“Pharming” is a type of cyber-attack that redirects Internet users to fraudulent websites that mimic the appearance of legitimate ones, in order to illicitly obtain login credentials and/or other protected information. Pharming often involves attacks on DNS (Domain Name System) servers on the Internet. DNS servers store associations between Internet hostnames and corresponding IP (Internet Protocol) addresses. Programs such as web browsers on user computers access DNS servers to resolve hostnames to corresponding IP addresses. When a user attempts to visit a website, e.g., by clicking a link or entering a hostname for the site in a field of a web browser, the user's computer may contact one or more DNS servers on the Internet to obtain the IP address for the site and then contact the site via its IP address to access the site's content.
Pharming attacks on DNS servers attempt to replace IP addresses of legitimate websites with those of fraudulent ones. By changing an IP address on a DNS server to that of a bogus site, a pharming hacker can redirect literally thousands of users to the bogus site. Compromised DNS servers are commonly referred to as “poisoned.” Users may think they are going to a legitimate site, but the users are instead directed to the bogus site, which may resemble the legitimate site and may extract protected information from users under the guise of legitimacy.
Security services have been developed to discover and prevent pharming attacks. These services query DNS servers on the Internet and compare IP addresses for particular hostnames with known-valid IP addresses for those hostnames. If an IP address for a site obtained from a DNS server does not match the known-valid IP address for that site, the security service generates an alert to inform an operator of the site that a pharming attack may be underway.
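One way to implement the comparison described above, as an added example that is not part of the original text: `lookup` is a hypothetical callable standing in for a real DNS query, and the resolver names, hostnames and addresses are constructed sample data. The known-valid list is treated as a set, so a resolver returning a subset passes, and a failed lookup is reported separately rather than counted as a clean result.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    resolver: str
    hostname: str
    unexpected: frozenset  # returned addresses that are not known-valid
    reason: str

def _norm(addrs):
    # Parse addresses so "2001:DB8:0:0::1" and "2001:db8::1" compare equal.
    return frozenset(ipaddress.ip_address(a) for a in addrs)

def check_resolvers(known_valid, resolvers, lookup):
    """Compare every resolver's answer for every hostname with the known-valid set.

    lookup(resolver, hostname) is a hypothetical callable standing in for a real
    DNS query; it returns address strings or raises LookupError on no answer.
    """
    alerts = []
    for host, valid in known_valid.items():
        valid_set = _norm(valid)
        for resolver in resolvers:
            try:
                answer = _norm(lookup(resolver, host))
            except LookupError as exc:
                # A failed lookup is unverified, not clean: report it separately.
                alerts.append(Alert(resolver, host, frozenset(), f"no answer: {exc}"))
                continue
            unexpected = answer - valid_set
            if unexpected:
                alerts.append(Alert(resolver, host,
                                    frozenset(map(str, unexpected)), "address mismatch"))
    return alerts

# Constructed sample data (documentation address ranges, not real servers).
KNOWN_VALID = {"www.example.com": ["192.0.2.10", "192.0.2.11"],
               "login.example.com": ["2001:db8::1"]}
SAMPLE_ANSWERS = {
    ("resolver-a", "www.example.com"): ["192.0.2.11"],            # subset: fine
    ("resolver-a", "login.example.com"): ["2001:DB8:0:0::1"],     # same address
    ("resolver-b", "www.example.com"): ["192.0.2.10", "203.0.113.66"],  # mismatch
}

def sample_lookup(resolver, host):
    if (resolver, host) not in SAMPLE_ANSWERS:
        raise LookupError("no response")
    return SAMPLE_ANSWERS[(resolver, host)]

if __name__ == "__main__":
    for alert in check_resolvers(KNOWN_VALID, ["resolver-a", "resolver-b"], sample_lookup):
        print(alert)
```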