Phishers Build Deceptive Links with DNS Wildcards 245
1sockchuck writes "In the continuing evolution of the phisher, the latest scams are crafting deceptive email links that include a bank's URL, but send victims to a phishing spoof site. The phishers are combining wildcard DNS, URL encoding and redirection services to construct the URLs. Netcraft has examples of emails that presented barclays.co.uk in the URL but sent clicks to a spoofed page at a server in Moscow. A DNS cache poisoning attack over the weekend also highlights the potential use of DNS tricks in 'pharming' (phishing using redirection rather than bait emails)."
Very confusing (Score:5, Informative)
Its very simple... (Score:4, Informative)
DNS cache poison can be stopped (Score:5, Informative)
To the extent of my knowledge, only two recursive DNS servers have this level of DNS poison protection: DjbDNS' dnscache [cr.yp.to] and MaraDNS [maradns.org].
It is also important to have bailwick protection. Basically, the recursive DNS server needs to look at a DNS reply, and filter out any answers not in the bailwick. Older DNS servers (and possibly poorly written embedded DNS caches and recursive servers) will get a reply like "www.paypal.com has the ip 10.1.2.3" to the question "what is the ip for www.phisherscum.com?", and incorrectly cache the data for www.paypal.com instead of saying "I didn't ask for paypal.com's ip, so I'll ignore this data as being out of bailwick".
Additionally, it improves security to restrict which IP addresses are allowed to make remote DNS queries. This is best done at the firewall level (don't allow any UDP connections to port 53 from the internet at large unless you have some domains hosted by the machine in question). This stops malicious servers sending a large number of requests to your dns server for www.paypal.com, and a number of bogus answers "www.paypal.com has the IP of some phishing site in China; remember this until 2007", until one of the answers looks valid and fools your DNS server.
In summary, by using a secuirty aware DNS resolver, you can minimize, if not eliminate the chances of being vulnerable to bogus DNS data.
Re:Stupid (Score:1, Informative)
Interesting timing (Score:1, Informative)
Spoofstick (Score:5, Informative)
Re:My Anti-Phisher Scripts (attached) (Score:4, Informative)
Re:It takes some evangelizing (Score:2, Informative)
Re:Passwords should work both ways (Score:4, Informative)
Re:Passwords should work both ways (Score:2, Informative)
Re:Very confusing (Score:5, Informative)
This says that http://barclays.co.uk|snc9d8ynusktl2wpqxzn1anes89g i8z.dvdlinKs.at/pgcgc3p/
goes to the kickme.to web site. THis applies to anything replacing the *.
Internet Explorer misreads the | as a network redirect (from NT4) and ignores the rest in URL so people think that they are going to Barclays Bank since that is what shows up in information windows.
You missed the cache part (Score:5, Informative)
No. That is not cache poisoning, since it doesn't poison a cache. All DNS servers will cache records that they had to look up. It works like this: Someone queries a DNS server, asking what IP an address maps to. This DNS server doesn't know, and must query another server to find out. Our DNS server sends the query out to another DNS server that would know the answer (the authoritative server for that domain) and waits for a response. When it receives this response, it answers the original query and caches the response so the next time the same query is made it has the answer.
What the attacker does is sends out several (as in, a LOT of) queries to a DNS server for a name, say bank.com. Then, the same attacker sends out several (!) spoofed answers to this query, saying that bank.com maps to a certain address, which is actually some server the attacker controls. The goal is that your bogus response will beat the real response and be accepted by the target DNS server. If the attack is successful, this bogus answer is cached, so when someone else goes to look up bank.com from that particular DNS server, they get the IP of the attacker's server.
The trick is that a DNS server will pick a random number that it assigns to the query sent out to the next DNS server. The response must contain this number for it to be accepted as authentic. The attacker very rarely can know what that number is, hence the large amount of query and answer packets that must be sent out (you are essentially trying to get lucky and hope that one of your fake response packet's number matches one of the server's query packets). In a perfect world, these numbers would be truly random and an immense amount of bandwidth would be required to get enough packets to the server to have a shot at guessing correctly. However, many of the DNS servers pick random numbers out of a much smaller field than they should.
Re:DNS cache poisoning? (Score:4, Informative)
One example of a cache poisining attack is for a DNS server to provide 'extra answers' for a query.
eg: dns resolver (for an ISP) asks ns.network.net for the records for www.network.net, because some user wants to look at it. No problem it says, and gives back the address of www.network.net.
However, if ns.network.net was malicious, it might also give the address of www.bank.com. If the resolver then accepted this address of www.bank.com and entered it into its cache, well, www.network.net has just taken control of www.bank.com.
(This is why various DNS resolvers have features to ignore additional answers to queries, or ignore answers outside the 'bailiwick' of the server, or things like that. Glue records do make the situation more complex than I've described.)
Re:Its very simple... (Score:2, Informative)
Common Name: ibank.barclays.co.uk
Organization: Barclays Bank Plc
OU: Enable
And was issued by Verisign, expires on 03/08/2005 (UK format).
Which all looks OK, but as I have never had a bank account at Barclays I went there and let them have some crap data.
Re:Call me sick and sadistic, but...... (Score:2, Informative)
5473 0000 0000 0007 (Mastercard)
4111 1111 1111 1111 (Visa)
4444 3333 2222 1111 (Visa)
3434 343434 34343 (American Express)
Just make up a future expiry date.