What Is Pharming and How Does It Work Without a Single Click?

Pharming silently redirects users to fake sites by corrupting DNS — no click required. Understand how it works and why standard defenses often fall short.

Pharming is a deceptive cyberattack that can redirect users to fraudulent websites even when they type the correct address. It happens silently, which makes it difficult to notice and easy to underestimate. Understanding what pharming is helps explain why a legitimate-looking website is not always the safe destination it appears to be.

Key Takeaways

  • Pharming redirects users to fraudulent websites through technical manipulation of DNS infrastructure or local device settings, requiring no action from the victim.
  • The attack can happen through local malware, poisoned DNS data, compromised DNS providers, or altered router settings.
  • Antivirus software can only defend against malware-based pharming; DNS server-level attacks bypass the victim's device entirely and require infrastructure-level protections like DNSSEC.
  • The threat has been serious enough to prompt U.S. government guidance focused on DNS infrastructure tampering.

What Is Pharming?

Pharming is a cyberattack that redirects users from legitimate websites to fraudulent copies without their knowledge, typically by corrupting the Domain Name System (DNS) or tampering with a device's local network settings.

The term combines "phishing" and "farming," reflecting how attackers harvest credentials and personal data at scale. Unlike phishing attacks, which rely on deceptive messages to lure victims, pharming uses technical means to reroute traffic silently. Users who type the correct web address and follow proper security habits can still land on a fake site, and this quality makes the attack particularly difficult to detect.

How Pharming Works

Pharming works by corrupting the process that connects a typed web address to the correct destination. It exploits the Domain Name System (DNS), the infrastructure that translates human-readable website names into the numerical IP addresses computers use to locate servers.

Every time you enter a URL like "www.yourbank.com" into a browser, your device sends a request to a DNS resolver, which looks up the corresponding IP address and directs your connection to the right server. Pharming attacks intercept or corrupt this translation process, substituting a malicious IP address for the legitimate one. Your browser displays the correct URL, but the connection routes to an attacker-controlled server hosting a pixel-perfect replica of the real site. When you enter your username, password, or payment details, that information goes directly to the attacker.

The attack can target different points in the DNS resolution chain, from individual devices to service providers and organizations that manage DNS records. This range of entry points is what gives pharming its variety and makes a single defensive measure insufficient.

Modifying the Local Hosts File Through Malware

The most targeted form of pharming compromises a single device. Every operating system maintains a hosts file, a local directory that maps domain names to IP addresses before the device ever contacts an external DNS server. Pharming malware, sometimes called a DNS changer, quietly edits this file after arriving through a malicious email attachment, trojanized download, or drive-by browser exploit.

Once installed, the malware redirects specific domains to attacker-controlled IP addresses whenever the victim types those URLs. The changes persist even after the browser is closed and, in many cases, survive a system reboot. Because the compromise happens on the device itself, the victim's internet service provider and DNS resolver remain completely unaware.
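Because this variant leaves its evidence in a plain text file on the device, it is the one form of pharming a host-level check can catch directly. The following Python script is an added example, not code from the original article or from Abnormal; it parses hosts-file content and flags the two patterns a DNS changer produces: a watched domain pinned to any address, and any name mapped to an address outside the loopback and private ranges. The hosts content, the domains and the addresses are constructed placeholders.

```python
import ipaddress

# Constructed hosts-file content for this example; not taken from any real system.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    printer.lan
0.0.0.0         ads.example          # ad-blocking style sinkhole, benign

# Entries of the kind a DNS changer adds (constructed placeholders)
203.0.113.45    www.example-bank.com example-bank.com
2001:db8::1     login.example-shop.com
198.51.100.7    cdn.example.net
"""

# Domains that must always be resolved through DNS, never pinned locally.
# Placeholder names for the example.
WATCHLIST = {"www.example-bank.com", "example-bank.com", "login.example-shop.com"}

# Address ranges a hosts file legitimately points at: loopback, RFC 1918,
# link-local, IPv6 ULA, and the 0.0.0.0 sinkhole used by ad-blocking lists.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]


def is_local(ip):
    """True if ip falls in a range that is normal for a hosts-file entry."""
    return any(ip in net for net in LOCAL_NETS)


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address, so not a hosts entry
        for name in parts[1:]:
            yield ip, name.lower()


def audit_hosts(text, watchlist=WATCHLIST):
    """Return (hostname, ip, reason) tuples for entries that look like tampering.

    Two patterns are flagged: a watched domain pinned to any address at all, and
    any other name mapped to an address outside the local ranges above, which is
    what a DNS changer does when it redirects a site to an attacker's server.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name in watchlist:
            findings.append((name, str(ip), "watched domain pinned in hosts file"))
        elif not is_local(ip):
            findings.append((name, str(ip), "name mapped to non-local address"))
    return findings


if __name__ == "__main__":
    for name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{name:28} -> {ip:16} {reason}")
```

In practice the script would read the real file (/etc/hosts on Linux and macOS, C:\Windows\System32\drivers\etc\hosts on Windows) and the watchlist would hold the domains your users actually log in to; the sample run reports the three watched names and the public-address mapping while leaving the localhost, printer and ad-sinkhole entries alone.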

Poisoning DNS Server Caches

DNS cache poisoning targets the shared infrastructure that serves many users at once. DNS resolvers store, or "cache," recent lookup results so they do not have to query authoritative servers for every request. Attackers inject false IP mappings into a resolver's cache, and the poisoned data persists for the duration of the entry's Time-To-Live (TTL) value.

During that window, every user who queries the compromised resolver for the targeted domain receives the attacker's IP address instead of the legitimate one. The victim's own device can be completely clean of malware and still be affected, because the corruption sits upstream in the DNS infrastructure.

Hijacking Domain Registrars or DNS Providers

The most damaging pharming attacks bypass both the user's device and their DNS resolver by compromising the organizations that manage DNS records directly. Domain registrars and DNS hosting providers control the authoritative records that tell the internet where to find a given website. When attackers gain access to these systems, they can rewrite records at the source, redirecting traffic for a domain regardless of which DNS resolver a visitor uses.

This vector requires more sophistication but produces the widest blast radius. Attackers have used stolen credentials, spear-phishing against registrar employees, and exploitation of web application vulnerabilities to gain access. Because the changes happen at the authoritative level, no malware needs to exist on the victim's device for the redirect to occur.

Reconfiguring Home Routers

A fourth vector targets home and small office routers. Many consumer routers ship with default administrative credentials that owners never change. Attackers who gain access, either through the default password or by exploiting firmware vulnerabilities, modify the router's DNS settings to point to a malicious resolver. Every device on that network then uses the compromised DNS server for all lookups, and any domain can be redirected to a fraudulent site without touching a single endpoint.

This approach blends elements of endpoint and infrastructure attacks. The individual devices on the network remain malware-free, but their DNS queries are silently rerouted at the network edge. Detection is particularly difficult because standard endpoint security tools do not monitor router DNS configurations. Firmware updates and password changes can resolve the issue, but many users never check their router's settings, which allows the redirection to persist.
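One host-side check that catches part of this vector is to compare the resolvers a device is actually using with the ones the network owner intended. The Python script below is an added example, not from the original article or from Abnormal; it parses resolv.conf-style text and reports any resolver not on an allowlist, labelling it as a LAN address (an unexpected device answering DNS) or an external one (the pattern of a router whose DHCP-advertised DNS has been repointed). The configuration text and all addresses are constructed placeholders. Note the blind spot the text describes: if the router keeps advertising itself as the resolver and only its upstream has been changed, the host sees nothing unusual, so the router's own settings still have to be inspected.

```python
import ipaddress

# Constructed /etc/resolv.conf content as a Linux host would hold it after a
# DHCP lease from the router. Not taken from any real system.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.53
nameserver 2001:db8:bad::53
options timeout:2 attempts:2
"""

# Resolvers this network is supposed to use: the router itself plus the
# encrypted-DNS resolver the owner configured. Placeholder addresses.
ALLOWED_RESOLVERS = {"192.168.1.1", "2001:db8:1::53"}

# Ranges that indicate a resolver on the local network rather than the internet.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]


def parse_nameservers(text):
    """Return the resolver addresses listed in resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed address, ignore the line
    return servers


def audit_resolvers(text, allowed=ALLOWED_RESOLVERS):
    """Return (address, scope, reason) for every resolver not on the allowlist.

    scope is "lan" for an address in a local range and "external" for a public
    address; an external resolver nobody configured is the signature of the
    router-level redirect discussed above.
    """
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    findings = []
    for ip in parse_nameservers(text):
        if ip in allowed_ips:
            continue
        scope = "lan" if any(ip in net for net in LAN_NETS) else "external"
        findings.append((str(ip), scope, "resolver not on allowlist"))
    return findings


if __name__ == "__main__":
    for addr, scope, reason in audit_resolvers(SAMPLE_RESOLV_CONF):
        print(f"{addr:20} {scope:9} {reason}")
```

On the sample input the router address passes and the two unexpected public resolvers are reported; on Windows the same comparison can be made against the DNS servers listed by ipconfig /all, and on any platform against the DNS servers shown in the router's own status page.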

Pharming vs. Phishing: Why the Distinction Matters

Pharming and phishing differ mainly in how victims reach the fake site: pharming changes where traffic goes, while phishing tries to persuade the victim to go there. Phishing relies on social engineering: a deceptive email, text message, or voice call tricks the recipient into clicking a malicious link or opening a harmful attachment. The victim must take an action based on a fraudulent communication.

Pharming, by contrast, uses technical manipulation of DNS or device settings to redirect traffic automatically. Security professionals sometimes call it "phishing without a lure" because the trap is already set before the victim opens a browser.

| Dimension | Pharming | Phishing |
|---|---|---|
| Attack Layer | DNS infrastructure or device settings | Deceptive communication (email, SMS, voice) |
| Victim Action Required | None; correct URL still leads to fake site | Must click a link, open an attachment, or reply |
| Detection by User | Extremely difficult; URL appears correct | Possible through message inspection |
| Scale per Attack | Can affect all users of a DNS server or registrar | Typically targets individuals or groups |
| Attacker Skill Level | Higher; requires DNS or network knowledge | Lower; social engineering templates are widely available |
| Primary Defense Category | Network and infrastructure controls | User awareness and email security |

Warning Signs of Pharming

Pharming warning signs usually appear as certificate anomalies, login irregularities, or other unexpected behavior on familiar sites. An HTTPS padlock that suddenly disappears on a site that always had one, or a browser warning about an invalid certificate, may indicate that the connection is routing to a server that cannot present the legitimate site's certificate.

Unusual delays during page loading on familiar sites can sometimes reflect the extra routing step through an attacker's infrastructure. Unexpected prompts to re-enter credentials on a site where you are already logged in, or requests for information the real site has never asked for, are also worth questioning.

For organizations, unusual spikes in failed login attempts, unexplained DNS record changes, or employees reporting password resets they did not initiate may point to a compromise and warrant investigation.

Common Misconceptions About Pharming

Common misconceptions about pharming usually confuse it with phishing, overstate what antivirus can do, or assume careful browsing habits are enough to stop it. Each of these makes the attack seem simpler, narrower, or easier to stop than it really is.

Pharming and Phishing Are the Same Attack: Both present victims with a fake website, but phishing requires the victim to act on a deceptive communication. Pharming redirects traffic at the infrastructure level regardless of what the user does correctly. They belong to different attack categories: social engineering for phishing, network attacks for pharming.

DNS Spoofing and Pharming Are Interchangeable Terms: DNS spoofing is one technique used to achieve pharming, but pharming can also be accomplished through hosts file modification, registrar compromise, or router reconfiguration. Conversely, DNS spoofing can be used for purposes unrelated to pharming, such as traffic analysis or censorship.

Antivirus Software Protects Against All Forms of Pharming: Antivirus tools may detect malware that modifies local hosts files, but they provide no defense against DNS server-level pharming, where the compromise exists entirely upstream of the victim's device. A user with a completely clean computer can still be redirected if their DNS resolver or registrar is compromised.

Typing the URL Manually Prevents Pharming: This precaution helps against phishing, but users often assume the same habit protects them from pharming. It does not. In pharming, the misdirection happens after the browser sends its DNS query, so manually entering the correct address offers no protection.

How to Protect Against Pharming Attacks

Protecting against pharming attacks requires layered defenses because the redirect can happen on the device, on the network, or inside DNS infrastructure. For individuals, a few practical steps can reduce exposure. Using a reputable DNS resolver that supports DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) encrypts DNS traffic between your device and the resolver, making it harder for attackers to intercept or redirect queries.

Keeping router firmware updated and replacing default administrative passwords closes one of the most common pharming entry points. Verifying that HTTPS is active and the certificate is valid before entering credentials provides a useful, though imperfect, check. Multi-factor authentication (MFA) limits the damage even if credentials are captured, since a stolen password alone cannot complete the login.

According to the FBI IC3 report, phishing and spoofing, the combined category that includes pharming, generated 193,407 complaints and over $70 million in reported losses in 2024 alone.

For organizations, the most effective infrastructure-level defense is DNSSEC, which adds digital signatures to DNS data so that forged responses can be detected and rejected. CISA's guidance recommends auditing DNS records for unauthorized changes, changing DNS account passwords, adding MFA to DNS management accounts, and monitoring Certificate Transparency logs.
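Two of the checks in that guidance, auditing DNS records for unauthorized changes and watching Certificate Transparency logs, reduce to comparing what is observed against what the organization expects. The Python below is an added example, not code from the original article, from Abnormal or from CISA; it serves both the registrar-compromise section above and this one. It diffs a baseline snapshot of DNS records against an observed set and flags CT entries for the organization's zone whose issuer is not one it uses. All domains, addresses, issuer names and log entries are constructed placeholders; in a real deployment the observed records would come from DNS queries and the CT entries from a log monitor.

```python
# Baseline snapshot of the records the organization expects to be published.
# Constructed for this example; every domain and address is a placeholder.
BASELINE = {
    ("www.example-bank.com", "A"): {"198.51.100.10", "198.51.100.11"},
    ("www.example-bank.com", "AAAA"): {"2001:db8:10::1"},
    ("example-bank.com", "MX"): {"10 mail.example-bank.com."},
    ("example-bank.com", "NS"): {"ns1.example-bank.com.", "ns2.example-bank.com."},
}

# Records as seen on an audit run (constructed). The A record now points
# elsewhere and an extra NS has appeared: the shape of a registrar or DNS
# provider compromise, or of a resolver returning tampered answers.
OBSERVED = {
    ("www.example-bank.com", "A"): {"203.0.113.45"},
    ("www.example-bank.com", "AAAA"): {"2001:db8:10::1"},
    ("example-bank.com", "MX"): {"10 mail.example-bank.com."},
    ("example-bank.com", "NS"): {"ns1.example-bank.com.", "ns2.example-bank.com.",
                                 "ns.rogue-placeholder.example."},
}

# Constructed Certificate Transparency entries, reduced to the fields a CT
# monitor reports. One certificate comes from an issuer the organization never uses.
CT_ENTRIES = [
    {"domain": "www.example-bank.com", "issuer": "Example Trusted CA", "not_before": "2024-01-15"},
    {"domain": "login.example-bank.com", "issuer": "Example Trusted CA", "not_before": "2024-02-01"},
    {"domain": "www.example-bank.com", "issuer": "Unexpected CA (placeholder)", "not_before": "2024-05-03"},
    {"domain": "www.unrelated.example", "issuer": "Unexpected CA (placeholder)", "not_before": "2024-05-04"},
]
EXPECTED_ISSUERS = {"Example Trusted CA"}


def diff_records(baseline, observed):
    """Return (name, rtype, kind, value) for every deviation from the baseline.

    kind is "unexpected" for a value present only in the observed data and
    "missing" for a baseline value that was not returned. Comparing sets means
    reordering of equivalent answers is not reported as drift.
    """
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        expected = baseline.get(key, set())
        seen = observed.get(key, set())
        for value in sorted(seen - expected):
            findings.append((key[0], key[1], "unexpected", value))
        for value in sorted(expected - seen):
            findings.append((key[0], key[1], "missing", value))
    return findings


def in_zone(domain, zone):
    """True if domain is the zone apex or a name beneath it."""
    return domain == zone or domain.endswith("." + zone)


def unexpected_certificates(entries, zone, expected_issuers=EXPECTED_ISSUERS):
    """Return CT entries for names in zone whose issuer is not an expected one.

    A certificate for your own domain from a CA you never engaged is exactly
    the kind of issuance that CT log monitoring is meant to surface.
    """
    return [e for e in entries
            if in_zone(e["domain"], zone) and e["issuer"] not in expected_issuers]


if __name__ == "__main__":
    for name, rtype, kind, value in diff_records(BASELINE, OBSERVED):
        print(f"DNS drift: {name} {rtype} {kind}: {value}")
    for e in unexpected_certificates(CT_ENTRIES, "example-bank.com"):
        print(f"CT alert: {e['domain']} issued by {e['issuer']} on {e['not_before']}")
```

Run on the constructed data, the diff reports the replaced A record (one unexpected address, two missing ones) and the added name server, and the CT check reports the single certificate for the zone from the unexpected issuer while ignoring the unrelated domain. The baseline should be regenerated only through the same change-control process that authorizes DNS edits, otherwise a tampered record silently becomes the new normal.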

The Attack You Cannot See Is the One Worth Preparing For

Pharming stands apart from most cyberattacks because it can punish users who appear to do everything right. When the threat sits in the DNS layer between a browser and a server, defenses also need to account for that layer through verified DNS responses, encrypted queries, and strong registrar account controls. Understanding where the redirection happens makes the risk easier to recognize and the right protections easier to prioritize.

Frequently Asked Questions

Can Antivirus Software Prevent Pharming?

Only partially. Antivirus tools can detect and remove malware that modifies a device's local hosts file. However, when the attack occurs at the DNS server or registrar level, the victim's device is never infected with anything. The compromise exists entirely in the internet's routing infrastructure, which antivirus software cannot monitor or control. Protecting against server-level pharming requires infrastructure defenses like DNSSEC and encrypted DNS resolvers.

Why Is Pharming Called "Phishing Without a Lure"?

Traditional phishing requires a lure, typically a deceptive email or message, to convince the victim to visit a fake website. Pharming removes that step entirely. The victim types a correct URL or uses a bookmark, and DNS manipulation routes them to a fake copy silently. The "lure" is replaced by a redirect that the victim has no reason to question.

What Is the Difference Between Pharming and DNS Hijacking?

DNS hijacking is one of several techniques attackers use to accomplish pharming. It refers specifically to gaining unauthorized access to a DNS server, registrar, or provider account and changing the records so that a domain resolves to an attacker-controlled IP. Pharming is the broader attack goal of redirecting users to fraudulent websites, which can also be achieved through local malware, DNS cache poisoning, or router reconfiguration.

How Can Router Reconfiguration Lead to Pharming?

Router-focused pharming targets home or small office routers rather than individual devices or DNS servers. Attackers access the router's administrative panel, often using default credentials that were never changed, and modify its DNS settings to point to a malicious resolver that can redirect any domain to a fraudulent site. The individual devices remain malware-free, and this variant is especially hard to detect without checking the router's configuration directly.

How Does Pharming Affect Mobile Devices?

Pharming can affect any device that uses DNS to resolve website addresses, including smartphones and tablets. Malware-based pharming is less common on mobile devices than the server-level or router-level vectors described in this article, but those infrastructure-level attacks operate outside the device itself, so mobile devices remain just as exposed to them.
