The user request is redirected by manipulating the DNS protocol. The protocol is responsible for converting the text-based host name (URL address) into a numerical IP address. This conversion process offers criminals two points of attack in order to redirect the request.
1. Attacking the hosts File
With every website request, the computer first accesses the local hosts file to check whether the website has been visited before and if the IP address is already known.
Attackers can exploit this process. They can install malware on the computer, for instance via email attachments infected with viruses or using Trojan horses on websites. These manipulate the record of IP addresses, thereby redirecting any request to the fraudulent site.
2. Attacking the DNS Server
Another more elaborate approach to pharming is to directly infect the DNS server, from where the IP address is requested after a user enters a URL. This technique is particularly insidious: Although the user’s computer itself isn’t infected with malware, it becomes the victim of an attack.
The attack occurs via a process called DNS flooding. Here, an address resolution is suggested to the server before it is able to find the correct assignment.