Phishing vs. Pharming attacks

Learn how phishing attacks differ from pharming attacks, and whether pharming attacks are still a threat, in this information security threat Ask the Expert Q&A.

How do phishing attacks differ from pharming attacks? Are pharming attacks still prevalent?

Phishing attacks typically involve an attacker sending emails that appear to be from an e-commerce company, in an attempt to trick recipients into going to a malicious, imposter Web site and providing their sensitive information. Phishers build their imposter Web sites to look like the real Web site, and try to disguise links to their imposter sites so they seem legitimate to the unsuspecting victim.

While they are related, pharming attacks are indeed different. Pharming is when an attacker tricks a DNS server into caching a bogus entry for a domain name for an e-commerce site. Then when a user types the domain name for that site into a browser, the DNS server provides a cached record of an evil site. The user is "pharmed" via DNS cache poisoning.

Unlike phishing attacks, email is usually not involved in pharming attacks because the attackers use real domain names, not disguised or obfuscated URLs. They poison the DNS server and force it to direct those genuine domain names to attacker-controlled IP addresses.

From February 2005 to August 2005, we saw a large number of pharming attacks, due to common misconfigurations of DNS servers that made them accept the poison. While we still see a trickle of pharming attacks today, most DNS servers have improved their poisoning defenses, thereby lowering the incidence of attacks. Don't be fooled, though: they are still out there and we need to be diligent. If you run a Windows-based DNS server, make sure you have selected the "Secure Cache Against Pollution" option in the configuration GUI (the default for recent versions of Windows DNS server). Also, never use Windows DNS servers configured to forward requests through BIND 4 or 8. Windows DNS servers acting as forwarders should always go through BIND 9, which can cleanse potentially poisoned records.
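
Cache-pollution protection of the kind described above comes down to refusing to cache records that fall outside the name tree the resolver asked about. The following is an added example, not code from the original article or from any DNS server product: a simplified model of that check, in which the `Record` type, the function names and the sample response are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    name: str   # owner name of the resource record
    rtype: str  # record type, e.g. "A" or "NS"
    data: str   # record data (address or target name)

def normalize(name: str) -> str:
    # DNS names are case-insensitive; drop the trailing root dot.
    return name.rstrip(".").lower()

def in_bailiwick(name: str, zone: str) -> bool:
    # Compare on label boundaries so "evilshop.example.com" is not
    # mistaken for a child of "shop.example.com".
    name, zone = normalize(name), normalize(zone)
    if not zone:
        return True  # the root zone covers every name
    return name == zone or name.endswith("." + zone)

def filter_response(zone: str, records):
    """Return (cacheable, dropped) for a response received about `zone`."""
    cacheable, dropped = [], []
    for rec in records:
        (cacheable if in_bailiwick(rec.name, zone) else dropped).append(rec)
    return cacheable, dropped

# Constructed sample: records returned for a query about www.shop.example.com.
# Names use reserved example domains; addresses use documentation ranges.
SAMPLE_ZONE = "shop.example.com"
SAMPLE_RESPONSE = [
    Record("www.shop.example.com.", "A", "192.0.2.10"),
    Record("Shop.Example.Com.", "NS", "ns1.shop.example.com."),
    Record("ns1.shop.example.com.", "A", "192.0.2.53"),
    Record("www.bank.example.net.", "A", "203.0.113.66"),  # unrelated domain
    Record("evilshop.example.com.", "A", "203.0.113.67"),  # suffix lookalike
]

if __name__ == "__main__":
    keep, drop = filter_response(SAMPLE_ZONE, SAMPLE_RESPONSE)
    for r in keep:
        print("cache ", r.name, r.rtype, r.data)
    for r in drop:
        print("reject", r.name, r.rtype, r.data)
```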

This was last published in July 2006