What is Pharming? 3 Examples You Need to Know

By Tibor Moes / Updated: July 2023

What is Pharming? 3 Examples You Need to Know

What is Pharming?

Imagine this scenario. You have a piece of software installed on your computer that you’ve been using for years. Occasionally, that software directs you to a webpage where you enter personal details. That’s all legitimate and allows you to keep using the software.

One day, you get another of those requests. So, you follow the instructions and send the details requested. But you start noticing issues over the next few days. Maybe charges are made to your credit cards that you didn’t authorize or you notice your social media accounts are sending friend requests you didn’t make.

You’ve just become a victim of pharming. In this article, we explain what that is and share some examples of major pharming attacks.


  • Pharming, a type of cybercrime, redirects website visitors to fraudulent sites without their knowledge, usually by exploiting DNS servers or modifying a user’s host file, with the intent to harvest personal data like passwords and credit card numbers.

  • It differs from phishing by being indiscriminate and automated, posing a larger-scale threat. Users might not notice they’re on a fraudulent site, as it looks identical to the genuine one, hence maintaining their usual online behavior, which puts their data at risk.

  • To mitigate pharming threats, one should secure their network, regularly update software, use reliable antivirus programs, and implement secure protocols like HTTPS. Always verify website URLs and use two-factor authentication where possible.

Don’t become a victim of cybercrime. Protect your devices with the best antivirus software and your privacy with the best VPN service.

What is Pharming? – In-depth 

Pharming scams are a type of cyberattack that allows hackers to redirect internet users to fake websites. These suspicious sites are often carbon copies of the legitimate sites that you normally use. The hacker aims to convince users they’re on a legitimate website by mimicking a real site. Often, the only indication that you’re on a fraudulent website comes from the web address or domain names being different from what they should be.

Once they have you on their malicious site, a hacker will prompt you to enter sensitive information. Commonly, this involves asking for your login credentials. Once you enter the details, the website may flash an error message to tell you that the login wasn’t successful. So, you go about your day.

Unfortunately, that “failed” login was a success on the hacker’s side. They now have the details you entered, allowing them to engage in fraudulent activity, such as identity theft and online fraud.

Pharmers usually target websites that gather sensitive personal and financial information, such as those operated by banks and online payment platforms.

How Does Pharming Work?

To understand how pharming works, you first need a basic understanding of how website browsers work.

When you open a web browser, such as Google Chrome or Microsoft Edge, your first step is to enter a web address. However, these domain names aren’t what allows for a direct connection. Instead, a Domain Name System (DNS) server has to convert the domain name into an IP address to enable the connection.

It’s this conversion process that hackers exploit in pharming attacks. There are two types of attacks a criminal may use to take advantage of this process:

  • Malware-Based Pharming

  • DNS Poisoning

Malware-Based Farming

The first step of malware-based pharming involves a hacker finding some way to get malicious software onto your computer. This software is usually a virus, trojan horse, or a similar type of pharming malware that operates in the background and presents no visible signs of its presence on the victim’s computer. Pharmers often use phishing to accomplish this by sending code via an email that you click on.

Once the pharming malware is in place, its code changes your computer’s host files to direct you away from legitimate websites. Instead, attempts to access a real site send you to one of the hacker’s malicious sites. This happens even if you type the correct domain name into your web browser.

DNS Poisoning

DNS servers cooperate with each other by maintaining lists of websites with their corresponding IP addresses attached. These lists are kept on servers and called DNS tables.

With DNS server poisoning, a hacker gains access to a server’s DNS table and changes the IP addresses associated with various domain names. The result is that any user who types in the domain name is redirected to a pharming website. Criminals may use these sites to install malware and viruses onto the victim’s computer, resulting in the theft of personal or financial information.

The Signs of a Pharming Attack and What You Can Do About It

It’s remarkably easy to fall victim to pharming websites. If you don’t pay attention to the website’s domain name, you won’t realize something’s wrong until it’s too late. By that point, a hacker may have access to several of your online accounts.

Still, there are several signs you can look out for that suggest you may be a victim of a pharming site:

  • Posts and messages start appearing on your social media accounts that you didn’t make.

  • The passwords for your online accounts have been changed.

  • New software has appeared on your personal computer or device that you didn’t install.

  • Charges are made to your credit card or online payment accounts that you didn’t make.

  • Your social media accounts start sending out friend and connection requests that you haven’t sent.

If you notice any of these signs, there are a few things you can do that may help solve the issue:

  • Change the passwords for all of your online accounts. It’s also a good idea to set up multi-factor authentication so hackers can’t access the accounts with a password alone.

  • Clear the DNS cache in your device.

  • Run antivirus software to clear malware and viruses from the user’s computer.

  • Contact your internet service provider to discuss the issue.

  • Get in touch with your bank or online account provider to report fraud and follow their procedures for protecting yourself and reinstating access.

Real World Pharming Examples

Pharming is extremely common. The fake sites hackers use for these scams are created at a rate of one every 20 seconds. And some of the most successful of these pharming websites have caused major issues, as the following examples demonstrate.

Example No. 1 – The Venezuelan Volunteer Attack

In 2019, a humanitarian group operating in Venezuela had the idea of creating a new campaign. They would use a website for people to sign up, allowing them to open personal accounts through which they could manage donations and similar activities. The website had a form that requested personal data, including the user’s name, personal ID, home location, and phone number.

Just a few short days after the creation of the legitimate website, a pharmer created a malicious website that mimicked the original site almost exactly. Even scarier, the pharmer was able to create their fake domain using the same IP address as the real website, making it virtually indistinguishable from the real thing.

Of course, the fake site also had the form present on the legitimate website. The result of this scam was that thousands of volunteers had their personal information stolen and potentially used for fraudulent purposes.

Example No. 2 – An Attack That Targeted 50 Banks

Don’t make the mistake of thinking that pharming is a new phenomenon. A scam from 2007 involved hackers using fraudulent websites that targeted financial companies in several countries. All told, at least 50 banks operating out of Europe, North America, and the Asia-Pacific region were targeted in the attack.

The pharming effort took advantage of a security vulnerability in Microsoft’s software. Though Microsoft had identified the issue and created a patch to fix it, many hadn’t installed the patch at the time of the attack. The hackers exploited this vulnerability to lure unsuspecting users to a fake website where they could install a file called “iexplorer.exe.” Once clicked, the link connected the user to Russian servers, which downloaded five extra files onto the victim’s device.

Note the filename used in this attack. It’s easy to confuse that filename for one you’d used to download Internet Explorer, which was one of the most popular web browsers in 2007.

Once the fraudulent files were downloaded, the hackers only had to wait for the user to visit their banking website. After typing the real website address into their browser’s address bar, the user was redirected to a fake website. They entered their login credentials, which the hackers stole, and were then redirected to the legitimate site that the hackers had logged into with the user’s stolen credentials.

The result was an almost invisible attack that lasted for three days and is believed to have infected about 1,000 computers per day.

Example No. 3 – The First Drive-By Pharming

In 2008, the first example of what cybersecurity company Symantec called “drive-by pharming” occurred. This involved hackers managing to change the DNS settings stored on a user’s router or wireless access point to direct them to fake sites.

The first drive-by attack was launched against a Mexican bank and involved the hackers sending an email pretending to come from an e-greeting card company named gusanito.com. That email appeared to contain an HTML image tag, though this was actually a hidden piece of code that sent a request to the user’s router. Once the request was accepted, the hackers were able to tamper with the router’s DNS settings to redirect affected users to their malicious websites.

These websites mimicked those of the bank in question. From there, the attack happened as described elsewhere in this article. Any users who tried to access the bank’s legitimate website were redirected to the fake site, which stole any details they entered.

How to stay safe online:

  • Practice Strong Password Hygiene: Use a unique and complex password for each account. A password manager can help generate and store them. In addition, enable two-factor authentication (2FA) whenever available.
  • Invest in Your Safety: Buying the best antivirus for Windows 11 is key for your online security. A high-quality antivirus like Norton, McAfee, or Bitdefender will safeguard your PC from various online threats, including malware, ransomware, and spyware.
  • Be Wary of Phishing Attempts: Be cautious when receiving suspicious communications that ask for personal information. Legitimate businesses will never ask for sensitive details via email or text. Before clicking on any links, ensure the sender's authenticity.
  • Stay Informed. We cover a wide range of cybersecurity topics on our blog. And there are several credible sources offering threat reports and recommendations, such as NIST, CISA, FBI, ENISA, Symantec, Verizon, Cisco, Crowdstrike, and many more.

Happy surfing!

Frequently Asked Questions

Below are the most frequently asked questions.

What’s the difference between pharming and phishing?

Though pharming and phishing are similar, they use different means to steal a user’s details. In phishing, a criminal sends an email with a web link. The victim clicks this link and enters their personal details, which are then stolen. Pharming doesn’t require this direct means of attack as it usually involves a hacker doing something behind the scenes that a user doesn’t realize is happening.

How can i protect myself against pharming?

You can protect against pharming with vigilance. Don’t open links for sites you don’t recognize and avoid deals that seem too good to be true. Check your address bar for typos and incorrect domain names before entering your details. Also, keep an eye out for suspicious websites.

Where does the name pharming come from

The term pharming is a combination of the words phishing and farming. It involves a hacker trying to “farm” personal details from multiple people using techniques similar to those used on phishing.

Author: Tibor Moes

Author: Tibor Moes

Founder & Chief Editor at SoftwareLab

Tibor has tested 39 antivirus programs and 30 VPN services, and holds a Cybersecurity Graduate Certificate from Stanford University.

He uses Norton to protect his devices, CyberGhost for his privacy, and Dashlane for his passwords.

You can find him on LinkedIn or contact him here.