0 Replies Latest reply on Dec 13, 2007 9:30 AM by HarryWaldron

    Malicious DNS servers could enhance Phishing attacks

      :eek: DNS translations change web addresses like www.microsoft.com to a numerical IP address. The translated numerical IP address is what is actually used in the web site lookup process. This potential attack is alarming as vulnerable PCs could be hijacked to always point to a malicious DNS server for all Internet access.

      As the articles reflect these DNS hijacking exploits could serve up the correct web addresses most of the time and redirect users only once in a while. The alarming part of this is that users may feel they are doing valid online transactions, but are in essence giving the bad guys their bank account, credit card, or other identification.

      To reduce these risks, users should stay up-to-date on all security patches and AV protection. They also be careful with email attachments and web links.

      Articles: DNS Attack Could Signal Phishing 2.0
      http://www.pcworld.com/article/id,140465-c,onlinesafety/article.html
      http://www.circleid.com/posts/malicious_open_recursive_dns_servers/
      http://www.infoworld.com/article/07/12/11/DNS-attack-could-signal-Phishing-2.0_1 .html

      QUOTE: Researchers at Google and the Georgia Institute of Technology are studying a virtually undetectable form of attack that quietly controls where victims go on the Internet. The study, set to be published in February, takes a close look at "open recursive" DNS servers, which are used to tell computers how to find each other on the Internet by translating domain names like google.com into numerical Internet Protocol addresses. Criminals are using these servers in combination with new attack techniques to develop a new generation of phishing attacks.

      The Georgia Tech and Google researchers estimate that as many as 0.4 percent, or 68,000, open-recursive DNS servers are behaving maliciously, returning false answers to DNS queries. They also estimate that another two percent of them provide questionable results. Collectively, these servers are beginning to form a "second secret authority" for DNS that is undermining the trustworthiness of the Internet, the researchers warned.

      Here's how an attack would work. A victim would visit a Web site or open a malicious attachment that would exploit a bug in his computer's software. Attackers would then change just one file in the Windows registry settings, telling the PC to go to the criminal's server for all DNS information. If the initial exploit code was not stopped by antivirus software, the attack would give attackers virtually undetectable control over the computer.

      Once they'd changed the Windows settings, the criminals could take victims to the correct Web sites most of the time, but then suddenly redirect them to phishing sites whenever they wanted -- during an online banking session, for example. Because the attack is happening at the DNS level, anti-phishing software would not flag the phoney sites.

      "It's really the ultimate back door," said Chris Rouland, chief technology officer with IBM's Internet Security Systems division. "All the stuff we've deployed in the enterprise, it's not going to look for this."