DNS Pharming is a type of DNS attack in which users are silently redirected to a fake version of a website, often one that looks identical to the real site, in order to steal personal information such as login credentials, email addresses and credit card details.
This type of attack is typically the result of a compromise either of an individual local device, by infecting its hosts file, or of the entire local network, by changing the DNS servers configured on the router used to connect to the internet to servers under the attacker's control.
While detecting changes to the hosts file can be easy, malware which has compromised this file will often also add manipulated entries for the websites of common anti-virus vendors, making it harder for users to remove.
DNS Pharming primarily affects end-users but can also affect website owners.
Users - Users are affected by DNS Pharming when their local device or network has been infected with malware that tricks them into viewing a fake version of a website. This may lead to their accounts being compromised on any website, including their bank, as well as other information they enter, such as their home address or credit card details, being stolen.
Website Owners - Website owners are not directly affected, as their websites have not been compromised, but if users are tricked into entering their login details into a fake website, the attackers can use the stolen usernames and passwords to gain access to the real website. If, for example, the real website stores saved payment details, the attacker could place an order and have it shipped elsewhere, which once discovered could result in chargebacks and customer support overhead.
DNS Pharming can be done in a few different ways - some methods only affect a single device while others result in the entire local network being compromised. Below are some of the ways in which DNS Pharming can be performed.
Compromised Hosts File - Devices including laptops and PCs running any operating system, including Windows and Mac OS, have what is known as a hosts file. This file is consulted first, before any DNS lookup is made, when visiting a website. If this file is compromised by malware, or by an attacker with physical access to your device, it can be altered so that requests for certain websites are sent to a fake version rather than the real one.
Changing a hosts file is as simple as adding a single line to a text file, with the IP address first followed by the hostname whose lookup it overrides:
192.168.2.1 example.com
Compromised DNS Server Settings - Much like a compromised hosts file, a device's network configuration can be changed by either malware or someone with physical access to the device. The attacker changes the network configuration so that the DNS server is set to a server under their control, rather than pointing to the local router or a trusted DNS resolver such as the one issued by the ISP or a public resolver like Google's or Cloudflare's.
Compromised Router - Similar to an individual device having its network configuration compromised, a network router can also be modified so that DNS lookup requests are sent to a DNS server under the attacker's control. In some cases custom firmware may be running on the router which makes it appear as though the configured DNS servers are a trusted source, while the actual requests are sent to a server under the attacker's control; this can make the attack more difficult to detect.
Checking your device's hosts file and network configuration, as well as your router's settings, for unauthorized changes is a good first step to determine whether you may be the victim of a DNS Pharming attack.
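As an added example that is not part of the original article, the following Python script performs the two local checks just described: it parses hosts-file text and flags watched domains that have been pinned to a routable address, and it compares the nameservers in a resolv.conf-style configuration against an allowlist. The sample file contents, the watchlist of domains and the set of trusted nameservers are all constructed for illustration; router settings are not covered because each vendor exposes them through its own interface.

```python
import ipaddress

# Constructed sample hosts file content (not taken from any real system).
# Real locations: /etc/hosts on Linux/macOS,
# C:\Windows\System32\drivers\etc\hosts on Windows.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.example            # ad-blocking style entry, not pharming
192.168.2.1     example.com www.example.com
203.0.113.45    bank.example           # placeholder banking site
"""

# Constructed sample resolver configuration in /etc/resolv.conf syntax.
SAMPLE_RESOLV = """\
nameserver 192.168.1.1
nameserver 203.0.113.53
search home.lan
"""

# Hypothetical watchlist: sites whose hosts-file override would be a red flag.
WATCHLIST = {"example.com", "www.example.com", "bank.example", "av-vendor.example"}
# Hypothetical allowlist: the local router plus public resolvers the owner chose.
TRUSTED_NAMESERVERS = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}


def _strip_comment(raw):
    """Drop everything after '#' and the surrounding whitespace."""
    return raw.split("#", 1)[0].strip()


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    The format is 'IP hostname [alias ...]'; comments and blank lines are
    ignored, and a line whose first field is not a valid IPv4/IPv6 address
    is skipped."""
    entries = []
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def audit_hosts(text, watchlist=WATCHLIST):
    """Flag watched hostnames that are pinned to a routable address.

    Loopback and unspecified (0.0.0.0) targets are ignored because they
    block a site rather than redirect it; a pharming entry needs an
    address the browser can actually reach."""
    findings = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if name in watchlist and not (addr.is_loopback or addr.is_unspecified):
            findings.append((name, ip))
    return findings


def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for raw in text.splitlines():
        fields = _strip_comment(raw).split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def audit_nameservers(text, trusted=TRUSTED_NAMESERVERS):
    """Return configured nameservers that are not on the allowlist."""
    return [s for s in parse_nameservers(text) if s not in trusted]


if __name__ == "__main__":
    for name, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {ip}")
    for server in audit_nameservers(SAMPLE_RESOLV):
        print(f"untrusted nameserver: {server}")
```

Against the constructed samples this reports the three watched hostnames mapped to non-loopback addresses and the one nameserver outside the allowlist. To run it on a real machine, replace the sample strings with the contents of the actual hosts and resolver files and populate the watchlist with the sites you log in to; an entry for such a site pointing at any address other than loopback is worth investigating.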
DNS Pharming can in some cases be difficult to detect, but a common sign is visiting a website you use regularly and being presented with a page containing strange formatting errors or spelling mistakes; this may be the result of a DNS Pharming attack. Having said that, many attackers do a very good job of imitating the real website, so just because something looks right does not mean that it is.
Another common sign is a website you normally visit over HTTPS being displayed over HTTP; this too may be the result of DNS Pharming. Additionally, if you visit a website over HTTPS and are presented with an invalid certificate warning, this may also be an indicator of DNS Pharming.