Mobile pharming – same attacks – different seeds

old combine farming great depression dust bowl combine harvestor antique 000003220203

I recently wrote a blog on mobile phishing titled:  Mobile phishing – same attacks – different hooks. There was so much feedback that I’ve decided to a write a few more posts around mobile security differences. Since I’ve already talked about phishing, let’s take a closer look at pharming.

Like phishing, pharming has been around for a long time and also like phishing, that’s because it simply works.  In the most general sense, pharming works by having a victim’s web traffic redirected to a fake, malicious site. This can happen via a compromise on the victim’s system that redirects their system’s traffic or another mechanism like a compromised DNS server (DNS Spoofing or DNS Cache Poisoning) that redirects many systems to fake, malicious sites.

Now consider September 2015’s  XcodeGhost and its variants. XcodeGhost is a nefarious version of Apple’s integrated development environment,  Xcode, that started getting well known when it found its way into Apple’s App Store. Most simply, if an app was developed with XcodeGhost it could be potentially compromised even though the developers using the XcodeGhost programming framework may not of had malicious intent. Once they submitted their app to the App Store, the “Ghost” came along for the ride.

Once installed on an iPhone, the malicious code searches for information like the device name, type, location, language, network and the like and sends the details to an external server. From there the iOS device can be remotely commanded to trick the user into divulging information like passwords and IDs with fake prompts. Also the user can be directed to websites to including malicious pharming websites.

If you want to learn more about XcodeGhost, the BBC put together a great article.  Now with that very abbreviated primer or refresher on XcodeGhost, let’s get back to pharming.


If I want to conduct pharming on a mobile device, XcodeGhost can provide a phone-home mechanism built directly into the app, downloaded from the official Apple App Store and do all this without the victim being aware of the compromise.

If the before mentioned DNS compromise is in play and the mobile device attempts to go to a legitimate site, it can still be directed to a malicious site. Also if the mobile device is running a compromised app because of XcodeGhost for example and thus can be controlled, it then becomes trivial to direct a user to a pharming site. Pharming is thus successfully achieved and the vehicle is a compromised mobile application.

Like phishing attacks on mobile, pharming has similarities to non-mobile platforms and unique mobile scenarios that need to be considered by stakeholders.

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)