Mobile pharming – same attacks – different seeds

Aug 09, 2016, 3 mins
Mobile Security, Security, Social Engineering

I recently wrote a blog on mobile phishing titled Mobile phishing – same attacks – different hooks. There was so much feedback that I've decided to write a few more posts around mobile security differences. Since I've already talked about phishing, let's take a closer look at pharming.

Like phishing, pharming has been around for a long time, and, also like phishing, it persists because it simply works. In the most general sense, pharming works by having a victim's web traffic redirected to a fake, malicious site. This can happen via a compromise on the victim's system that redirects that system's traffic, or via another mechanism such as a compromised DNS server (DNS spoofing or DNS cache poisoning) that redirects many systems to fake, malicious sites.
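Both redirection paths described above, a local override of name resolution and a resolver that hands back the wrong address, can be checked from the defender's side by comparing what a device actually resolves against a known-good allow-list. The following Python is an added example, not code from the original post; the hosts-file contents, resolver answers and allow-list are all constructed for illustration, and the hosts-file check is one assumed instance of a "compromise on the victim's system".

```python
import ipaddress

# Constructed allow-list (not from the post): addresses each monitored
# domain is expected to resolve to, e.g. from the operator's published ranges.
EXPECTED = {
    "bank.example": {"198.51.100.10", "198.51.100.11"},
    "mail.example": {"203.0.113.5"},
}

# Constructed hosts-file text containing a local override of bank.example.
SAMPLE_HOSTS = """
127.0.0.1   localhost
::1         localhost
# override of a monitored domain (constructed for illustration)
192.0.2.50  bank.example www.bank.example
"""

# Constructed answers as returned by the device's configured resolver.
SAMPLE_RESOLVER_ANSWERS = {
    "bank.example": {"198.51.100.10"},   # matches allow-list: fine
    "mail.example": {"192.0.2.77"},      # outside allow-list: suspicious
}

def parse_hosts(text):
    """Return {hostname: set(ip)} from hosts-file text, skipping comments/malformed lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)            # validate the address column
        except ValueError:
            continue
        for name in names:
            mapping.setdefault(name.lower(), set()).add(ip)
    return mapping

def find_redirections(hosts_text, resolver_answers, expected=EXPECTED):
    """List (domain, source, addresses) where a monitored domain resolves outside its allow-list."""
    findings = []
    hosts_map = parse_hosts(hosts_text)
    for domain, allowed in expected.items():
        # A hosts-file entry takes precedence over DNS, so check it first.
        local = hosts_map.get(domain, set())
        if local and not local <= allowed:
            findings.append((domain, "hosts", sorted(local)))
        answers = resolver_answers.get(domain, set())
        if answers and not answers <= allowed:
            findings.append((domain, "resolver", sorted(answers)))
    return findings
```

Running `find_redirections(SAMPLE_HOSTS, SAMPLE_RESOLVER_ANSWERS)` reports the hosts-file override of bank.example and the unexpected resolver answer for mail.example, while an unmodified hosts file and allow-listed answers produce no findings.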

Now consider September 2015's XcodeGhost and its variants. XcodeGhost is a nefarious version of Apple's integrated development environment, Xcode, that became well known when apps built with it found their way into Apple's App Store. Most simply, if an app was developed with XcodeGhost it could potentially be compromised even though the developers using the XcodeGhost programming framework may not have had malicious intent. Once they submitted their app to the App Store, the "Ghost" came along for the ride.

Once installed on an iPhone, the malicious code collects information such as the device name, type, location, language and network, and sends the details to an external server. From there the iOS device can be remotely commanded to trick the user into divulging information like passwords and IDs with fake prompts. The user can also be directed to websites, including malicious pharming websites.

If you want to learn more about XcodeGhost, the BBC put together a great article. Now, with that very abbreviated primer or refresher on XcodeGhost, let's get back to pharming.


If I want to conduct pharming on a mobile device, XcodeGhost can provide a phone-home mechanism built directly into an app downloaded from the official Apple App Store, and do all this without the victim being aware of the compromise.

If the aforementioned DNS compromise is in play and the mobile device attempts to reach a legitimate site, it can still be directed to a malicious site. Likewise, if the mobile device is running an app compromised by XcodeGhost, for example, and can therefore be controlled, it becomes trivial to direct the user to a pharming site. Pharming is thus successfully achieved, and the vehicle is a compromised mobile application.

Like phishing attacks on mobile, pharming has both similarities to non-mobile platforms and unique mobile scenarios that stakeholders need to consider.


Over the last two decades Brian Contos helped build some of the most successful and disruptive cybersecurity companies in the world. He is a published author and proven business leader.

After getting his start in security with the Defense Information Systems Agency (DISA) and later Bell Labs, Brian began the process of building security startups and taking multiple companies through successful IPOs and acquisitions including: Riptech, ArcSight, Imperva, McAfee and Solera Networks. Brian has worked in over 50 countries across six continents and is a fellow with the Ponemon Institute and ICIT.

The opinions expressed in this blog are those of Brian Contos and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.