Reset

Part 1, Hikvision Senior Director of Cybersecurity on Pharming—A Malicious Hacking Attack

July 28, 2020

Hikvision HikWire blog article Chuck Davis pharming cybersecurity

Hikvision senior director of cybersecurity, Chuck Davis, has covered a wide-range of cybersecurity topics in recent HikWire blogs, including “Hikvision’s Work from Home Cyber Series: 3 Tips for Working Securely During COVID-19.”

In today’s blog, Hikvision’s Davis will provide an overview of pharming, a malicious hacking attack.

What is Pharming?
Pharming is a type of cyberattack that redirects a website’s traffic to a malicious site that appears to be the real site. Pharming is used frequently in phishing attacks to trick a victim into sharing login credentials, banking information, or other sensitive data with the attacker.

Attackers often leverage doppelgänger domains to trick victims by using a visually similar domain name. In one example Shark Tank TV celebrity Barbara Corcoran was almost scammed out of $400,000 using this method in a Business Email Compromise (BEC) scam. The attacker sent an email from an email address using @barbaracorcran.com instead of the real @barbaracorcoran.com address.

Pharming is similar to a doppelgänger domain attack, but more effective and much more difficult to execute. It is more effective because a victim who visits the malicious website can see the valid domain name in their browser. It’s much more difficult to execute because the attacker must trick the victim’s computer into going to the malicious website by either making changes to the victim’s computer or somehow changing the destination IP address for a domain name. That’s typically achieved by altering or “poisoning” the victim’s DNS (domain name system) lookup.

How Does a Pharming Attack Work?
To understand pharming, one must know a little bit about how your computer finds websites on the Internet. When you enter a website address into your browser, such as www.google.com, your computer has to look up the IP address of that site because the Internet infrastructure needs to route traffic to IP addresses since it does not understand an address like www.google.com. We make those domain name addresses so our human minds will remember them more easily.

If you want to know the IP address (or IP addresses) of any website on the Internet, you can use the nslookup command on Windows, MacOS, and Linux. One of the IP addresses for www.google.com is 172.217.11.228. If you type that IP address in your browser, you will get to the Google website.

When you enter an address into your browser, your computer first checks for an IP address in a file on your computer called the hosts file. If it sees an entry in the hosts file for that website, it will go to that IP address. This file is editable by the owner of the computer and is a useful tool if you want to name devices on your network. If you want to try editing your hosts file, here are some instructions.

If your computer does not find an entry for that address in the hosts file, your browser will ask your computer’s default DNS server to look up the IP address of that website. There are DNS servers all over the Internet and unless you specifically changed your DNS servers, you are probably using servers from your Internet Service Provider (ISP). Once the DNS server comes back with an IP address, your browser can make the request to go to 172.217.11.228 and almost instantly, you will see the Google web page. So essentially, a pharming attack happens when an attacker is able to send the wrong IP address to the victim’s computer when it does a lookup.

Now that you know a little bit about how your computer looks up IP addresses, you can see how powerful it could be for an attacker to redirect traffic destined for a valid website, to a malicious website. Unlike the doppelgänger domain attack, with pharming, the victim will see the valid address in their browser when they visit the malicious website.

Check back tomorrow when we’ll discuss examples of pharming so you can identify these cyberattacks and avoid becoming a victim of them.

IMPORTANT! This model requires non-standard firmware. Do Not Install standard firmware (e.g. v.4.1.xx) on this model. Doing so will permanently damage your system. You must use custom firmware v.4.1.25 from the iDS-9632NXI-I8/16S product page.

By downloading and using software and other materials available via this website, you agree to be legally bound by HIKVISION General Terms of Use . If you don’t agree to these terms, you may not download or use any of those materials.

If you are agreeing on behalf of your company, you represent and warrant that you have legal authority to bind your company to the General Terms of Use above. Also you represent and warrant that you are of the legal age of majority in the jurisdiction in which you reside (at least 18 years of age in many countries).