Pharming: What Is It And How Does It Work?

Posted on June 7, 2011 | Leave a Comment

Pharming is a technique used by identity thieves to “invisibly” redirect you to websites under their control to steal your account details.

What this means is that when you tell your browser to go to your bank, it invisibly directs you to a website that looks exactly like your bank/ And when you type in your login details, you just handed them over to the fraudster.

The insidious part in all this is that you think you are on the right web site because you typed the url directly into the browser or used your bookmarks to go directly to the site. And the web page that is displayed looks correct.

Before we get into how to verify that you are in the right place, let’s take a look at how pharming works.

It all starts with you loading a piece of malware onto your computer. This is not something you deliberately choose to do but it can happen by clicking on an attachment in your email or by clicking a link on a website or downloading some really neat sounding game from a website and installing it on your computer.

So in essence, you handed over the keys to the kingdom by unwittingly accepting this malware installation on your computer. (Hint: A good, up to date virus scanner will help prevent this.)

Once this malware is installed, it sits quietly and invisibly in the background listening to all your web communications.

When it detects that you entered a website of interest into your browser, it intercepts the communication and replaces it with its own communication. This communication directs your browser to display its cloned version of the website.

You, the unsuspecting user, see what you expect and proceed to log in as usual. Your login will generally produce some sort of failure message.

An example would be “Sorry we are doing maintenance on the site. Please try back later.” This is a reasonable message – one that we have all seen at one time or another when accessing one of our financial accounts.

But the truly sophisticated identity thief would have written the malware in such a way that once it captured your login details, it would temporarily disable itself and redirect you to the correct site… either actually logging you in or more likely directing you to a login fail page… again something we all have seen many times.

This second method is by far the trickiest one as you only have a very small window to realize that your details have been stolen.

So now that you know how pharming works from a layperson’s perspective, what are some ways to detect this invisible malicious program.

The first way is to take a careful look at the url displayed on the login page. It is correct? And is it marked as a secure page?

The second was is to see if auto complete is working – if you have it enabled on your browser. Auto complete will automatically recognize your username when you type in the first few letters of your username and display the full username before you finish typing it. So if you have auto complete enabled, and it doesn’t seem to be working, this would be a good time to carefully examine your url to be sure you are on the right place.

If you get a piece of malware on your computer, you need to remove it as it will cause you all sorts of grief and potentially financial loss.

The best way to do this is to get and keep a good virus scanning program running on your computer. And if you think you are infected, use it to run a full scan of all your files. It will take a while but it should capture and destroy that malicious software program.

And if you haven’t done so already, configure your virus scanner to scan all incoming emails and web pages to help protect you from future infection.