Pharming: how to protect yourself and remain vigilant

Pharming is a sophisticated form of online fraud. Because the technique is hard to detect, it poses a threat to even the most vigilant internet users. Here we explain exactly how pharming works, what to watch out for, and how to protect yourself from this discreet-yet-dangerous online menace.

The pharming definition combines “farming” and “phishing.” The core principle is the same as phishing: criminals lure victims into a trap and deceive them into handing over sensitive information. But there’s a crucial difference. While phishing requires the target to consciously click a link to visit a fraudulent website, pharming uses malicious code to redirect automatically—even when the user types the correct web address.

How is this possible? Well, pharming is particularly cunning, because it exploits the very foundation of how the internet operates. To forewarn you, it’s about to get technical. But don’t worry—understanding what you need to know to stay safe is fairly straightforward. A little knowledge goes a long way.

Security at N26

Your security is our priority. Arm yourself with our tips to protect yourself online.

Check N26 Guide to Secure Online Banking

Defending yourself against pharming attacks can feel like a challenging  task. But the good news is that there are precautions to take to ramp up your security. The first line of defense starts with your personal computer. Make sure you’re protected with antivirus, antispyware, and you have your firewall switched on.

Additionally:

• Always check for secure web connections (HTTPS), indicated by the padlock on Chrome. However, an SSL certificate is the only indicator of trust—a report by the Anti-Phishing Working Group (APWG) found that by the end of 2019, 74 percent of phishing websites use SSL.
• Consider using a VPN (Virtual Private Network) which uses reputable DNS.
• Change the default password on your router.

Essentially, if something seems “off” about a website, be cautious and don’t proceed without investigating first. This may be as subtle as: spelling and grammatical errors, odd-looking formatting, varying font sizes, etc.

It helps to choose services which take security seriously. At N26, we have implemented a number of preventative measures to keep your account secure, like smartphone pairing, secure login, and the option to customize security settings directly within the N26 app.

Before jumping into an explanation of the two types of pharming attacks, let’s briefly explain how internet browsing works. When browsing the web, we input domain names, such as N26.com or Facebook.com, to visit a website. However, a website’s actual location is defined by its Internet Protocol (IP) address. Think of this as the computer’s language.

Web browsers locate websites based on their IP addresses, not a domain name. Imagine trying to find a location you’ve never been to before. You may use a city name, a district, a street address, a postcode to point you in the right direction. These naming systems are similar to domains. An IP address is the equivalent of the precise coordinates of a location.

To translate huge numbers of domains into IP addresses, the internet needs its version of a directory. That’s where Domain Name System (DNS) servers come in. A DNS server translates domain names into IP addresses. It points your web browser to the precise location, after you enter the domain.

When a domain is translated into an IP address, it finds the correct location by contacting a DNS server online. To speed up the process, data is temporarily stored so that your computer has fast access to a website’s location. Rather than contact an external DNS server, the information is stored on your computer.

This storage process is referred to as a DNS cache—your personal directory stored directly on your device. Most modern web browsers store information in a DNS cache automatically. This cuts out the middleman and results in faster browsing. Unfortunately, shrewd online criminals have found a way to exploit this system.

Understanding how the internet functions helps explain how criminals exploit the system. There are two types of pharming attack: malware-based and DNS server-based. The first influences  a computer directly by exploiting the DNS cache and changing its settings. The second method is more sophisticated since criminals attack the DNS server itself, without accessing individual computers.

Malware is malicious code installed onto a computer, either from a corrupt email or dodgy download. Malware-based pharming uses such code to redirect the victim’s browser to a fake website which is controlled by fraudsters. This technique is particularly troublesome as the user enters a legitimate URL (or even follows a bookmark) before being redirected.

The subtle rerouting appears behind the scenes. That’s because the malware has been installed and changes the computer’s local host files and DNS cache. These files contain the directory used to translate domains to IP addresses. By altering this information, a legitimate domain translates to an IP address linked to a fraudulent website.

To make matters worse, this website is designed to mimic the genuine site. So not only do you enter an accurate URL, you also end up on a page that imitates the real-deal. Any information entered on this site is sent straight to hackers to exploit for fraud or identity theft. 

DNS server-based pharming is the next-level in pharming attacks. Rather than aim for a single user by infecting their computer with malware, criminals target the server directly. A corrupted server redirects users to a fake IP address, even when an individual computer is completely fine and uninfected. This type of attack isn’t linked to individual files, because it’s the server itself which is “poisoned” and will redirect visitors even when the right URL is entered.

Because of the level of potential threat with DNS server poisoning, large corporations invest a lot of money into sophisticated anti-pharming measures. The risk in being on the receiving end of such an attack—whether through the financial loss of individual customers or reputational damage—makes cybersecurity a top priority.

Security at N26

At N26, security is our priority. Discover a 100% mobile banking experience

Learn more about security at N26

In addition to the steps you can take to protect yourself, you may be wondering what we’re doing on our side to keep you safe. Well, read on!

Each time our customers interact with our services, data packets are transferred back and forth—from one endpoint to another. So that we can maintain a secure communication channel, and prevent unauthorised third-parties from intercepting sensitive information, we encrypt those data packets using TLS, or Transport Layer Security, protocol.

We’ve embedded a trusted certificate into our web-app which validates connection requests based on certificate-matching. If a connection request is made, and the client (web browser) detects a certificate that does not match, the connection request will be refused—this ultimately prevents end-users from connecting to potentially malicious sites.

Unfortunately, this doesn’t protect a computer locally. As explained above, attackers may (rarely) target users directly. It is, therefore, advisable that you search for untrusted certificates on your computer. If you’re unsure about how to do this, seeking advice from somebody with knowledge and experience on this topic is best.

HSTS, or HTTP Strict Transport Security, is the most up-to-date version of Secure Socket Layer (SSL) encryption. It allows for trusted interactions to take place between browsers and websites.

HSTS protocol contains encryption sub-layers, such as: a hardcoded list of trusted websites; this is known as the HSTS preload list. Well-known, trusted browsers such as Google Chrome and Firefox have integrated a HSTS mechanism that is activated by default, which means you don’t have to do anything to benefit from this additional layer of protection.

HSTS protocol standards are maintained by the Internet Engineering Task Force (IETF), an open organisation which is managed entirely by volunteers, and whose work is funded by sponsors around the world. Legitimate companies like N26 must fulfill a strict set of requirements before joining the list. Once added, members must continually act in accordance with IETF policies, otherwise, they will be removed. If you’d like to learn more, click here.

The bank account that gives you more control

Spend and save with confidence, and discover a better way to manage your money

Get bank account (new tab)