Phishers Turn To Devious DNS Tricks

"What I'll call, for lack of a better term, the 'old way' of phishing -- sending e-mail, enticing people to a bogus Web site -- didn't rise as dramatically as it has in the past," said Dan Hubbard, the senior director of security at Websense, which released the latest phishing data in concert with the APWG. "But phishers are changing to other attack vectors. The attacks have changed."

The APWG's numbers bear out the flattening in the rise of both "traditional" e-mail phishing attacks and the phishing sites hosted by criminals. The number of e-mailed phishing campaigns climbed by just 2 percent in March over February, noted Hubbard, while the APWG's data showed a 6.8 percent increase in the number of active phishing sites.

"I don't know if users are any less nave," said Hubbard, "but I think the message's gotten across that it's dangerous to open file attachments. And some ISPs are simply blocking attachments as a way to stem phishing."

But it's those kinds of changes in behavior -- and technology defenses deployed by enterprises and Internet providers -- that's making phishing criminals look for other ways to steal identities and pillage bank and credit card accounts.

Sponsored post

The trend of phishers using other techniques to separate users from their cash is accelerating, said Hubbard, who said that over the last two months, Websense's labs have been monitoring a "dramatic increase" in phishing attacks based on malicious code, not e-mail.

In particular, phishers are increasingly planting keyloggers -- malicious programs that spy out keystrokes, sometimes only those keystrokes associated with logging on to an online banking site -- to filch identities. From November through December 2004, Websense found a weekly average of 1 to 2 new phishing keyloggers and 10 to 15 sites hosting the Trojans that carried the keyloggers. By February and March 2005, however, those numbers had multiplied five to ten times: Websense saw 8 to 10 new keyloggers and more than 100 malicious sites hosting them each week during those months.

Other tactics phishers are using in ever-larger numbers, said Hubbard, include adult Web sites that exploit Internet Explorer vulnerabilities to plant malicious code on PCs without any user interaction, instant message spam (dubbed "spim" that entices users to nasty sites that plant keyloggers, and Trojans attached to spam that when run by the recipient (by simply opening a file attachment), installs a keylogger.

Brazil is at the forefront of such phishing tactics, said the APWG's latest report. A recent attack there that Websense monitored, said Hubbard, began with a 100,000-message spam campaign in Portuguese that claimed to include a digital tune. When users clicked on the attachment, a malicious executable was actually served up from a U.S.-based hosting service, and installed a keylogger that watched for banking log-on attempts.

"We don't know if Brazil is just ahead of the curve," said Hubbard, "which could mean that we're in for the same at some point, or if the users are more likely to take the phishers' bait."

Other groups are reporting new -- and even sneakier -- techniques on the part of phishers. Details of a new phisher tactic have been disclosed both by the SANS Institute and on a security mailing list which involve botnets, collections of compromised or infected PCs.

Phishers have long used botnets to host their fake Web sites, using these machines -- whose owners don't know the felonious purposes the PCs are being put to -- rather than commercial hosting services. But now they're also using the botnets to host their own bogus domain name system (DNS) servers.

(DNS servers are the machines which resolve URLs to the actual IP addresses of a site.)

"The idea," said Hubbard, "is that they modify your machine so that it points to a falsified DSN server on one of their bots. That fake DSN server then points to a bunch of bogus IP addresses for real URLs."

The tactic is a bit like DSN pharming, where legitimate DNS servers -- usually those in enterprises, since they're easier to reach than those at ISPs -- are hacked to point Web users to illegitimate URLs, said Hubbard. "But rather than have to attack a DSN server, which can be difficult, they just have to infect your PC with malicious code."

Phishers, said both the SANS Institute and a posting on the Dailydave security mailing list, are also using bot-hosted DNS servers to stay ahead of the authorities, and keep their sites up and running longer before someone shuts them down.

The Dailydave mailing list laid out the process.

"The hostname that is hosting the phishing site is served up by five different name servers. Those five name servers are on home computers residing on networks such as Comcast, Charter, etc.

"The name servers are using some sort of round-robin DNS to serve up five different IP addresses for the phishing site, and the five IP addresses used are changing every ten to fifteen minutes.

"All of this seems to be a distributed phishing scam controlled by some sort of bot network. This type of phishing site organization is virtually impossible to get shut down, other than having the registrar of the domain deactivate the domain. Anyone that has ever worked with a registrar on something like this knows that it's like speaking to a wall."

"These DNS servers can change the IP address of the fake site over and over again," said Hubbard. "Say the fake site is hosted in China, but is quickly shut down. The phisher just has to change the bogus DNS server and anyone clicking on a phishing link would get sent to another machine, maybe now in the U.S., that's hosting the phony site."

"Phishers are getting smarter," he said.