signatures to DNS responses, allowing a validating resolver to verify that the data it receives was published by the zone owner. When the domain’s zone is signed and the resolver validates signatures, a forged response fails verification and is discarded instead of being cached, which closes the cache poisoning vector for that domain; both the DNS operator (signing the zone) and the resolver (validating) have to participate for the protection to apply.
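The following is an added example, not code from the original article or from Mindcore. It shows what a client-side check can actually observe about the cache-poisoning and DNSSEC points above: a minimal DNS wire-format parser reads the AD (Authenticated Data) flag that a validating resolver sets only when DNSSEC verification succeeded, and compares the returned A records with the addresses an organisation knows are correct for its own domain. The query builder sets the EDNS0 DO bit so a resolver knows the client understands DNSSEC. All names, IP addresses and response bytes are constructed for the example (documentation ranges), and the expected-IP set is an assumption a real deployment would take from its own DNS records.

```python
import socket
import struct

# Added example, not from the original article. Names, IPs and message bytes
# below are constructed test data; nothing is sent on the network.

def encode_name(name):
    """Encode a dotted hostname in DNS label format."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, tid=0x1234, dnssec_ok=True):
    """A query for NAME; the OPT record with the DO bit asks for DNSSEC data."""
    flags = 0x0100 | 0x0020                    # RD, plus AD to signal we understand the AD flag
    header = struct.pack("!HHHHHH", tid, flags, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    opt = b""
    if dnssec_ok:
        # root name, TYPE=OPT(41), UDP size 4096, ext-rcode 0, version 0, flags DO=0x8000, rdlen 0
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def build_response(tid, name, ips, ad, ttl=300):
    """Construct a resolver answer to an A query (used here only as test data)."""
    flags = 0x8180 | (0x0020 if ad else 0)     # QR + RD + RA, optionally AD
    header = struct.pack("!HHHHHH", tid, flags, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answers

def parse_name(msg, offset):
    """Decode a possibly compressed name; returns (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            end = offset + 2 if end is None else end
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset

def parse_response(msg):
    """Return (header flags, questions, answers) from a DNS response message."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    header = {"id": tid, "rcode": flags & 0xF,
              "ad": bool(flags & 0x0020), "ra": bool(flags & 0x0080)}
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = parse_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    for _ in range(an):
        rname, offset = parse_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": rname, "type": rtype, "ttl": ttl, "data": value})
    return header, questions, answers

def assess(msg, expected_ips):
    """Reasons not to trust a response for a domain whose correct IPs are known."""
    header, _questions, answers = parse_response(msg)
    findings = []
    if header["rcode"] != 0:
        findings.append(f"rcode {header['rcode']}: query did not succeed")
    if not header["ad"]:
        findings.append("AD flag clear: resolver did not vouch for DNSSEC validation")
    seen = {a["data"] for a in answers if a["type"] == 1}
    if not seen:
        findings.append("no A records in answer")
    unexpected = sorted(seen - set(expected_ips))
    if unexpected:
        findings.append("A record(s) outside the expected set: " + ", ".join(unexpected))
    return findings

if __name__ == "__main__":
    expected = {"198.51.100.10"}               # assumed "known good" address for the domain
    good = build_response(0x1234, "www.example.com", ["198.51.100.10"], ad=True)
    bad = build_response(0x1234, "www.example.com", ["203.0.113.7"], ad=False)
    print("validated, expected IP:", assess(good, expected))
    print("unvalidated, unexpected IP:", assess(bad, expected))
```

One caveat worth keeping in mind: the AD flag is only meaningful when the path between the client and the validating resolver is itself trusted (a validator on the same host, or a resolver reached over DNS over TLS or HTTPS). On a plain UDP path the bit is just another field in the packet, so the second check, comparing answers against the organisation’s own published addresses, is the one that still works when the resolver itself has been swapped out, as in the router hijacking case below.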

Router DNS Hijacking

Home routers and small business routers with default credentials or unpatched vulnerabilities can be compromised to change the DNS server settings used by devices on the network. The attacker replaces the legitimate DNS server address with their own, enabling them to redirect any domain to any destination for all devices on the network.

This attack is particularly relevant for remote workers whose home routers may not be patched or secured to the standard of corporate network equipment.

Hosts File Manipulation

The hosts file on Windows and Unix systems can map domain names to IP addresses locally, overriding DNS. Malware that modifies the hosts file can redirect specific domains — banking sites, email providers, corporate applications — to attacker-controlled servers on a device-specific basis.
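Because hosts file manipulation is device-local, the defensive check is also device-local: read the file, flag any watched domain that is pinned to something other than a sinkhole address or an approved internal override, and diff the file against a baseline captured at provisioning time. The script below is an added example, not code from the original article or from Mindcore; it does in plain Python what the endpoint-protection controls described later do continuously. The hosts file paths are the standard Windows and Unix locations; the sample file contents, the watched domains, the approved override and the malicious entry are all constructed for the example.

```python
import hashlib
import ipaddress
import platform
from pathlib import Path

# Added example, not from the original article. Sample file contents, domains
# and IPs are constructed; the live-file read at the bottom is optional.

HOSTS_PATH = (Path(r"C:\Windows\System32\drivers\etc\hosts")
              if platform.system() == "Windows" else Path("/etc/hosts"))

# Addresses that merely sink a name (ad blocking, dev stubs) rather than redirect it elsewhere.
SINKHOLE = {"0.0.0.0", "127.0.0.1", "::1", "::"}

BASELINE_HOSTS = """# constructed baseline captured when the device was provisioned
127.0.0.1       localhost
::1             localhost
192.168.10.5    intranet.corp.example   # approved internal override
0.0.0.0         ads.tracker.example     # blocklist sinkhole, benign
"""

# Constructed malicious addition: a banking login name pinned to an unrelated public IP.
CURRENT_HOSTS = BASELINE_HOSTS + "203.0.113.45    login.bank.example\n"

def parse_hosts(text):
    """Return (line number, ip, hostname) for every mapping; comments and blanks are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                      # malformed line; a stricter audit could flag it
        entries.extend((lineno, ip, host.lower()) for host in fields[1:])
    return entries

def audit_hosts(text, watched_domains, approved_overrides):
    """Flag watched domains mapped to anything other than a sinkhole or an approved override."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if ip in SINKHOLE or approved_overrides.get(host) == ip:
            continue
        if any(host == d or host.endswith("." + d) for d in watched_domains):
            findings.append({"line": lineno, "host": host, "ip": ip})
    return findings

def new_mappings(baseline_text, current_text):
    """Mappings present now that were absent from the baseline (what a change alert should carry)."""
    before = {(ip, host) for _, ip, host in parse_hosts(baseline_text)}
    after = {(ip, host) for _, ip, host in parse_hosts(current_text)}
    return sorted(after - before)

def fingerprint(text):
    """SHA-256 of the file contents: cheap to store and compare on every scan."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    # Assumed policy: these domains must never be overridden locally except as approved.
    watched = {"bank.example", "corp.example", "mail.example"}
    approved = {"intranet.corp.example": "192.168.10.5"}
    print("suspicious:", audit_hosts(CURRENT_HOSTS, watched, approved))
    print("added since baseline:", new_mappings(BASELINE_HOSTS, CURRENT_HOSTS))
    print("file changed:", fingerprint(BASELINE_HOSTS) != fingerprint(CURRENT_HOSTS))
    if HOSTS_PATH.exists():
        live = HOSTS_PATH.read_text(errors="replace")
        print("live file findings:", audit_hosts(live, watched, approved))
```

The watched-domain check catches the case the section describes (a banking or corporate name redirected to an attacker-controlled IP) without raising noise on the legitimate uses of the file, while the baseline diff catches anything else that changed. An approved override that is later re-pointed to a different address is flagged too, since the override is matched on both name and IP.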

Pharming Prevention

DNSSEC deployment and use of secure DNS resolvers: businesses should use DNS resolvers that support and validate DNSSEC, and where they control DNS records for their own domain, they should enable DNSSEC on those records.

Endpoint protection against hosts file modification: modern endpoint protection tools detect and prevent unauthorized modification of the hosts file and alert on unexpected changes.

HTTPS enforcement and certificate monitoring: configure browsers and systems to reject certificate errors rather than allowing bypass, and monitor for unauthorized SSL certificates issued for your domain.

Router security: business and remote work routers should use non-default credentials, have current firmware, and use organization-controlled or reputable DNS services rather than ISP-default resolvers.

Employee training: employees who know to verify the HTTPS certificate when entering credentials, and who know to report when a familiar site looks different, provide an additional detection layer for successful pharming attacks.

Final Takeaway

Pharming is a DNS and hosts file manipulation attack that redirects users to fraudulent sites without requiring them to click anything suspicious. It is harder to detect than phishing for most users and operates at the infrastructure level rather than the individual behavior level. Defense requires DNSSEC, endpoint protection, HTTPS enforcement, router security, and employee awareness — operating as a layered defense rather than any single control.

Infrastructure Security Including DNS Protection — Mindcore Technologies

Mindcore’s cybersecurity services cover DNS security, endpoint protection against hosts file manipulation, and the network security controls that address infrastructure-level attacks like pharming. Our managed IT services maintain these controls continuously.



Matt Rosenthal