The cyclical relationship between threat actors and security professionals begins with the creation of a new attack technique, followed by the discovery of that technique by the security community, and then a refashioning of the manner of attack or creation of another novel approach by threat actors.
A few weeks ago, we took our first look at pharming. We saw some basics about how it can be accomplished and detected. Let's now dig deeper into the technical mechanics behind it and discuss in more detail how these attacks can be detected and mitigated.
But before we discuss the details of how these attacks work, it is important to understand how a computer obtains an IP address (which is what actually initiates a connection to a website) from the domain within a URL (such as https://login.mybank.com/online/login.html). When a web user attempts to navigate to a site, their computer determines the IP address by consulting either a local file of static name-to-address mappings, called a hosts file, or a DNS server on the internet. Because the hosts file is consulted before DNS on most systems, an entry placed there silently overrides whatever answer DNS would have returned.
Pharming is a type of cyber-attack that hijacks a legitimate website’s traffic and instead directs it to a malicious web server. In many respects, pharming is similar to phishing in that it presents a victim with a page that appears to be 100% legitimate and trusted. But unlike phishing attacks, pharming attacks don’t rely on tricking a user into clicking on a malicious URL. Instead, the user navigates to the proper URL for a website (perhaps even by using the same bookmark as yesterday) and is directed to a bogus server hosted by the attacker. A page is presented that steals the user’s information – at least their account credentials – and is often not detected by a victim until information has already been compromised.
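As an added example (not code from the original post), here is a small Python check for the hosts-file variant of the redirect described above: it parses hosts-file text and flags any line that sends a watched domain anywhere other than loopback, a 0.0.0.0 sinkhole, or the address a trusted resolver is expected to return. The sample hosts content, the watchlist and the expected addresses are constructed assumptions.

```python
import ipaddress
# Constructed sample hosts file (not from any real system): loopback entries,
# a 0.0.0.0 ad sinkhole, and one line that silently points the bank at an
# attacker-controlled address.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
0.0.0.0     ads.example.net          # blackholed, not a redirect
# Added by malware: bank traffic now goes to a look-alike server
203.0.113.9 login.mybank.com mybank.com
"""
# Assumed watchlist of domains that must not be overridden, and the addresses
# a trusted resolver should return for them (constructed sample values).
WATCHED = {"mybank.com"}
EXPECTED = {"login.mybank.com": {"198.51.100.20"}, "mybank.com": {"198.51.100.20"}}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments
    and lines whose first field is not a valid IPv4/IPv6 address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield ip, host.lower()

def is_watched(host, watched=WATCHED):
    """True if host is a watched domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in watched)

def suspicious_entries(text, watched=WATCHED, expected=EXPECTED):
    """Return (host, ip) pairs where a hosts-file line sends a watched domain
    anywhere other than loopback, a 0.0.0.0 sinkhole, or its expected
    address: the pharming pattern described in the text."""
    findings = []
    for ip, host in parse_hosts(text):
        if not is_watched(host, watched):
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue  # localhost mappings and sinkholes are not redirects
        if str(ip) in expected.get(host, set()):
            continue  # matches the legitimate record, so not a hijack
        findings.append((host, str(ip)))
    return findings
```

Run `suspicious_entries(SAMPLE_HOSTS)` to see the injected line reported for both bank hostnames while the loopback and sinkhole entries stay silent.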