Pharming: Another Dangerous Form of Spoofing

Security Tip: Be cautious online and check before you click! Conduct business from secure and trusted online sites only.

Pharming (pronounced “farming”) is another name for domain spoofing, and it makes identity theft even easier than before. According to Robert Vamosi, Senior Editor, CNET Reviews (February 18, 2005), “Rather than spamming you with e-mail requests, pharmers work quietly in the background, ‘poisoning’ your local DNS server by redirecting your Web request somewhere else. As far as your browser's concerned, you're connected to the right site. The danger here is that you no longer have to click an e-mail link to hand over your personal information to identity thieves.”

Note: DNS stands for Domain Name System, which translates Internet domain names into IP addresses.

Definition of “Pharming”

“Pharming is the exploitation of a vulnerability in the DNS server software that allows a hacker to acquire the Domain Name for a site, and to redirect traffic to that web site [from] to another web site. DNS servers are the machines responsible for resolving internet names into their real addresses - the “signposts” of the [I]nternet. If the web site receiving the traffic is a fake web site, such as a copy of a bank's Web site, it can be used to “phish” or steal a computer user's passwords, PIN number or account number.”

Be Cautious Online

If you must conduct business online, the following tips should help in determining a legitimate Web site. However, always be alert to the risks of providing personal information online.

  • Be cautious of any site dealing with financial transactions, especially ones that do not authenticate the user. If a site does not require a login, it may well be a pharmed (fake) site.
  • When at a Web site that requires a login, test it out by entering your correct user ID and a bogus (phony) password. A legitimate site will reject your login attempt and prevent you from entering the site because your user ID does not match your actual password. A pharmed site will most likely accept the phony password. But, just in case the crooks are on to this test and ask you to re-enter your password, enter the bogus one again. If you are rejected twice, this is most likely a legitimate Web site.
  • Only conduct business on “secure” https sites. (See secure Web site description below.) When accessing a secure Web site, depending on how your computer is configured, you will receive a security alert (see Figure 1).

    Security Alert pop up that shows when you view pages over a secure connection
    Figure 1: Security Alert

Security Certificates

Pharming sites sometimes use self-signed certificates that give users a false sense of security. If the security certificate does not come from a recognized trusted certificate authority, such as Verisign, Entrust, etc., you will see another security alert (see Figure 2) telling you that you have not yet chosen to trust the security certificate on the secure Web site you are trying to access. This alert means that this Web site may be suspect. In such Security Alert dialog boxes, you can select the View Certificate button, and if the certificate name does not match the online company you are trying to access, the certificate is unknown or unverified -- a sign that this may be a pharmed Web site!

Security Alert about the security certificate on a Web site
Figure 2. Security Certificate Warning
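
The two warning signs described in this section (a certificate name that does not match the site, and a self-signed certificate instead of one issued by a certificate authority) can also be checked in Python. This is an added example, not part of the original article; the host names and certificate data are constructed, and the function names are hypothetical.

```python
import socket
import ssl

# Constructed sample data in the dict shape returned by ssl.SSLSocket.getpeercert().
GOOD = {"subject": ((("commonName", "www.examplebank.test"),),),
        "issuer": ((("organizationName", "Example Trusted CA"),),),
        "subjectAltName": (("DNS", "www.examplebank.test"),
                           ("DNS", "*.examplebank.test"))}
SUSPECT = {"subject": ((("commonName", "login.lookalike.test"),),),
           "issuer": ((("commonName", "login.lookalike.test"),),)}

def cert_names(cert):
    """DNS names the certificate covers: subjectAltName, else commonName."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert.get("subject", ())
                    for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a leftmost '*' standing in for exactly one label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def certificate_warnings(cert, host):
    """Reasons to distrust `cert` for `host`, per the two signs described above."""
    warnings = []
    if not any(name_matches(n, host) for n in cert_names(cert)):
        warnings.append("name mismatch")
    # Same subject and issuer means self-signed. A differing issuer proves nothing
    # by itself: only chain validation against the trust store (below) does.
    if cert.get("subject") == cert.get("issuer"):
        warnings.append("self-signed")
    return warnings

def check_live(host, port=443, timeout=5):
    """Full validation against the system trust store (needs network access)."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "trusted"
    except ssl.SSLCertVerificationError as exc:
        return "untrusted: " + exc.verify_message
```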

What Is a Secure Web Site?

According to Webopedia:

“An SSL is “short for Secure Sockets Layer,” a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https:// instead of http://. Another protocol for transmitting data securely over the World Wide Web is Secure HTTP (S-HTTP). Whereas SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely, S-HTTP is designed to transmit individual messages securely.”

The SSL certificate, once “applied” to your web site, allows the web server and the web browser to encrypt the data that's transmitted between them. When visited, a secure Web site automatically downloads its SSL certificate (produced when a site is secured using SSL technology), and most browsers will display a padlock icon in the locked position on the status bar (see Figure 3). The locked padlock lets users know they are transmitting data through a secure connection.

closed padlock
Figure 3. Closed Padlock

For more information on pharming and other threats, check and other security related Web sites.