Phishers Build Deceptive Links with DNS Wildcards
1sockchuck writes "In the continuing evolution of the phisher, the latest scams are crafting deceptive email links that include a bank's URL, but send victims to a phishing spoof site. The phishers are combining wildcard DNS, URL encoding and redirection services to construct the URLs. Netcraft has examples of emails that presented barclays.co.uk in the URL but sent clicks to a spoofed page at a server in Moscow. A DNS cache poisoning attack over the weekend also highlights the potential use of DNS tricks in 'pharming' (phishing using redirection rather than bait emails)."
I know for sure that every time I log into my netbank, it warns me about "Do not give your password to anyone, even us... blah blah blah".
I think most banks do what you are saying; it's just that there are so many STUPID people out there who fall for these OBVIOUS (to us at least) scams.
It is very frustrating that people fall for things like this and those dodgy African "lottery" wins that you didn't even enter.
Can your karma go above being Excellent?
No, the problem is this: html email. What's wrong with plain text? I'm serious.
I tell anybody who will listen: if you want to log in to your bank, then go to your bank's URL yourself, manually, without the aid of a click-thru in an email or another website. Type it in yourself. I doubt I am redundant enough, but I try. We should be able to get to the point that nobody would ever click on a URL in an email to get to their bank or anything else on the web that has some connection to their money or wealth or whatever.
Hello,
This is an automated letter from Bank of America. We need you to confirm your information. Please log in here by copying and pasting the link below:
http://bankofamerica.com|index.cfm|sid=100201952820932.slashdot.org/article.pl?sid=05/03/08/0052235&tid=95
Thank you for your time,
Bank of America.
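An added example, not from the Netcraft write-up or from any poster here, that pulls apart links built the way the summary and the mail above describe and reports where they really resolve. The sample links are constructed and modelled on that mail; 203.0.113.5, redirect.example and phish.example are placeholder hosts.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample links modelled on the phishing mail quoted above. The "|"
# separators travel URL-encoded (%7C) so the bank's name is the first thing a
# reader sees; the real host is the wildcard-DNS domain at the far end.
SAMPLE_LINKS = [
    "http://bankofamerica.com%7Cindex.cfm%7Csid=100201952820932.slashdot.org"
    "/article.pl?sid=05/03/08/0052235&tid=95",
    "http://www.barclays.co.uk@203.0.113.5/login",                     # userinfo trick
    "http://redirect.example/go?url=http://www.barclays.co.uk.phish.example/",
    "http://www.bankofamerica.com/",                                    # legitimate
]
TRUSTED_BANKS = {"bankofamerica.com", "barclays.co.uk"}

def split_host(url):
    """Return (userinfo or None, raw host) from the authority part. Done by hand
    rather than via .hostname so a %XX sequence inside the host is kept whole."""
    userinfo, _, hostport = urlsplit(url).netloc.rpartition("@")
    return unquote(userinfo) or None, hostport.partition(":")[0]

def registered_domain(host):
    """Rightmost labels the DNS owner controls: two, or three for co.uk-style
    TLDs. A wildcard record makes anything to the left of them resolve too."""
    labels = host.strip(".").split(".")
    if all(label.isdigit() for label in labels):            # bare IPv4 literal
        return host
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in ("co", "com", "org", "net", "ac", "gov"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def analyse_link(url):
    """Return where the link really goes and why it looks deceptive, if it does."""
    userinfo, raw_host = split_host(url)
    host = unquote(raw_host).lower()
    real = registered_domain(host)
    parts = urlsplit(url)
    tail = unquote(parts.path + "?" + parts.query).lower()
    warnings = []
    if userinfo is not None:
        warnings.append("userinfo '%s' precedes the real host" % userinfo)
    if host != raw_host.lower():
        warnings.append("percent-encoded characters inside the host part")
    if real not in TRUSTED_BANKS:
        for bank in sorted(TRUSTED_BANKS):
            if bank in host:
                warnings.append("%s is only a label inside %s" % (bank, real))
            elif bank in tail or bank in (userinfo or ""):
                warnings.append("%s is not in the host part; real host is %s" % (bank, real))
    return {"real_domain": real, "warnings": warnings}
```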
"Perhaps e-banking would be more secure if the banking site had to show you proof of authenticity"
The SSL certificate that the bank's site presents to you when you connect is all the proof you need that your traffic is not being intercepted.
Unfortunately, today's browsers hide the information about who the certificate was issued to away in a separate screen. IMO the subject of the certificate should be displayed in the status bar, where Firefox currently prints the hostname of the displayed site (needlessly, since that information is already in the address bar!)
But this isn't perfect. The certificate authorities treat the x509 dname as a unique block of text, rather than making sensible use of all the fields. Thus my bank presents a dname of "CN = www.ebank.hsbc.co.uk,OU = Terms of use at www.verisign.com/rpa (c)00,OU = Terms of use at www.verisign.com/rpa (c)00,O = HSBC Holdings plc,L = Sheffield,ST = South Yorkshire,C = GB".
IMHO our current CAs have buggered up the job, and deserve a good slapping. Instead of allowing a random company to buy its way into the CA market by paying off Netscape and Microsoft, we should ditch the present model for high-risk uses such as online banking.
Banks should issue their own (self-signed) certificates. When you open a bank account, you are supplied with the SHA1 and MD5 hashes of the certificate that the bank uses; the first time you visit the bank's web site, your browser throws up the "unidentified certificate" warning. You then eyeball the certificate, note that the hashes match those you have been provided with, and import the certificate into a store for future use.
The annoying thing is that we could do this *today*, if only people would start giving two shits about their security.
Maybe after a few thousand people get ripped off by identity thieves, people will start caring.
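An added illustration of the trust-on-first-use procedure described above (not the poster's code): the hashes the bank supplies are compared against the presented certificate before it is imported, and later visits are checked against the stored copy. The certificate bytes here are constructed stand-ins, and SHA-256 is included alongside the SHA1 and MD5 the post mentions because those two are no longer adequate for this purpose.

```python
import hashlib
import hmac

def fingerprints(der_cert):
    """Hashes of the DER-encoded certificate in the colon-separated form browsers print."""
    return {algo: ":".join("%02X" % b for b in hashlib.new(algo, der_cert).digest())
            for algo in ("sha1", "md5", "sha256")}

def normalise(fp):
    """Accept 'AB:CD', 'ab cd' or 'abcd' spellings of a printed fingerprint."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")

def matches(expected, actual):
    # Constant-time comparison; the inputs are short, but it costs nothing.
    return hmac.compare_digest(normalise(expected), normalise(actual))

def first_visit(host, der_cert, provided, store):
    """The bank supplied `provided` hashes out of band (e.g. on paper with the
    account pack); import the certificate only if every one of them matches."""
    fps = fingerprints(der_cert)
    if not all(matches(provided[algo], fps[algo]) for algo in provided):
        return "REJECT: printed fingerprint does not match presented certificate"
    store[host] = der_cert
    return "IMPORTED"

def later_visit(host, der_cert, store):
    """Subsequent visits compare the whole certificate with the pinned copy."""
    if host not in store:
        return "UNKNOWN: no pinned certificate for this host"
    if hmac.compare_digest(store[host], der_cert):
        return "OK"
    return "ALARM: certificate changed since it was pinned"

# Constructed stand-ins for DER certificate bytes. A real one would come from
# ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443))).
BANK_CERT = b"\x30\x82 constructed bank certificate (not real DER)"
PHISH_CERT = b"\x30\x82 constructed certificate from the spoof site"
# What the bank would have printed for you: the SHA1 and MD5 of its own certificate.
PRINTED_HASHES = {algo: fingerprints(BANK_CERT)[algo] for algo in ("sha1", "md5")}
```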
How do you tell bad bits of html from good bits? As long as there are links, it's possible to phish. Some of the phishers use fairly obviously bad urls if you read as plain text, but if you let them display their image and link it's a faked Sunbank link (or somefink).
The easiest thing is to turn off html, turn off display of inline images, and turn on display of full headers.
People (and companies) send way too much garbage as html or attachments that would be just fine as text. I got into the habit of using text as much as possible when working on a proposal with a bunch of astronomers who don't use MSOffice except at gunpoint. It works great, especially if you use things like sentences, paragraphs, and punctuation.
It would be trivial for the spyware which is rampant on the average user's wintel PC to alter their network settings to point the user at custom DNS servers run by the spyware companies. These could act as dns caching proxies for the most part, but then selectively fail to resolve sites the spyware companies don't want you to see, selectively redirect your queries to the webservers they do want you to see, and in the hands of the nefarious, spoof your bank site too. Until the massive gaping holes in the average user's wintel PC are closed, complex infrastructure exploits are really a waste of time. It's so much easier just to seize their PC and have your way with it.
I've said it before...
DNS is the achilles heel of the web. Take down/redirect/spoof/molest DNS, and it doesn't matter how many redundant whatevers and caching whothingies you have.
Nobody's getting to you.
And they may be getting to somebody else.
But DNS isn't glorious, so we'll keep spending the time/money on other things...
Just log in as normal. If any company that I do business with apparently sends me an e-mail, I don't bother to check if it's real or not. I also don't bother to grab the link, not as much for security but out of laziness (I use pine). I just go and log in to their site as normal. If there is something they need, it'll get my attention.
Thus you don't need to worry about getting phished, but you don't need to exclude a convenient method of communication.
My bank actually doesn't do e-mail; they call me if they want my attention, for security reasons. However, PayPal and eBay are both pretty much e-mail only. Not surprisingly, the phishes I do get are usually for those, not my bank.