
Pharming explained: how DNS hijacking sends you to a fake site even when you type the right address

You type your bank's address yourself. The padlock shows. The page loads. And it is still a clone. Pharming is the attack that breaks the one rule everyone is taught: "just type the address yourself."

SafeBrowz Threat Research

The Short Version

Pharming sends you to a fake website even when you type the correct address, so there is no bad link to click. It works by poisoning DNS, the system that turns a name like your-bank.com into the numeric address your device connects to. The three common ways are a hijacked home router, malware that edits your device's hosts file, and a compromised or poisoned DNS resolver. The address bar can read exactly right while the page is a clone. Your best tells are an unexpected HTTPS or certificate warning (never click through it) and a password manager that suddenly refuses to autofill.

What pharming is, in plain terms

Every time you visit a website, your device does a quiet lookup first. You type a name, like your-bank.com, but computers do not connect to names. They connect to numeric IP addresses. The Domain Name System, or DNS, is the phone book that translates the name into the number. You never see it happen. It takes a few milliseconds and the page loads.

Pharming attacks that phone book. If an attacker can change the answer your device gets, the name stays the same but the number points to their server. You typed your-bank.com. The address bar shows your-bank.com. But the page came from a machine the attacker controls, serving a pixel-perfect copy of the login screen. You sign in, and your credentials go straight to them.

The word is a blend of "phishing" and "farming." Where a phisher casts out a single lure and hopes one person bites, a pharmer poisons the well once and harvests everyone who drinks from it. One hijacked router can quietly redirect every device in a house or a small office.

Pharming vs phishing: the difference that matters

People use the two words interchangeably, but the mechanics are opposite, and the difference changes how you defend.

In a phishing attack, you have to do something. You click a link in an email or a text, and that link carries you to a lookalike domain or a cloned message. The fake address is visible if you look. The whole defense is "check the URL before you act," and verifying the sender before you click.

In a pharming attack, you do nothing wrong. You type the real address from memory, or you click your own saved bookmark, and the redirect happens underneath you. There is no bad link in your inbox. The URL in the bar is correct. "Check the URL" does not save you here, because the URL is genuinely the one you wanted. That is what makes pharming feel impossible and why the defenses are different: you have to watch the certificate, the password manager, and the health of your router instead of the link.

The three ways pharming actually happens

There is no single pharming technique. There are three places an attacker can corrupt the lookup, and they range from "anyone with a cheap kit" to "nation-state operation."

1. Router DNS hijacking

This is the most common version, and the most dangerous, because it poisons every device on the network at once. Your home router holds the DNS settings for your whole house. If an attacker changes which DNS server your router uses, every phone, laptop, and smart TV behind it inherits the poisoned answers.

They get in three ways. The first is the router's default admin password, which a large share of people never change, leaving the admin panel open to anyone who guesses admin/admin or password. The second is an unpatched firmware vulnerability that lets an attacker reach the settings remotely. The third is DNSChanger-style malware, a family that dates back to a major operation the FBI dismantled in 2011 and which has never really gone away, that quietly rewrites the router's DNS from an infected device on the network.

This is not theoretical or old. In April 2026, Microsoft's security team documented a campaign in which compromised small-office and home routers were used for DNS hijacking and adversary-in-the-middle attacks. The same operation, attributed by the FBI and CISA to the Russian military intelligence actor APT28 (also called Forest Blizzard), exploited known vulnerabilities in thousands of TP-Link and MikroTik routers since at least 2024, redirecting DNS requests to attacker-controlled resolvers that served fake records for services like Outlook Web Access to harvest logins. At its peak the operation reached roughly 18,000 devices across 120 countries. Kaspersky has tracked criminal (non-state) versions of the same router-DNS trick redirecting home users to phishing pages for years.

2. Hosts-file malware on your device

Every computer has a small local file that the operating system checks before it ever asks a DNS server: the hosts file. It is a plain text list that maps names to IP addresses directly, and whatever it says wins. It exists for legitimate reasons, like testing a website locally. Malware abuses it.

A piece of malware that lands on your machine, often through a fake download or a malicious attachment, can add a single line to the hosts file: your-bank.com pointing at the attacker's IP. From that moment, that one machine goes to the fake site even if you type the address perfectly or click your own bookmark. The router is fine. The network DNS is fine. The poison is local to that device, which makes it harder to notice and means the fix is to clean the malware and the file, not to reset the router.
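As an added example (not SafeBrowz code), the check behind the "look at the hosts file" advice here and in the defense list below: a small Python audit that parses a hosts file and flags sensitive names pinned to a public address, while ignoring loopback and 0.0.0.0 sinkhole entries that ad blockers and local testing legitimately use. The sample file, the protected-name list and the 203.0.113.45 address are constructed.

```python
import ipaddress

# Constructed sample hosts file: standard loopback entries, a legitimate local
# testing entry, and one line a DNS-changer trojan might add. 203.0.113.45 is an
# RFC 5737 documentation address standing in for the attacker's server.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
127.0.0.1       dev.myproject.test   # local testing, a legitimate use
203.0.113.45    your-bank.com www.your-bank.com
"""

# Names worth protecting (assumed list); any non-sinkhole pin of these is a flag.
SENSITIVE_NAMES = {"your-bank.com", "www.your-bank.com"}

# Pins to these addresses block a name rather than redirect it, so they are not
# pharming (ad blockers and developers use them on purpose).
SINKHOLE_IPS = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Yield (ip, [names]) for each usable line; comments and junk are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if not parts:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; the OS resolver ignores it as well
        yield parts[0], [name.lower() for name in parts[1:]]


def find_hosts_overrides(text, sensitive=SENSITIVE_NAMES):
    """Return {name: ip} for sensitive names pinned to a non-sinkhole address."""
    hits = {}
    for ip, names in parse_hosts(text):
        if ip in SINKHOLE_IPS:
            continue
        for name in names:
            if name in sensitive:
                hits[name] = ip
    return hits


if __name__ == "__main__":
    # Point this at /etc/hosts or C:\Windows\System32\drivers\etc\hosts to audit
    # a live machine; the constructed sample is used here.
    for name, ip in find_hosts_overrides(SAMPLE_HOSTS).items():
        print(f"SUSPICIOUS: {name} is pinned to {ip} in the hosts file")
```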

3. DNS cache poisoning and rogue resolvers

The third version attacks the DNS infrastructure itself rather than your hardware. A DNS resolver caches answers so it does not have to ask the same question twice. In a cache poisoning attack, an attacker floods the resolver with forged responses; if one forged answer is accepted before the real one arrives, the resolver stores the fake mapping and hands it to everyone who asks. Until that cache entry expires, a correctly typed address resolves to the attacker's server for every user of that resolver.

A related move is the rogue resolver: a DNS server set up purely to lie, which users get pointed at through a hijacked router or a sanctioned hosting provider masquerading as legitimate DNS. Nation-state operations have weaponized DNS spoofing at scale; in 2024, researchers documented an actor dubbed Muddling Meerkat abusing DNS infrastructure for large-scale spoofing. Classic cache poisoning got much harder after the 2008 Kaminsky disclosure forced source-port randomization, and DNSSEC adds cryptographic signatures that make forged records detectable. But adoption is incomplete, so the attack class is not dead.


One caveat on testing: in a pure pharming attack the address bar still reads correctly, so pasting the genuine name into a checker can return SAFE while a clone is being served behind that name from a poisoned IP. The checker is most useful for the lookalike pages that pharming campaigns also push through email and text, such as a generic bank-login clone on a free hosting subdomain like secure-bank-login.vercel.app, exactly the kind of page a redirect drops you on.

The red flags that give pharming away

Because the URL looks right, your warning signs move to the connection and your tools. These are the things to actually watch for.

  • An unexpected HTTPS or certificate warning, which you must never click through. When the attacker's server cannot present a valid certificate for the real name, the browser throws a "your connection is not private" or "certificate error" page. On a site you visit every day, a sudden certificate warning is a screaming alarm. Do not click "proceed anyway." That button is the whole trap.
  • The padlock is there but the certificate is wrong. A padlock only means the connection is encrypted, not that the site is who it claims to be. Click the padlock, view the certificate, and check that it was issued to the brand you expect. A clone often runs a valid certificate for the attacker's own domain or a generic one, not for your bank.
  • Your password manager refuses to autofill. A manager like 1Password or Bitwarden binds your saved login to the exact origin. If it will not offer to fill on a page that should be your bank, that silence is one of the strongest signals you are not on the real site.
  • The login page looks slightly off or asks for more than usual. Clones are copied at a point in time. Fonts, spacing, or a missing feature can be subtly wrong, and many clones over-ask: a real login wants a username and password, not your full card number, PIN, and one-time code on the same screen.
  • Every site is suddenly redirecting, or ads appear where they never did. If multiple unrelated sites behave strangely from every device in the house, suspect the router, not the sites.
  • A login that "fails" then quietly works on a retry. Some clones capture your first attempt, throw a fake error, then bounce you to the real site so the failure looks like a glitch. A login that failed once for no reason deserves a password change.
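As an added example, not code from SafeBrowz, the identity check behind "the padlock is there but the certificate is wrong": the subjectAltName matching a browser performs before it trusts a name, run on two constructed certificates in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns. The `fetch_peer_cert` helper is an assumption for live use and needs network access; everything the main block runs is offline.

```python
import socket
import ssl

# Constructed certificates in getpeercert() format. CLONE_CERT is a perfectly
# valid, CA-issued cert, but for the free-hosting name the clone lives on, so the
# padlock shows while the identity is wrong. GENUINE_CERT is what the bank's
# real server would present.
CLONE_CERT = {
    "subject": ((("commonName", "secure-bank-login.vercel.app"),),),
    "subjectAltName": (("DNS", "secure-bank-login.vercel.app"), ("DNS", "*.vercel.app")),
}
GENUINE_CERT = {
    "subject": ((("commonName", "your-bank.com"),),),
    "subjectAltName": (("DNS", "your-bank.com"), ("DNS", "*.your-bank.com")),
}


def _label_matches(pattern, hostname):
    """RFC 6125-style match: '*' may only replace the whole left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # '*.com' or '*.co.uk'-style patterns are refused, as browsers refuse them.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(cert, hostname):
    """True if the certificate was issued for hostname (SAN first, CN fallback)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy fallback only; modern browsers ignore a bare CN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_label_matches(n, hostname) for n in names)


def fetch_peer_cert(hostname, port=443):
    """Live helper (assumption): get the CA-validated cert a server presents,
    skipping only the name check so a mismatch can be inspected, not aborted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # name check is done by cert_covers_host
    ctx.verify_mode = ssl.CERT_REQUIRED  # the chain must still validate
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("clone", CLONE_CERT), ("genuine", GENUINE_CERT)):
        ok = cert_covers_host(cert, "your-bank.com")
        print(f"{label}: certificate {'matches' if ok else 'DOES NOT match'} your-bank.com")
```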

How to defend against pharming

No single setting stops all three vectors, so the defense is layered. Each habit closes one of the doors.

  • Change your router's default admin password and update its firmware. This is the single highest-impact step, because it shuts the router-hijack vector that poisons your whole network. Pick a long, unique admin password, turn off remote administration if you do not use it, and apply firmware updates when the maker ships them.
  • Use a reputable DNS resolver with DNS-over-HTTPS. Encrypted DNS (DoH or DoT) from a trusted provider stops on-path tampering and makes rogue-resolver redirection harder. Most modern browsers and operating systems let you turn it on in privacy settings.
  • Scan for hosts-file and DNS-changer malware. Run a reputable anti-malware scan, and on a machine you suspect, check the hosts file for lines you did not add. A clean device is the only fix for the local-poisoning vector.
  • Confirm a site's real identity with neutral lookup tools. When something feels off, check the domain's registration with a WHOIS service like who.is and scan the page through a sandbox such as urlscan.io or virustotal.com. These are safe research tools, not the scam, and they let you see the certificate and the resolving IP without entering any credentials.
  • Never click through a certificate warning on a sensitive site. Stop, close the tab, and reach the site another way. The warning is the system telling you the identity does not check out.
  • Bookmark your banking and email sites, and let the password manager be the gatekeeper. Reach sensitive sites from a saved bookmark and let your manager confirm the origin. If it will not autofill, do not type your password.
  • Turn on two-factor authentication everywhere it is offered. If a pharming clone captures your password, a hardware key or an authenticator app blocks the attacker from finishing the login. Prefer app-based or hardware 2FA over SMS, which is weaker against text-based interception.
  • Watch for whole-network symptoms. If redirects or strange ads hit every device, log into the router, check its DNS settings against your provider's values, and factory-reset it if anything was changed.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants) + community whitelist/blacklist, all running directly in the extension before the page renders.
  • Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLDs for known malicious destinations.
  • Layer 3 - AI deep scan (Premium): 100+ language content analysis identifies brand-impersonation clones in seconds, even on a domain or host SafeBrowz has never seen before.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

Here is the honest limit, because pharming is genuinely hard. A perfect DNS hijack that serves a flawless clone is one of the toughest attacks for any browser tool to catch, since the address bar reads correctly and nothing about the name looks wrong. SafeBrowz is not magic against that. What it does have going for it is that most real pharming clones are not perfect. They sit on a different IP than the genuine site, they present a certificate that does not match the brand, and they are frequently served from a lookalike host or a free-hosting subdomain that our content and brand analysis flags as impersonation. A certificate mismatch is the clearest single giveaway, and it is one a careful user and a content scanner can both catch. SafeBrowz raises that flag; it does not replace changing your router password, turning on encrypted DNS, and keeping a clean device. Treat it as one layer in the stack, not the whole defense.

FAQ

What is the difference between pharming and phishing?

Phishing needs you to click a bad link that carries you to a fake domain you can see in the address bar. Pharming needs no click: you type the correct address, but a poisoned DNS lookup silently sends you to a clone, and the URL in the bar still reads correctly. Phishing is defended by checking the URL; pharming is defended by checking the certificate, the password manager, and your router.

Can pharming happen even if I type the address myself?

Yes. That is the whole point of pharming. Typing the address by hand or clicking your own bookmark does not protect you if the DNS answer has been poisoned, because the name still resolves to the attacker's IP. The defense is to watch for a certificate warning and a password manager that refuses to autofill.

Does HTTPS or the padlock protect me from pharming?

Only partly. If the attacker cannot get a valid certificate for the real name, the browser shows a certificate warning, which is your tell. But a padlock alone only means the connection is encrypted, not that the site is genuine. Always click the padlock and confirm the certificate was issued to the brand you expect, not just that one exists.

How do I check if my router has been hijacked?

Log into your router's admin panel and look at its DNS server settings. If they point to an unfamiliar address rather than your internet provider's resolver or a DNS service you chose, that is a hijack. Change the admin password, restore the correct DNS or factory-reset the router, and update its firmware.

What does the hosts file have to do with pharming?

The hosts file is a local list your computer checks before asking any DNS server, and whatever it says overrides everything. Malware can add a line that points a real site name at the attacker's IP, so that one device goes to the fake site even when DNS and the router are clean. Cleaning the malware and removing the rogue line fixes it.

How can I tell a pharming clone from the real site?

Watch the connection, not the URL. A sudden certificate warning, a padlock whose certificate is issued to the wrong name, a password manager that will not autofill, and a login page that over-asks for card numbers or PINs are the giveaways. When in doubt, leave and reach the site from a known-good bookmark.

Is pharming still a real threat in 2026?

Yes. In April 2026 Microsoft documented a router-DNS-hijacking campaign tied to APT28 that the FBI and CISA linked to thousands of compromised TP-Link and MikroTik routers worldwide. Criminal router-hijack and hosts-file malware variants remain common. Cache poisoning is harder than it was thanks to source-port randomization and DNSSEC, but incomplete adoption keeps it alive.

Add a second line of defense against fake login pages

SafeBrowz inspects the destination behind every link and login form against our 550+ brand impersonation database and live blocklist, so most pharming clones get flagged on their lookalike host or mismatched certificate before you hand over a password. The extension is free forever for phishing and brand impersonation blocking on Chrome, Firefox, and Edge. Premium adds wallet-drainer detection and AI-based scam analysis.

