:"For pharming in
genetics, see pharming (genetics)." "For pharming in drug abuse, see pharming parties."
Pharming (pronounced farming) is a hacker's attack aiming to redirect a
website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts fileon a victim’s computer or by exploitation of a vulnerabilityin DNS server software. DNS servers are computers responsible for resolving Internet names into their real addresses — they are the "signposts" of the Internet. Compromised DNS servers are sometimes referred to as "poisoned". The term pharming is a word play on farming and phishing. The term phishingrefers to social engineering attacks to obtain access credentials such as user names and passwords. In recent years both pharming and phishing have been used to steal identity information. Pharming has become of major concern to businesses hosting ecommerceand online bankingwebsites. Sophisticated measures known as anti-pharmingare required to protect against this serious threat. Antivirus softwareand spyware removal softwarecannot protect against pharming.
Pharming vulnerability at home
While malicious domain name resolution can result from compromises in the large numbers of trusted nodes that participate in a name lookup, the most vulnerable points of compromise are near the leaves of the internet. For instance, incorrect entries in a desktop computer's "
Hosts file", which circumvents name lookup with its own local name to IP address mapping, is a popular target for malware. Once rewritten, a legitimate request for a sensitive website can direct the user to a fraudulent copy. Desktops are often better targets for pharming because they receive poorer administration than most internet servers.
More worrisome than host file attacks is the compromise of a local
network router. [cite news
title=Can You Trust a Wireless Router?
date=February 24, 2006
publisher=Indiana University Bloomington] Since most routers specify a trusted DNS to clients as they join the network, misinformation here will spoil lookups for the entire LAN. Unlike host file rewrites, local router compromise is difficult to detect. Routers can pass bad DNS information in two ways: malconfiguration of existing settings or wholesale rewrite of
date=December 13, 2006
publisher=Indiana University Bloomington]
Alternatively, many routers have the ability to replace their firmware (i.e. the internal software that executes the device's more complex services). Like malware on desktop systems, a firmware replacement can be very difficult to detect. A stealthy implementation will appear to behave the same as the manufacturer's firmware; the administration page will look the same, settings will appear correct, etc. Pharming is only one of many attacks that malicious firmware can mount; others include eavesdropping, active
man in the middle attacks, and traffic logging. Like misconfiguration, the entire LAN is subject to these actions.
By themselves, these pharming approaches have only academic interest. However, the ubiquity of consumer grade
wireless routers present a massive vulnerability. Administrative access is available wirelessly on most of these devices. Moreover, since these routers often work with their default settings, administrative passwords are commonly unchanged. Even when altered, many are guessed quickly through dictionary attacks, since most consumer grade routers don't introduce timing penalties for incorrect login attempts. Once administrative access is granted, all of the router's settings including the firmware itself may be altered. These factors conspire to make drive-by router compromise a clear and present threat. These attacks are difficult to trace because they occur outside the home or small office "and" outside the internet.
Instances of pharming
In January 2008,
Symantecreported a drive-by pharming incident directed against a Mexican bank in which the DNS settings on a customer's home router was changed after receipt of an e-mail that appeared to be from a legitimate Spanish-language greeting card company. [cite news
title=First case of "drive-by pharming" identified in the wild
date=January 22, 2008
Controversy over the use of the term
The term "pharming" is controversial within the field. At a conference organized by the
Anti-Phishing Working Group, Phillip Hallam-Bakerdenounced the term as "a marketing neologismdesigned to convince banks to buy a new set of security services."
DNS cache poisoning
* cite news | url=http://www.windowsitpro.com/Article/ArticleID/46789/46789.html?Ad=1
title=Security: Phishing and Pharming
date=June 22, 2005
publisher=Windows IT Pro Magazine
* cite news | url=http://www.csoonline.com/talkback/071905.html
title=How Can We Stop Phishing and Pharming Scams?
date=July 20, 2005
* [http://www.trusteer.com/docs/bind9dns.html BIND 9 DNS Cache Poisoning (DNS Pharming Attack)] - Discovered by Amit Klein (Trusteer)
* [http://www.digitalstakeout.com DigitalStakeout: Anti-Pharming Service Provider]
* [http://www.ngssoftware.com/papers/ThePharmingGuide.pdf "The Pharming Guide" by Gunter Ollmann]
* [http://reviews.zdnet.co.uk/software/internet/0,39024165,39188617,00.htm ZD Net Article "Alarm over "Pharming" Attacks]
* [http://www.wired.com/news/infostructure/0,1377,66853,00.html Wired News: Pharming Out-Scams Phishing]
* [http://www.networkworld.com/columnists/2005/062705edit.html Network World Article on New Anti-Pharming Technology]
* [http://www.eweek.com/article2/0,1759,1791152,00.asp eWeek article on the Hushmail.com DNS pharming attack]
* [http://www.pharming.org pharming.org: Describes current state of the art in solutions to the pharming problem, and also has a list of sites that are and are not Pharming Conscious (PhC)]
* [http://www.csoonline.com/read/100105/pharm.html After Phishing? Pharming!]
* [http://www.safetyoninternet.com Safety on Internet]
Wikimedia Foundation. 2010.