What Is Pharming: Types, Phishing Differences and Defence

What pharming is, types (local DNS, DNS server, BGP hijacking), differences with phishing, real cases and how to protect with DNSSEC, MFA and EDR.

Secra · May 10, 2026 · 12 min read

Pharming redirects the user to a fraudulent site without any click on their part, by manipulating DNS resolution or the machine's hosts file. It is commonly described as DNS "poisoning" or DNS redirection, and it is a specific variant of Man in the Middle focused on the name resolution phase. Unlike phishing, where the user reaches the fake site by clicking a malicious link, in pharming the user types mybank.com correctly and still lands on a fake site that looks identical to the legitimate one.

This guide explains what pharming specifically is, the four vectors that show up in forensic investigations (local hosts file modification, home router attack, DNS server poisoning, BGP hijacking), exactly how it differs from phishing, documented real cases, how modern defences detect it and which protection measures have real impact for enterprises and home users.

What pharming is

Pharming is an attack that manipulates the DNS name resolution system so the domain the user types or their browser resolves points to an IP controlled by the attacker. As a technique it sits within the broader category of social engineering when combined with pages impersonating the legitimate identity. The term comes from combining "phishing" and "farming": harvesting credentials from many victims with a single infrastructure manipulation effort.

What it gives the attacker compared to traditional phishing:

  • Doesn't depend on the user clicking. The victim types the URL correctly, opens a bookmark or scans a bank QR code; it makes no difference, DNS takes them to the fake site.
  • Scales. A compromise of a DNS server or a router can affect thousands of users simultaneously without sending a single email.
  • Persistence. While the manipulation lasts and the victim doesn't check the TLS certificate, the attacker captures everything passing through the fake page.
  • Coexistence with the real brand. If the fake page replicates the destination well, the user sees no difference.

What limits the attacker:

  • HTTPS and valid TLS certificates are the main barrier: the browser warns if the certificate doesn't match the real domain.
  • More expensive than simple phishing: compromising DNS or a router requires more sophistication.
  • Fast detection once the first victim appears: banks and antivirus vendors react within hours.

Four main vectors

Almost all pharming in the real world enters through one of these four paths.

1. Manipulation of the victim's hosts file

The operating system checks the hosts file before going out to DNS. On Windows it sits at C:\Windows\System32\drivers\etc\hosts; on macOS and Linux, at /etc/hosts. An entry like:

185.123.45.67  mybank.com
185.123.45.67  www.mybank.com

redirects any resolution of those domains to the attacker's IP.

Typical entry vector: malware running with sufficient privileges to write the file. Trojan families like QakBot variants and modern commercial stealers carry a "hosts edit" module as one of their capabilities.

Home detection: review the hosts file periodically, configure the OS to alert on modifications, and use a modern antivirus that monitors that path.

2. Home or SMB router compromise

Attackers target the DNS servers configured in the router. If they change them, every device on the network uses the attacker's DNS. Classic vectors: default router credentials, a CSRF vulnerability in the admin web interface, or an exploit against unpatched firmware.

The DNSChanger case (2007-2012) is the paradigmatic example: a gang redirected DNS on millions of home routers for years before being dismantled by the FBI in cooperation with Europe. Total estimated damage exceeded $14 million.

In Spanish enterprises, the modern equivalent is the attack on poorly maintained SOHO routers in remote offices or in homes of employees connecting to corporate resources.

3. DNS server poisoning

The attacker manipulates the cache of the DNS resolver users trust. Historical techniques (Kaminsky, 2008) injected false responses that the resolver stored for the configured TTL. A user resolving mybank.com during that window received the attacker's IP.

DNSSEC was designed precisely to stop this vector through cryptographic signing of responses. Its adoption is high in TLDs (.es has been 100% signed for years) but signing each individual zone is still voluntary and many organisations don't apply it. Without DNSSEC, attacks against resolvers remain viable, especially against poorly configured local resolvers.

4. BGP hijacking

The attacker announces, from an AS it controls, IP prefixes that don't belong to it. Transit BGP routers accept the announcement (typically without cryptographic validation) and start sending traffic to the attacking AS. The client sees the correct IP, but the traffic arrives at the attacker's server.

Documented cases: Visa prefix hijack by a Russian operation in 2018, Cloudflare hijacks, several incidents against DNS root routes. RPKI adoption mitigates the problem but coverage is still partial.

This vector is barely applicable to a home user; it is relevant to operators and to companies with their own connectivity.

Differences with phishing

The confusion between the two terms is common. Key differences:

  • Vector of deception. Phishing: the user clicks a malicious link or enters data in a form presented as legitimate. Pharming: the URL is correct but DNS resolution is manipulated.
  • Manipulation point. Phishing: the email or the site. Pharming: the DNS infrastructure or the user's machine.
  • Attacker effort. Phishing: low, massive, scales easily. Pharming: medium-high, targeted, requires compromising DNS, router or victim machine.
  • Main user defence. Phishing: training, don't click, MFA. Pharming: always check HTTPS and certificate, universal MFA, DNSSEC.
  • Recipient detection. Phishing: the domain differs from the real one (myban-k.com). Pharming: the domain is correct; what is wrong is the IP it resolves to.

In practice, the two combine. An attacker sends phishing that delivers a trojan that modifies hosts. The user then arrives at the fake page without additional clicks. That chain covers both terms at once.

Documented real cases

The names that appear most in recent forensic reports.

DNSChanger (2007-2012). Operation by Estonian cybercriminals that redirected DNS on approximately 4 million machines in over 100 countries. Arrested by the FBI in 2011 (Operation Ghost Click). Business model: redirect advertising traffic and manipulate search results. Exposed the dependency of millions of users on unverified DNS.

Brazilian banking sites (2017). A gang compromised 36 Brazilian bank domains through the registrar, modifying nameservers for several hours. During the window, users were redirected to fake sites. Case documented by Kaspersky and Trend Micro.

MikroTik routers (2018). An actor automated DNS redirection on hundreds of thousands of vulnerable MikroTik routers (CVE-2018-14847). It injected the CoinHive crypto miner and, in some cases, redirected users to fake sites.

KrebsOnSecurity DNS hijack (2017). The security blog suffered a temporary hijack via registrar. Visitors during the incident accessed a site controlled by the attacker. Served as public demonstration that even specialists are vulnerable to pharming at the registrar level.

Attacks on government DNS infrastructure (2019, attributed to state actors). The UK NCSC report and DHS-CISA advisories described a campaign manipulating NS records against government and energy domains in the Middle East and Europe.

How it gets detected

Seven fronts covered by a modern defensive team.

Hosts file monitoring. EDR with a rule that alerts on any modification. Sysmon on Windows with an Event ID 11 (FileCreate) rule covering drivers\etc\hosts. Any change made outside legitimate system processes is a signal.

Centralised DNS telemetry. A SIEM collecting logs from internal DNS and detecting anomalous resolutions: corporate domains resolving to unexpected external IPs, NXDOMAIN spikes, DGA domains. More detail in the article on what a SIEM is.
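One way to run the two checks just described over resolver logs, as an added example that is not the article's own tooling: the key=value log format, the expected-address table for the company's domains and the NXDOMAIN threshold are assumptions constructed for the example.

```python
"""Detect pharming signals in DNS resolver logs (added example, not the article's
code; log format, expected-IP table and threshold are constructed assumptions)."""
from collections import Counter
from typing import Dict, List

# Expected public addresses of the company's own domains (assumed).
EXPECTED = {
    "www.example.com": {"203.0.113.10", "203.0.113.11"},
    "mail.example.com": {"203.0.113.20"},
}
NXDOMAIN_THRESHOLD = 3  # per client within the sampled window (assumed tuning)

# Constructed key=value log lines; a real resolver export will differ.
SAMPLE_LOG = """\
2026-05-10T09:00:01Z client=10.1.2.3 qname=www.example.com rcode=NOERROR answer=203.0.113.10
2026-05-10T09:00:02Z client=10.1.2.7 qname=www.example.com rcode=NOERROR answer=185.123.45.67
2026-05-10T09:00:03Z client=10.1.2.9 qname=qx7dk2lm.biz rcode=NXDOMAIN answer=-
2026-05-10T09:00:03Z client=10.1.2.9 qname=zp9a1kqd.net rcode=NXDOMAIN answer=-
2026-05-10T09:00:04Z client=10.1.2.9 qname=m3kd9zqa.org rcode=NXDOMAIN answer=-
2026-05-10T09:00:05Z client=10.1.2.3 qname=mail.example.com rcode=NOERROR answer=203.0.113.20
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp is kept under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for f in fields:
        k, _, v = f.partition("=")
        rec[k] = v
    return rec


def detect(log: str) -> List[str]:
    """Return alerts for own domains answered with unexpected IPs and NXDOMAIN bursts."""
    alerts = []
    nx = Counter()  # NXDOMAIN responses per client
    for line in log.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        expected = EXPECTED.get(r["qname"].lower())
        if expected is not None and r["answer"] not in expected:
            alerts.append(f"{r['ts']} {r['client']}: {r['qname']} resolved to unexpected "
                          f"{r['answer']} (possible poisoning or hijack)")
        if r["rcode"] == "NXDOMAIN":
            nx[r["client"]] += 1
    for client, n in nx.items():
        if n >= NXDOMAIN_THRESHOLD:
            alerts.append(f"{client}: {n} NXDOMAIN responses in window (possible DGA activity)")
    return alerts
```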

Periodic router configuration validation. Inventory of SOHO routers in remote offices with verification of firmware, credentials and configured DNS servers. EDR/MDM platforms broaden visibility over remote devices.

DNSSEC on own zones. Signing the company's DNS zone closes the poisoning vector against own domains. The signature gets validated on the final client's resolver if it supports DNSSEC.

RPKI in operator organisations. For companies with their own AS and IP ranges, publishing signed ROAs (Route Origin Authorizations) reduces exposure to BGP hijacking.

DNS threat intelligence. Commercial services (Quad9, Cisco Umbrella, Cloudflare 1.1.1.1 for Families) block resolutions to known malicious domains before the victim connects. Compatible with threat hunting and internal SOC.

Own brand monitoring. Services that alert when a domain similar to the corporate one resolves to suspicious IPs, when a TLS certificate appears for homograph domains or when the company's DNS changes without a change order.

How to protect

The measures that actually close the door, ordered by impact.

  • Universal MFA with FIDO2/WebAuthn. Even if the user reaches a fake site and types their password, without the phishing/pharming-resistant second factor the attacker doesn't get in. The most important defence in 2026.
  • HTTPS with HSTS and certificate pinning on critical applications. The browser refuses to connect to sites without a valid certificate or with a certificate different from the expected one.
  • DNSSEC on own domains. If your zone is signed and the client's resolver validates, poisoning against your domain fails.
  • Trustworthy validating DNS resolver. In enterprise, internal resolver with DNSSEC enabled. For home users, public validating resolvers (Google 8.8.8.8, Cloudflare 1.1.1.1, Quad9 9.9.9.9).
  • SOHO router policy. Inventory, updated firmware, unique credentials, disable remote administration from the Internet.
  • Modern EDR that detects hosts modification and trojan behaviour.
  • Awareness. Training the user to check the browser lock on sensitive sites and to treat browser certificate warnings as a reason to stop.
  • Blocking unauthorised DNS over HTTPS. In corporate environments, prevent the user's browser from using DNS-over-HTTPS toward uncontrolled resolvers that could bypass internal DNS telemetry.
  • Registrar monitoring. Domain lock at the registrar, strong MFA on the account, alerts on changes in NS records and critical DNS records. The most expensive but most impactful vector.

Compliance fit

For regulated Spanish companies, pharming risk falls under several frameworks:

  • NIS2 (article 21). Risk management measures, including network and communications security. If an affected company has no centralised, validating DNS, a finding of non-compliance is defensible in an audit.
  • DORA (article 9). ICT requirements in financial services. Financial entities have additional scrutiny on DNS and BGP.
  • ISO 27001:2022 (controls 8.20 secure networks, 8.21 network services, 8.7 malware protection). Require segmentation, secure configuration and provider documentation.
  • ENS Royal Decree 311/2022. Measures op.exp.10 (information in transit protection) and op.exp.6 (malicious code protection).
  • PCI DSS v4.0 (req. 1, 4, 6). Network configuration, encrypted transmission and secure development.
  • GDPR. An incident leaking credentials or personal data through pharming is a notifiable breach.

Frequently asked questions

What's the exact difference between phishing and pharming?

Phishing tricks the user into acting (clicking, typing credentials). Pharming tricks the resolution system into taking the user to the fake site even if they act correctly. In phishing the URL is usually similar but different; in pharming the URL is the real one, what gets manipulated is the IP it points to.

Does HTTPS protect me against pharming?

In most cases yes. The fake site needs a valid certificate for the real domain, and getting it isn't trivial. The attacker can try to issue a certificate for a homograph domain (with similar characters) or, in scenarios with a compromised CA or registrar, get legitimate certificates. The real defence is HTTPS plus HSTS plus certificate pinning plus strong MFA.

How do I know if my hosts is modified?

Open the file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts on macOS and Linux) and check that it contains only known entries. Modern antivirus tools and EDRs automatically alert on modifications. If you find entries pointing banking, social network or corporate domains to unexpected IPs, assume the machine is compromised and proceed with a full cleanup.
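A small audit script that implements this check for the hosts file, covering both vector 1 above and this answer, as an added example that is not part of the article; the sample hosts content, the watchlist of protected domains and the baseline of known entries are constructed assumptions.

```python
"""Audit a hosts file for pharming-style overrides (added example, not the
article's code; watchlist and baseline are constructed assumptions)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the last two lines are the override the article describes
# (sensitive domains pinned to the external address 185.123.45.67 from the text).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
192.168.1.10    intranet.example.local   # legitimate internal entry
185.123.45.67   mybank.com
185.123.45.67   www.mybank.com
"""
# Domains that must never be overridden locally (assumed watchlist).
WATCHLIST = {"mybank.com", "www.mybank.com", "login.example.com"}
# Entries the administrator knows are legitimate (assumed baseline).
BASELINE = {("127.0.0.1", "localhost"), ("::1", "localhost"),
            ("192.168.1.10", "intranet.example.local")}

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring blank lines and '#' comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))  # normalises the address text
        except ValueError:
            continue  # malformed line; the OS resolver skips it as well
        for name in fields[1:]:
            pairs.append((ip, name.lower()))
    return pairs

def audit_hosts(text: str) -> List[Dict[str, str]]:
    """Flag watched domains pinned to non-loopback IPs and non-baseline entries."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in WATCHLIST and not ipaddress.ip_address(ip).is_loopback:
            findings.append({"ip": ip, "host": name, "reason": "watched domain redirected"})
        elif (ip, name) not in BASELINE:
            findings.append({"ip": ip, "host": name, "reason": "entry not in baseline"})
    return findings

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):  # replace with open(path).read() for a real file
        print(f"{f['ip']:<16} {f['host']:<30} {f['reason']}")
```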

Is DNSSEC enough?

Not by itself. DNSSEC signs responses and prevents poisoning, but only if the origin zone is signed and the final resolver validates. Today coverage is partial. DNSSEC is necessary but not sufficient: layered defence with MFA, strict HTTPS and EDR remains critical.

Can an attacker do pharming through public Wi-Fi?

Yes. An attacker controlling a Wi-Fi access point can deliver DHCP configurations with DNS servers they control. Any non-DNSSEC resolution going through that DNS can be manipulated. Defence: corporate VPN, DNS over HTTPS toward trusted resolvers, don't enter sensitive credentials from public Wi-Fi networks without additional protection.

Does pharming also affect mobile applications?

Yes. Apps use DNS resolutions from the operating system. An Android or iOS device with DNS compromised at the Wi-Fi configuration level (or in carrier accounts via SIM or eSIM manipulated in extreme scenarios) is exposed. Modern apps with certificate pinning are the main defence.

Is pharming illegal in Spain?

Yes. It constitutes at least the crime of discovery and revelation of secrets (article 197 of the Penal Code), computer intrusion (article 197 bis) and, depending on the purpose, computer fraud (article 248.2). The AEPD additionally sanctions the unlawful processing of the personal data obtained. Sentences range from 6 months to 6 years in prison plus administrative sanctions.

  • Types of malware: family where the trojans executing hosts modifications for local pharming sit.
  • What is a SIEM: platform where anomalous DNS resolution spikes get detected.
  • What is an EDR: control that detects hosts modification and trojan behaviour.
  • What is threat hunting: discipline hunting DNS poisoning patterns before they trigger automatic alerts.
  • What is Man in the Middle: broader category where pharming sits as a name-resolution-focused variant.

Pharming defence at Secra

At Secra we address pharming risk on three usual fronts: review of DNS and registrar configuration (lock, MFA, DNSSEC, change monitoring), validation of the TLS certificate stack and HSTS policies of critical applications, and audit of SOHO routers and DHCP configurations in remote offices. In Red Team projects we include controlled DNS redirection tests to validate whether the client's defensive controls detect the pattern. If you want to understand how long your organisation would last against a combined phishing and pharming campaign, get in touch via our contact page.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.
