Thursday, March 10, 2005

Phishers Turn To DNS Wildcards, Cache Poisoning

By Gregg Keizer
Courtesy of TechWeb.com

Phishers are using ever-more-sophisticated tactics, including DNS wildcards and DNS cache poisoning--the latter dubbed "pharming"--to separate consumers from their money, a British security firm said Tuesday.

According to Netcraft, criminals are now using DNS wildcards and URL encoding to create e-mail links that appear to be for legitimate sites, but actually send unwary consumers to fake Web sites, where phishers try to steal confidential information, such as bank or credit account numbers.

DNS wildcards--as in "*.example.com"--are typically used to guide mistyped or otherwise errant e-mails to their intended destination. In the past, DNS wildcards have been used by spammers, said Netcraft, but now they're showing up in phishers' toolkits.

Barclays Bank, for instance, has been hit by several phishing attacks that use the wildcards. The spammed messages include a link that begins with the legit "barclays.co.uk" but is then followed by a long list of letters and symbols that encodes the bogus site's URL.

These wildcard links have been created at a third-party redirection service that then sends the user to the phisher's spoofed site, not the real Barclays URL, as the consumer expects. Once at the spoofed site--which looks like the real deal--the user can be tricked into entering account log-in info, which is then stolen by the hacker.
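The following is an added example, not code from the article or from Netcraft, showing how a mail filter or browser add-on can flag the kind of link described above: it works out which domain actually owns the hostname, reports when a brand name such as barclays.co.uk is merely a subdomain of some other (wildcard-served) domain, and percent-decodes the path and query to surface an embedded redirect URL. It also flags the related trick of placing the brand name in the user-info part before an "@", which goes beyond the specific case in the text. The brand list and the sample URL are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed brand list for this example; a real filter would load its own.
BRAND_DOMAINS = {"barclays.co.uk", "google.com", "ebay.com"}

# Simplified registrable-domain logic: last two labels, or last three when the
# suffix is a two-part country-code suffix such as co.uk. This is an
# approximation, not a full public-suffix-list implementation.
def registrable_domain(host):
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"co", "org", "ac", "gov"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def analyze_link(url):
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    findings = []
    # A wildcard record on the redirector lets barclays.co.uk.<redirector> resolve,
    # so the link starts with the brand while the real owner is someone else.
    for brand in sorted(BRAND_DOMAINS):
        if brand in host and reg != brand:
            findings.append(f"brand {brand} is a subdomain of {reg}")
    # "brand@realhost" puts the brand in user-info; the browser ignores it.
    if parts.username:
        findings.append(f"user-info '{parts.username}' precedes real host {host}")
    # Undo repeated percent-encoding, then look for a URL hidden in path or query.
    decoded = parts.path + "?" + parts.query
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    for m in re.finditer(r"https?://[^\s\"'<>]+", decoded):
        findings.append(f"embedded url {m.group(0)}")
    return {"host": host, "registrable_domain": reg, "findings": findings}

if __name__ == "__main__":
    sample = "http://barclays.co.uk.redirect.example/go?u=http%3A%2F%2F203.0.113.5%2Flogin"
    print(analyze_link(sample))
```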

Not surprisingly, the fake site is hosted in Russia, a hotbed of phishing criminals.

Barclays knows of the trick, and has posted a warning on the front page of its banking site.

"Some customers have been receiving an e-mail claiming to be from Barclays advising them to follow a link to what appears to be a Barclays Web site, where they are prompted to enter their personal Online Banking details. Barclays is in no way involved with this e-mail and the Web site does not belong to us," the warning reads. "Barclays does not send e-mails to customers requesting security or any other confidential information."

Another advanced technique that has seen some use by phishers is DNS cache poisoning, a way to silently redirect users from real sites to spoofed copies, where dangerous spyware is loaded onto their systems. The tactic is sometimes called "pharming."

Last week's DNS poisoning attack has been traced to a known vulnerability in Symantec's gateway-based security appliances, said Netcraft; it allowed hackers to change information on a small number of local DNS servers, funneling real requests for major sites like Google.com and eBay.com to three hacker sites.

Symantec's bug was disclosed last June, and patches were issued then. While DNS-related redirects are rare--they're difficult to pull off, said Dan Hubbard, the senior director of security at San Diego-based Websense last week--Netcraft thinks the technique will soon be used by more phishers.

"[Last week's] incident has all the earmarks of a proof-of-concept," said Netcraft in its online alert. "New strategies are of interest to phishers, whose task has been complicated by growing vigilance by banks and their customers, as well as the emergence of defensive tools. Scammers are quick at layering new techniques atop existing spoofs and social-engineering tactics."

Netcraft offers a free toolbar that installs in Microsoft's Internet Explorer browser. It traps suspicious URLs using encoded characters, displaying the hosting location so that users can, for instance, easily see that what they thought was their U.S.-based bank is somehow being hosted out of China.