Pharming is a serious and often undetected Internet security threat that can cost you thousands of dollars and ruin your credit rating.
It tricks your computer into sending you to the wrong website even when you type the right domain name into your Web browser. For example, you type in PayPal.com, but your computer takes you to a hacker’s website.
There are basically two types of pharming attacks. The first and simpler attack often comes piggyback on computer viruses. Once the virus is installed on your computer, the pharming attack manipulates a special file on your computer called the hosts file.
This file is normally used by your computer to resolve local hostnames to their real IP addresses and provides a similar functionality like a DNS server. By adding a line to this file, the attack redirects one website to another website for just your computer.
The second and more complex phishing attack focuses on the DNS settings of your local network router. It will have an impact to your whole local network (since most network routers specify a trusted DNS to your local home computers).
Attackers search for network routers in the internet which can be administrated from the outside. Once a network router is found the attacker will try to get access to the device by executing a password brute force attack on the affected administration account or by testing known router product related vulnerabilities.
After a successful infiltration the attacker will immediately modify the firmware of your network router. This firmware offers the same look & feel and functionality like your previous firmware version except for one thing. The shown DNS settings of your network router are not the one the network router is using
While most anti-virus and firewall software offer the feature to monitor your local hosts file, it is important to know that a firmware based network router phishing attack is extremely difficult to detect.
The best way to protect yourself against pharming is to not get infected with viruses in the first place. Keep your anti-virus software updated at all times and apply security patches for your operating system and installed programs on your computer as soon as they become available. Don´t install programs from untrustworthy sources. Be sure also to run regular full-disk virus scans of your computer.
Most viruses can be installed successfully because the administrator account is used for regular internet surfing activities. This was the most common root cause of the infection of my customers computers. Instead create an additional operating system user account with limited permissions for that purpose. The limited user account is under normal conditions not allowed to write to the hosts file or to change your network settings.
Always be aware that toggling between your administrator and your “limited” account is much easier and needs less time than removing a bulldog computer virus.
If the file has been set to read-only, even the administrator is not able to modify that file before the read-only flag has been removed. Remove the read-only flag only temporarily for maintenance purposes (e.g. if you want to add a new computer of your home network or if you enhance your computer security by using Spybot-Search & Destroy))
Make sure that it can be only administrated from your local network. If your router can be administrated from the internet you invite attackers to run a brute force password or vulnerability attack.
Never. I repeat never, be too lazy to change your default passwords. Those passwords can be hacked even by a complete hacker novice within seconds using one of the default password databases that can be found in the internet (look for yourself by entering “default password database” as Google query).
If you are still using the routers default password change it immediately. In case that you are not familiar with the creation of good passwords I strongly recommend that you read this article from Microsoft.
Apply security patches to your network router as soon as they become available. Based on the fact that router based phishing attacks often come in bulk I strongly recommend that you write down your firmware version along with your DNS router settings to a personal emergency response file (after each planned firmware update). Be aware that regular comparisons between your documented firmware version and the currently shown firmware version might be the only way to detect this kind of attack on your own.
The hackers that run
pharming scams often rely on you ignoring warning signs, but if you’re
carefully, you can keep your money safe.