Part 1, Hikvision Senior Director of Cybersecurity on Pharming—A Malicious Hacking Attack
Hikvision senior director of cybersecurity, Chuck Davis, has covered a wide-range of cybersecurity topics in recent HikWire blogs, including “Hikvision’s Work from Home Cyber Series: 3 Tips for Working Securely During COVID-19.”
In today’s blog, Hikvision’s Davis will provide an overview of pharming, a malicious hacking attack.
What is Pharming?
Pharming is a type of cyberattack that redirects a website’s traffic to a malicious site that appears to be the real site. Pharming is used frequently in phishing attacks to trick a victim into sharing login credentials, banking information, or other sensitive data with the attacker.
Attackers often leverage doppelgänger domains to trick victims by using a visually similar domain name. In one example Shark Tank TV celebrity Barbara Corcoran was almost scammed out of $400,000 using this method in a Business Email Compromise (BEC) scam. The attacker sent an email from an email address using @barbaracorcran.com instead of the real @barbaracorcoran.com address.
Pharming is similar to a doppelgänger domain attack, but more effective and much more difficult to execute. It is more effective because a victim who visits the malicious website can see the valid domain name in their browser. It’s much more difficult to execute because the attacker must trick the victim’s computer into going to the malicious website by either making changes to the victim’s computer or somehow changing the destination IP address for a domain name. That’s typically achieved by altering or “poisoning” the victim’s DNS (domain name system) lookup.
How Does a Pharming Attack Work?
To understand pharming, one must know a little bit about how your computer finds websites on the Internet. When you enter a website address into your browser, such as www.google.com, your computer has to look up the IP address of that site because the Internet infrastructure needs to route traffic to IP addresses since it does not understand an address like www.google.com. We make those domain name addresses so our human minds will remember them more easily.
If you want to know the IP address (or IP addresses) of any website on the Internet, you can use the nslookup command on Windows, MacOS, and Linux. One of the IP addresses for www.google.com is 126.96.36.199. If you type that IP address in your browser, you will get to the Google website.
When you enter an address into your browser, your computer first checks for an IP address in a file on your computer called the hosts file. If it sees an entry in the hosts file for that website, it will go to that IP address. This file is editable by the owner of the computer and is a useful tool if you want to name devices on your network. If you want to try editing your hosts file, here are some instructions.
If your computer does not find an entry for that address in the hosts file, your browser will ask your computer’s default DNS server to look up the IP address of that website. There are DNS servers all over the Internet and unless you specifically changed your DNS servers, you are probably using servers from your Internet Service Provider (ISP). Once the DNS server comes back with an IP address, your browser can make the request to go to 188.8.131.52 and almost instantly, you will see the Google web page. So essentially, a pharming attack happens when an attacker is able to send the wrong IP address to the victim’s computer when it does a lookup.
Now that you know a little bit about how your computer looks up IP addresses, you can see how powerful it could be for an attacker to redirect traffic destined for a valid website, to a malicious website. Unlike the doppelgänger domain attack, with pharming, the victim will see the valid address in their browser when they visit the malicious website.
Check back tomorrow when we’ll discuss examples of pharming so you can identify these cyberattacks and avoid becoming a victim of them.