How does pharming work?

The attacker compromises a DNS server or infects a victim's computer to modify DNS resolution When the victim enters a legitimate URL (e.g., "yourbank.com"), the corrupted DNS sends them to a fake server The fake website looks identical to the real one, and the URL appears correct The victim enters their credentials, which are captured by the attacker The user may be redirected to the real site afterward, making the attack invisible

How do I protect myself from pharming?

Look for HTTPS and verify the SSL certificate before entering credentials Use a reputable DNS provider with security features (Cloudflare 1.1.1.1, Google 8.8.8.8) Keep your router firmware updated to prevent DNS hijacking Use a password manager that verifies the domain before auto-filling credentials Use IsThisAScam to check any URL you're unsure about

Home/Glossary/Pharming

Glossary · Attack Vector

What Is Pharming?

A cyberattack that redirects traffic from a legitimate website to a fraudulent one without the user's knowledge, typically by manipulating DNS settings or corrupting the host file on a victim's computer.

Quick Definition

Think you've been targeted?

Paste the suspicious content here for an instant analysis.

No signup · 6 detection layers · Results in seconds · Cmd+Enter

01Pharming explained.

Pharming is a portmanteau of "phishing" and "farming." While phishing requires the victim to click a malicious link, pharming is more insidious — it redirects users to fake websites even when they type the correct URL. The "farming" metaphor refers to the attacker maintaining a "farm" of fake websites.

There are two main types. Local pharming modifies the hosts file on a victim's computer to redirect specific domains. DNS pharming attacks the DNS server itself, affecting all users who rely on that server for domain name resolution.

Pharming is particularly dangerous because there's no suspicious link for the user to notice. They type the correct web address, their browser shows the correct URL in the address bar, but they're actually on a different server entirely.

02How it works.

01The attacker compromises a DNS server or infects a victim's computer to modify DNS resolution

02When the victim enters a legitimate URL (e.g., "yourbank.com"), the corrupted DNS sends them to a fake server

03The fake website looks identical to the real one, and the URL appears correct

04The victim enters their credentials, which are captured by the attacker

05The user may be redirected to the real site afterward, making the attack invisible

03Real-world example.

In 2017, a pharming attack targeted users of a major Brazilian bank by compromising the bank's DNS records. For about 5 hours, all visitors to the bank's website — including online banking customers — were redirected to a perfect replica that harvested their credentials.

04How to protect yourself.

01Look for HTTPS and verify the SSL certificate before entering credentials

02Use a reputable DNS provider with security features (Cloudflare 1.1.1.1, Google 8.8.8.8)

03Keep your router firmware updated to prevent DNS hijacking

04Use a password manager that verifies the domain before auto-filling credentials

05Use IsThisAScam to check any URL you're unsure about

Explore Scam Types

phishing romance crypto investment tech support delivery

Suspect Something?

Run a scan on the message you received.

Run a scan →