DNS-Based Phishing Attacks on The Rise

Phishing fraudsters are using a pair of DNS exploits to help give them the illusion of credible domains, the latest ploy to dupe people into handing over their sensitive information.

According to research firm Netcraft, phishers have begun to use wildcard DNS records to help trick unsuspecting users into giving up information about their identity.

Wildcard DNS records help users arrive at their intended Web destination by resolving mistyped or otherwise errant host names under a domain. But wildcard DNS has been used against Barclays Bank in the U.K., with e-mail carrying a URL that contains an additional sequence of characters and ultimately leads the user to a phisher’s site.

A similar type of attack vector specific to Microsoft Internet Explorer was reported last month by security researcher Bitlance Winter. In that attack, an identifiable URL also has a string of characters or additional domain information appended that directs the user to a different address than the one shown in the visible address bar.
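A defender-side check for the two URL tricks described above, written as an added example rather than anything from the article: a familiar domain string embedded as a label in front of a domain someone else controls (which wildcard DNS will happily resolve), and, as a generalization of the "additional characters" trick, a familiar domain placed in the userinfo part of a URL before an @ so that the host actually contacted is the one after it. The public-suffix table, the classification labels, the helper names and the sample URLs are all constructed for this example; a real deployment would load the full Public Suffix List.

```python
# Added example, not code from the article: classify a URL by whether the
# host that will actually be contacted belongs to the institution whose
# name appears in it.  Wildcard DNS means that *any* label in front of an
# attacker-controlled domain resolves, so the presence of a familiar
# domain string proves nothing about which server is reached.
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (real code should load the
# full list); a public suffix is the part a registry hands out names under.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain of a host name, e.g.
    'www.barclays.co.uk' -> 'barclays.co.uk'.  IP literals and unknown
    suffixes are returned unchanged."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest public suffix first ('co.uk' before 'uk')
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def classify_url(url: str, legit_domains) -> str:
    """Return one of: 'legitimate', 'brand-in-userinfo',
    'brand-in-foreign-host', 'unrelated'.  Labels are this example's own."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()      # the host actually contacted
    userinfo = (parts.username or "").lower()  # anything before an '@'
    legit = {d.lower() for d in legit_domains}

    if registrable_domain(host) in legit:
        return "legitimate"
    # 'user@host' form: the brand domain sits in the userinfo, so a casual
    # reader sees it first, but the host after '@' is the one contacted.
    if any(d in userinfo for d in legit):
        return "brand-in-userinfo"
    # Wildcard / sub-label form: the brand name appears inside a host whose
    # registrable domain belongs to someone else.
    brands = {d.split(".")[0] for d in legit}
    if any(b in host for b in brands):
        return "brand-in-foreign-host"
    return "unrelated"


if __name__ == "__main__":
    for u in (
        "https://www.barclays.co.uk/",
        "http://www.barclays.co.uk.session-9f1.example.net/login",  # constructed
        "http://www.barclays.co.uk@203.0.113.5/",                   # constructed
        "https://www.example.org/",
    ):
        print(f"{classify_url(u, ['barclays.co.uk']):22s} {u}")
```

The decisive value is `registrable_domain(parts.hostname)`: everything to the left of it is under the control of whoever registered that domain, and a wildcard record makes every such label resolve, so a mail filter or browser extension should compare registrable domains rather than search the URL for a trusted string.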

Another technique, DNS cache poisoning, is also being used by phishers in an attack known as “pharming,” in which a poisoned DNS server redirects users to the phisher’s Web site. The “poison” is false DNS information injected into a vulnerable DNS server.

According to Netcraft, an attack this past Saturday exploited a known vulnerability in Symantec’s firewall product. The firewall vulnerability had not been patched by Symantec last year. The Saturday attack redirected user requests from eBay, Google and weather.com to a trio of phisher-directed sites.

Dave Jevans, chairman of the Anti-Phishing Working Group, told internetnews.com that he has seen an increase in wildcard DNS and DNS pharming attacks, with several new ones this year targeting North American institutions.

“UK has seen an increase since December 2004,” Jevans said. “Some of these attempt to implement man-in-the-middle attacks too.”

The DNS system itself has been the subject of proposed enhancements such as DNSsec, intended to give users better security. DNSsec is short for DNS Security Extensions, which are meant to add integrity and origin-authentication checks to DNS data.

“DNS-sec has been in the works for some time, but not really rolled out except maybe at the Verisign root. Recent events are going to spur something here, I think,” Jevans said.

DNSsec, however, won’t necessarily stop all pharming activity.

“Most pharming is using DNS poisoning at the personal PC level (eg. add entries to the local hosts file). Fixing DNS servers won’t prevent this,” Jevans explained. “Mutual authentication (possibly two-factor) would be a big help, however.”
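The PC-level pharming Jevans describes works by adding lines to the local hosts file, which the resolver consults before asking any DNS server. The audit below is an added example, not code from the article or from the APWG: it parses hosts-file content and reports entries that map a watched institution's domain (or any name under it) to a non-loopback address. The sample file content, the watched domain names and the function names are constructed for illustration; the two platform paths for the live hosts file are the standard ones.

```python
# Added example, not code from the article: audit a hosts file for entries
# that hijack names of watched institutions.  PC-level pharming works by
# appending such lines, and because the hosts file is consulted before any
# DNS query is sent, server-side fixes like DNSsec never see them.
import ipaddress
import os

# Constructed sample hosts-file content; addresses come from the
# documentation and private ranges (RFC 5737 / RFC 1918), names are placeholders.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    printer.lan          # harmless local entry
# lines below are the kind a pharming dropper appends
203.0.113.7     www.examplebank.test examplebank.test
203.0.113.7     auction.example
"""


def default_hosts_path() -> str:
    """Location of the live hosts file on the current platform."""
    if os.name == "nt":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text: str):
    """Yield (address, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower().rstrip(".")


def suspicious_entries(text: str, watch_domains):
    """Return (address, hostname) entries that map a watched domain, or any
    name under it, to a non-loopback address.  Loopback mappings are the
    normal 'localhost' lines and are ignored."""
    watch = {d.lower().rstrip(".") for d in watch_domains}
    hits = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # malformed address field; not a resolvable entry
            continue
        if addr.is_loopback:
            continue
        if any(name == d or name.endswith("." + d) for d in watch):
            hits.append((ip, name))
    return hits


if __name__ == "__main__":
    watched = ["examplebank.test", "auction.example"]
    for ip, name in suspicious_entries(SAMPLE_HOSTS, watched):
        print(f"hosts override: {name} -> {ip}")
    # To check the real file instead:
    # with open(default_hosts_path(), encoding="utf-8", errors="replace") as f:
    #     print(suspicious_entries(f.read(), watched))
```

Any hit is worth treating as an incident: a bank or auction site has no legitimate reason to appear in a hosts file, and the same check belongs in endpoint monitoring alongside integrity watching of the file itself, since, as the quote points out, this is exactly the layer that DNS-server hardening does not reach.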

The APWG recently reported that phishing attacks rose by 42 percent from December 2004 to January 2005.
