Slashdot Mirror


Phishers Build Deceptive Links with DNS Wildcards

1sockchuck writes "In the continuing evolution of the phisher, the latest scams are crafting deceptive email links that include a bank's URL, but send victims to a phishing spoof site. The phishers are combining wildcard DNS, URL encoding and redirection services to construct the URLs. Netcraft has examples of emails that presented barclays.co.uk in the URL but sent clicks to a spoofed page at a server in Moscow. A DNS cache poisoning attack over the weekend also highlights the potential use of DNS tricks in 'pharming' (phishing using redirection rather than bait emails)."

26 of 245 comments

  1. Just don't read emails from the bank by The Amazing Fish Boy · · Score: 5, Interesting

    Tell the bank that you won't be reading any emails from them, and that they'd better send you snail mail or phone you. If they say that won't be possible, just go elsewhere and let (a) the first bank know why you won't bank with them, and (b) the second bank know why you are banking with them. Provide this information in letter format.

    1. Re:Just don't read emails from the bank by jagapen · · Score: 4, Interesting

      I get notification email messages from my credit union monthly. When I signed up for the account, I had to enter a 'security phrase', and every email they send includes that phrase. If it doesn't have the phrase, it's phish.
      Simple. Effective. Can be defeated, but it would take orders of magnitude more effort.

    2. Re:Just don't read emails from the bank by Billly Gates · · Score: 2, Interesting

      If the URL is identical, how would a normal person know they are being phished?

      They are not stupid at all. DNS wildcards are a bitch and many banks use long obfuscated URLs because they are applet-based websites.

  2. Remember when... by Anonymous Coward · · Score: 4, Interesting

    Just a little while ago Network Solutions thought it would be cool to redirect all nonexistent domains to a valid host in the form of website?

    Remember when ICANN even thought of listening to Network Solutions?

    Hope you do. Mental Bookmark.

  3. The problem with simple rules to avoid Phishers by soft_guy · · Score: 4, Interesting

    is that they aren't so simple. They are also not logical common sense rules either. The phishing site might look exactly like your real site. Plus, the URL might look right if the Phisher used a trojan to install a hosts file on your box.

    If this isn't solved definitively, it could destroy e-commerce.

    --
    Avoid Missing Ball for High Score
    1. Re:The problem with simple rules to avoid Phishers by jon_c · · Score: 2, Interesting

      I agree. However, I don't think there will ever be a good solution in trying to secure the internet side of the equation; there are just so many tricks one can do with users and their perception of what is OK. Until you make it user-proof there is no real security.

      I believe that the real solution to this is to make YOUR MONEY more secure; the weak link IMO is that credit card fraud and identity theft are far too easy to get away with. Let's put in place a secure money system that does not rely on the security of the medium and we'll have a real solution.

      -Jon

      --
      this is my sig.
  4. Re:That's it by Matey-O · · Score: 2, Interesting

    You're moderated as funny, but it's more sad really. The Arpanet was created for open interchange of information, and the Internet won't be complete until all the loopholes that open interchange creates are sealed off.

    How long 'til your ARP packet includes a public key proving you are who you say you are?

    --
    "Draco dormiens nunquam titillandus."
  5. Passwords should work both ways by kebes · · Score: 5, Interesting

    I've often thought it was weird that the credit card company would call me, and ask all kinds of questions to make sure I'm really me, before they would tell me/ask me something (like make sure that it was really me who made a big purchase or whatever).

    I usually ask them to give me some info from my file to prove that they actually are the credit card company they appear to be, or I call them back using the number in the official documentation.

    I think passwords/authentication have to work in both directions. Perhaps e-banking would be more secure if the banking site had to show you proof of authenticity (for example, you ask the system a question about your file, and see if it responds correctly). In practice, this might involve some additional headaches, but I think it could work.

    Perhaps the simplest scheme is that you enter your login info, but if you then complete a transaction without getting back the "correct" authentication answer, you call your bank immediately... they block the transaction, you change your password, and it is flagged immediately as a scam.

    Thoughts?

    1. Re:Passwords should work both ways by Dionysus · · Score: 3, Interesting

      In Norway, online banking has two passwords associated with the account. One permanent, and one one-time password. Both must be correct to get access to the account. So, even if a phisher got both passwords, the one-time password wouldn't be useful after that session anyway.

      Don't know why the US online banks don't have a similar system.

      --
      Je ne parle pas francais.
    2. Re:Passwords should work both ways by green1 · · Score: 2, Interesting

      Some banks are even worse than that... I found one bank that protects your account with a single password that must be less than 6 digits long and purely numeric. I find this ridiculously insecure to the point of bordering on criminal. To make things even funnier, the bank's newsletter a couple months back had a section in it dealing with how to pick a secure password for online use; only problem is that their own system will not LET you follow any of the rules in their article! I sent them an email asking about it and got no reply...

    3. Re:Passwords should work both ways by puhuri · · Score: 2, Interesting

      "Because U.S. consumers are driven largely by convenience"

      And still they use checks... I have not used those for 17 years, used debit/credit cards or online banking since then.

      My bank has single-use 4-digit codes that are sent in batches of 80 codes. You use your user ID (that was not sent to you by mail, you got it personally from the bank) and that single-use number to log in to the system. That was in the 1980s when you used a modem to connect to the online bank. When internet banking started, they added another security measure, a 4-digit confirmation number that is a random one out of 26 (a-z) that the system asks for when you have done some transactions. The confirmation numbers change also when you get a new set of sign-on numbers.

      If the phisher manages to get the single-use number, he should do an active man-in-the-middle to get the right confirmation number.

      There is also a closed messaging system that you can use to communicate with your bank representative.

    4. Re:Passwords should work both ways by emil.ede · · Score: 2, Interesting

      In Sweden we have similar systems too. The one my bank uses is you get a number that is valid for 5 minutes when you attempt to log in. You type that number into a little piece of hardware, press enter and you get a new number that you type into the web browser. You have to repeat the same thing every time you want to make a transaction too. Seems pretty safe...

      Do you just need a regular password to log in and make transactions on American banks? That sounds really weird in that case.

  6. FireFence extension idea by me at werk · · Score: 5, Interesting
    This extension for Firefox (FireFence, you know, what you put around a pharm...) would keep track of HTTPS (and, have the option to do HTTP) IPs. It would keep a log of the IPs of ALL your HTTPS sites, to see if they're in the same range. For example, google:

    [20:17] * Dns resolving www.google.com
    -
    Found 2 addresses
    dns: www.google.com nick: addr: www.google.com ip: 64.233.187.99
    dns: www.google.com nick: addr: www.google.com ip: 64.233.187.104
    -
    [20:17] * Dns resolved www.google.com to 64.233.187.104

    For this, it'd see they were in a similar range and not be too worried. If it suddenly noticed google was going to 192.168.1.100 (meh) then it would throw up alarms, "This site has a radically different address". Of course, that would be the defaults; there would be options to have it alert you for all IP changes and show you the list of past IPs, optionally look it up on ARIN/RIPE/APNIC and see who owns the IP, all sortsa stuff.

    Preferably it'd come with a list of known good sites, for paypal and a few banks or whatever.

    I think a firefence would work a lot nicer than just the spoofstick, but I know NOTHING about coding one, just about what I'd want it to do.
    --
    For context, click Parent.
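The FireFence idea from the post above, as an added example that is not code from the thread or from any real extension: it remembers the address ranges each HTTPS site has resolved to and raises an alarm when a new answer falls outside all of them. The /24 (IPv4) and /48 (IPv6) range widths, the seeding API and the sample resolutions are assumptions made for the demo.

```python
from __future__ import annotations
import ipaddress
from collections import defaultdict

PREFIX = {4: 24, 6: 48}   # assumed width of a "similar range" per address family

def net_of(ip: str):
    """Range an address belongs to, e.g. 64.233.187.99 -> 64.233.187.0/24."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_network(f"{addr}/{PREFIX[addr.version]}", strict=False)

class FireFence:
    def __init__(self) -> None:
        # hostname -> set of ranges the site has been seen at
        self.known = defaultdict(set)

    def seed(self, host: str, ips) -> None:
        """Preload a known-good list (the post suggests shipping one for
        PayPal and a few banks)."""
        for ip in ips:
            self.known[host].add(net_of(ip))

    def observe(self, host: str, ip: str) -> str | None:
        """Record a resolution; return an alarm message, or None when the
        answer lies in a range already seen for that host."""
        addr = ipaddress.ip_address(ip)
        net = net_of(ip)
        ranges = self.known[host]
        if not ranges:                  # first sighting of this host: learn it
            ranges.add(net)
            return None
        if net in ranges:
            return None
        # Out-of-range answers are deliberately NOT learned: the user decides
        # whether the site really moved, otherwise one pharmed lookup would
        # silently whitelist the attacker's address.
        reason = "radically different address"
        if addr.is_private:
            reason += " (private/LAN address for a public site)"
        return (f"{host}: {ip} is a {reason}; known ranges: "
                + ", ".join(sorted(str(r) for r in ranges)))

def replay(log):
    """Feed (host, ip) pairs from a resolver log; return the alarms raised."""
    fence = FireFence()
    return [msg for host, ip in log if (msg := fence.observe(host, ip))]

# Constructed sample resolutions, modelled on the IRC DNS output in the post
SAMPLE_LOG = [
    ("www.google.com", "64.233.187.99"),
    ("www.google.com", "64.233.187.104"),   # same /24: quiet
    ("www.google.com", "192.168.1.100"),    # pharmed to a LAN box: alarm
]

if __name__ == "__main__":
    for alarm in replay(SAMPLE_LOG):
        print(alarm)
```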
  7. Re:Spoofstick by me at werk · · Score: 2, Interesting

    Why get spoofstick for IE? The Netcraft Toolbar (used in TFA) shows the country that the server is located in even! That's much nicer.

    --
    For context, click Parent.
  8. Paypal got it right by jdreed1024 · · Score: 4, Interesting
    The site is down, so I can't check it, but I would imagine that the pop up window is made so that the Address bar is not showing and people can't easily see that it is a bad URL.

    Paypal got this right. When the Phishers started going after them in earnest, they sent a bunch of e-mails to registered users saying "Paypal will never ask you to click on a link in e-mail". And all their e-mails about transactions or special offers say "If you would like to do this, enter www.paypal.com in your browser, and then click on tab $foo and then link $bar". It's a bit more effort for the consumer, but it eliminates the "Is this a real or fake e-mail" problem - if it contains any hyperlink at all, it's fake.

    My credit card does the same thing. I get automated notifications that say "Your new statement is available online. To access it, go to www..com, and click on "My Statement".

    --
    There is no sig, there is only Zuul.
    1. Re:Paypal got it right by Monoman · · Score: 2, Interesting

      Damn filter edited out part of my message cuz I used instead of []

      What I am waiting for is for these own3d PCs to get their hosts file edited to bypass what you are talking about.

      www.paypal.com [evil ip address]
      www.bankone.com [evil ip address]
      www.wamu.com [evil ip address]

      and so on. The owned PCs are a much smaller population but I won't be surprised if the spammers/phishers resort to this tactic. Once they have access to your PC they can just keep corrupting your hosts file with "updates".

      And I got a WAMU phisher right after I submitted the original post. Now I am going to make my hosts file RO.

      --
      Keep the Classic Slashdot.
  9. Links by ScrewMaster · · Score: 4, Interesting

    My solution to this problem (since I have a girlfriend that likes to click anything interesting) was to have my mail server redirect all links embedded in incoming messages to a local page that says "don't do that." I also strip all attachments, executable or otherwise, and stick them in a protected folder on the server. That way no-one can click on a link, or accidentally execute an attachment.

    --
    The higher the technology, the sharper that two-edged sword.
  10. My Anti-Phisher Scripts (attached) by cjsnell · · Score: 5, Interesting
    I became fed up with this crap invading my inbox, so I decided to take some action. Most phishing scams are run by novices and use pre-packaged PHP pages which dump the collected info into a file or e-mail it out to an address for collection. The solution to this is simple: generate a ton of bogus information and submit it to their form processing script.

    To do this, I use Acme Software's http_load. http_load takes, on its command line, a filename containing a list of URLs to request. It then proceeds to send GET requests just as fast as the server can handle them. The trick is to use my Perl script to generate the http_load "loadfile".

    First, my script. This could definitely be improved so that it fashions names and street addresses from dictionary words. For now, I just use random junk. To make this script work, you need to look at the phishing scam's HTML source. Find all INPUT tags. Any TYPE=HIDDEN name/value pairs must go in the url_base definition, since the server expects these to be static. The rest (all of the form fields) should go in the @inputs array.

    #!/usr/bin/perl

    ## antiphisher.pl
    ## (c) 2005 Chris Snell
    ## c-j-s-n-e-l-l_A-T_-_g-m-a-i-l_D-O-T_C-O-M
    ## You better be damned careful because this
    ## script can get you in an arseload of trouble!

    use strict;
    use warnings;

    # You'll need to install the String::Random module
    use String::Random;

    # How many URLs are we going to generate? I
    # suggest using about 80 or so, to keep
    # http_load from being overwhelmed. We will
    # run these URLs for a few minutes and then
    # generate a fresh batch
    my $COUNT = 80;

    my $rand = String::Random->new;

    # this array contains all INPUT tags whose values
    # are user-supplied (ie. input fields)
    my @inputs = qw( firstname MI lastname card_number card_cvv card_pin username password );

    my %rand_input;
    my $i = $COUNT;

    while ($i-- > 0) {

        # iterate through the list of inputs
        foreach my $an_input (@inputs) {

            # generate an 8-character random value
            # for each, and store it in the rand_input
            # hash
            $rand_input{$an_input} = $rand->randpattern("........");

            # The input will likely contain
            # non-alphanumeric characters, so we get
            # rid of those. This has the nice side
            # effect of giving us inputs of
            # randomly-varying lengths
            $rand_input{$an_input} =~ s/[^a-zA-Z0-9]//g;
        }

        # This is where you specify the URL of the
        # script that will process the form
        # submission.
        # Note that I have defined a few static inputs
        # here, which were derived from TYPE=HIDDEN
        # INPUT tags in the phisher's form. You might
        # want to change the values to make sure that
        # the phisher is not able to associate your
        # e-mail address with your attack.
        my $url_base = 'http://logon.personal.wamu4u.com:280/login/script.php?hdnVal=1&hdnSi=37503603&txtUserID&pwdPassword';

        # construct the final URL from our base and
        # our random inputs
        foreach my $param (keys %rand_input) {
            $url_base .= '&' . $param . '=' . $rand_input{$param};
        }

        # Print the URL to stdout
        print "$url_base\n";

    }

    ################## END OF antiphisher.pl #######

    Now you'll need to run http_load with a fresh batch of URLs every minute or so:

    #!/bin/sh

    while true; do
        ./antiphisher.pl > urls.txt
        http_load -parallel 30 -seconds 60 urls.txt
    done

    I have another script that uses LWP::UserAgent to make the requests, which I wrote when a crafty phisher rejected submissions where HTTP_REFERER was not his phorm.

    E-mail me with questions c-j-s-n-e-l-l_A-T_-_g-m-a-i-l_D-O-T_C-O-M

    Chris

  11. Re:Its very simple... by bsharitt · · Score: 4, Interesting

    I wonder how that affects HTTPS connections. Even if they steal the DNS, they shouldn't be able to get their certificate.

  12. Just don't [Go outside] by Anonymous Coward · · Score: 1, Interesting

    "As far as I'm concerned, if you don't take the necessary measures to protect yourself, you deserve whatever you get."

    And hence the AIDS epidemic and terrorist attacks are explained.

  13. Re:Flash-forward. by Felinoid · · Score: 4, Interesting

    Going from 32 bits to 64 bits is a direct upgrade.
    Going from Text to HTML is switching technologies.

    If you rename a text file from hello.txt to hello.html and pull it up in your web browser you will lose all the formatting, as HTML expects you to do formatting with HTML commands.

    32 bits to 64 bits just means your computer can hold more information in one register.

    Also there is nothing stopping a kernel hacker from modifying Linux to store the time/date in two 32 bit registers instead of one.

    Text to HTML is like the difference between walking and riding a bike. To edit HTML you still need text. So if an issue were to crop up with Text (like the 32 bit time bug), not only could we not switch to HTML to fix it, HTML would be screwed as well.

    HTML is a good technology that (IMAO) has been pushed too far too fast.
    But it's not a replacement for text, only a better choice when text won't do the job.

    Kind of like how a desktop PC doesn't replace a pocket calculator.

    And on that note I've been writing my documents mostly in HTML for 10 years now and using a PDA for the last 3.
    And I still have a solar powered calculator and get all my e-mail in text.

    --
    I don't actually exist.
  14. First time by Cliff.Braun · · Score: 2, Interesting

    Oddly enough, I just received my first phishing attempt recently. It might have worked, but for two things. The page looked totally legit, right down to the avoid online fraud bit. The things that made me think it was a phishing attempt were the fact that I don't have a Washington Mutual account, so they wouldn't send me an email, and the fact that it went to 211.121.x.x, rather than the URL. I recently got online checking with my new bank, but I won't ever click a link to get there.

  15. Re:Help on the horizon for Windows users! by oirtemed · · Score: 5, Interesting

    Actually, this is an issue. My library, at a major university, had a document that you used to "evaluate" web sources. They used the TLD as a determining factor of value, listing .org as a non-profit organization, as well as labeling other TLDs (i.e. .com is commercial). I explained to my class that restrictions on domain names are not there, and a TLD is meaningless, aside from .edu/gov/mil etc. My professor emailed them my corrections, though I do not know if they incorporated them yet.

  16. Just had a seriously troubling thought.... by pg110404 · · Score: 3, Interesting

    Suppose through spyware/malware/trojans/virus/whatever, a virus writer were to scan your web browser history, find out what bank in particular you visit, then simply modify the local HOSTS file buried under the system32 directory to point to a specific IP address.

    They could then design a login page that doesn't even have to be encrypted (I'm sure most people wouldn't bother to notice) which mimics the real bank's login page. They give one or two "failed" login attempts before redirecting the browser to the real site.

    Instead of hijacking dns in some weird way, it simply instructs the local computer to resolve certain DNS entries to something defined locally. After the user thinks they got their password wrong, the phisher's web server redirects the user to the real bank's login page.

    This would be something that is entirely possible (virus spread by active x, email, whatnot) and monitors the web browser history for recent activity for a list of known banks, and once that user does their online banking, spoofs the local machine to go elsewhere for subsequent banking. The user doesn't know what happened, and in the meantime types in their banking information that would reveal bank accounts, etc.

    Once successfully mined, the bad guys might send an 'abort' sequence to remove all evidence of what happened and move on to the next guy, thus making it hard to track what really happened. Since that entry would be removed from the HOSTS file when that happens, most people would assume they got a string of bad luck for a few login attempts and all seems to be well again (only it's not, since that personal information is now made not quite so personal anymore).

    Just suppose this virus created keeps a low enough profile for long enough; even having a firewall, antispyware and virus scanner might not help you out. And DNS wildcards are totally sidestepped.
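A check for the hosts-file pharming described in the post above (and in Monoman's post further up), as an added example that is not code from the thread: it parses a hosts file, flags entries for watched financial domains, and flags any other public-looking name pinned to a non-loopback address. The watch list and the sample hosts content are constructed for the demo.

```python
import ipaddress

WATCHLIST = ("paypal.com", "bankone.com", "wamu.com")   # assumed watch list

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text: str):
    """Yield (lineno, address, hostname) for every mapping in a hosts file.
    A line is ADDRESS NAME [NAME...]; '#' starts a comment."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue            # malformed line: not a mapping
        for name in fields[1:]:
            yield lineno, addr, name.lower()

def under(name: str, domain: str) -> bool:
    """True when NAME is DOMAIN itself or a subdomain of it."""
    return name == domain or name.endswith("." + domain)

def scan_hosts(text: str, watchlist=WATCHLIST):
    """Return a list of (lineno, hostname, address, reason) findings."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name in LOCAL_NAMES or name.startswith("ip6-"):
            continue
        if any(under(name, d) for d in watchlist):
            findings.append((lineno, name, str(addr),
                             "watched financial domain pinned in hosts file"))
        elif "." in name and not addr.is_loopback:
            # a public name that never reaches DNS at all is suspicious
            findings.append((lineno, name, str(addr),
                             "public name resolved locally instead of via DNS"))
    return findings

# Constructed sample: benign defaults plus two planted pharming entries
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost ip6-localhost
203.0.113.66    www.paypal.com          # planted: sends logins elsewhere
203.0.113.66    www.wamu.com
127.0.0.1       ads.example.net         # hand-made ad block: harmless
"""

if __name__ == "__main__":
    for lineno, name, addr, why in scan_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}: {why}")
```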

  17. Call me sick and sadistic, but...... by pg110404 · · Score: 3, Interesting

    I think spammers/phishers deserve a special place in hell. I got an email supposedly from first eBay, then a different one from PayPal and yet another from Washington Mutual Bank(?) concerning my account information. Since I've never set up an account with any of these, I knew instantly it was a phishing scam.

    Not only that but when I hover the mouse on the link, it shows the target URL at the bottom and resolved to a fixed IP address (e.g. http://219.44.99.123/ as an example. I just made this address up) rather than point to their respective DNS names.

    So (this is the sick and sadistic part comes in), I figured I'd fill out their forms with my "personal" information which is entirely made up. Everything on the form was invented. The name, the address, everything, including the credit card number. After doing that, I sent a copy to abuse@ebay.com, etc.

    On one occasion, I got a response email stating there was a problem with my credit card information and I needed to reenter it.

    The problem here was that I used the first 4 legitimate digits for Visa, but the other 12 digits were entirely fictional and the checksum digit did not match.

    I've been toying with the idea of using a credit card number generator and getting past that specific problem, but what if the number that the cc generator picks happens to be a legitimate credit card number and some poor shmuck gets charged? I'm not quite that sadistic.

    I wonder if my bank would be gracious enough to issue me a defunct credit card that I could use specifically for this purpose. Failing that, what we need is a list of banned credit card numbers, so when these scammers try to use them, there's a trail that leads the authorities right to their door to haul them away and give them what they deserve.

    The way I see it, they took the time to write me for my information which they'd use to screw me, and the least I should do is to return the favor and give them just enough to make them think they got away with it but in fact they expose themselves to getting caught.

  18. Re:Just don't read emails from the bank-Digital Fa by jabberwocky_rt · · Score: 2, Interesting

    I can 1 up that:

    http://bankofamerica.com|index.cfm|sid=1%2000201 95 2820932.%73%6c%61%73%68%64%6f%74%2e%6f%72%67/%61%7 2%74%69%63%6C%65.pl?sid=05/03/0%208/0052235&tid=95
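The link-building trick from the story summary and from the post just above (bank name first, real domain later and percent-encoded), as an added example that is not code from the thread: it recovers the host a browser would actually contact and compares it with the brand names a reader sees in the link. The brand list and the sample URLs are constructed; the "encoded" sample is modelled on the post's link, using slashdot.org as the wildcard-DNS target as that post does.

```python
from urllib.parse import urlsplit, unquote

BRANDS = ("barclays.co.uk", "bankofamerica.com", "wamu.com", "paypal.com")

def true_host(url: str) -> str:
    """Host the resolver sees: userinfo before '@' and any port are dropped,
    then percent-escapes are decoded and the result lower-cased."""
    authority = urlsplit(url.strip()).netloc
    _, _, hostport = authority.rpartition("@")   # 'bank.com@evil' -> 'evil'
    host, _, _port = hostport.partition(":")
    return unquote(host).lower()

def under(host: str, domain: str) -> bool:
    """True when HOST is DOMAIN itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

def analyze(url: str) -> dict:
    """Compare the brands a reader sees in the link with where it goes."""
    host = true_host(url)
    shown = [b for b in BRANDS if b in unquote(url).lower()]
    owner = [b for b in BRANDS if under(host, b)]
    return {"host": host, "shown": shown, "owner": owner,
            "deceptive": bool(shown) and not owner}

# Constructed samples of the tricks the summary describes
SAMPLES = {
    "legit": "https://www.barclays.co.uk/login",
    # wildcard DNS: the bank name is only a subdomain label of the real domain
    "wildcard": "http://www.barclays.co.uk.secure-update.example/login",
    # userinfo: a 2005-era browser ignored everything before '@'
    "userinfo": "http://www.paypal.com@203.0.113.5/cgi-bin/webscr",
    # modelled on the post above: percent-encoding hides the real domain
    "encoded": ("http://bankofamerica.com|index.cfm|sid=1%2000201952820932."
                "%73%6c%61%73%68%64%6f%74%2e%6f%72%67/%61%72%74%69%63%6C%65.pl"
                "?sid=05/03/08/0052235&tid=95"),
}

if __name__ == "__main__":
    for label, url in SAMPLES.items():
        r = analyze(url)
        flag = "DECEPTIVE" if r["deceptive"] else "ok"
        print(f"{label:9} {flag:9} host={r['host']!r} shows={r['shown']}")
```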