Threat Intelligence Blog

Posted January 22, 2009

Recently, there have been several high-profile incidents involving a novel combination of techniques to hijack the legitimate domains of banks and other financial institutions. This new, blended attack is a hybrid we like to call “Phish-Pharming”, where a PhishingPhishing: The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. attack is used to gather the information that in turn enables an even more dangerous Pharming attack.

Background
Phish-Pharming combines two well established types of scams. In traditional a Phishing attack, a fake Web site tricks consumers into entering passwords, ATM card numbers and PINs or other sensitive information into a fake Web site meant to look like the legitimate site being spoofed.

Pharming is more sophisticated. In a Pharming attack, users’ computers are directed to a fake Web site even though the user enters the correct address of the real site in their browser. What makes Pharming so challenging is that this can be accomplished at many stages in the DNS resolution chain. For example, one common method involves infecting a PC with malwareMalware: Software that is intended to damage or disable computers and computer systems. that modifies how that machine behaves, e.g. it changes the local “Hosts” file on the PC or redirects DNS queries to a fraudulent DNS resolver out on the Internet.

Another way to impact an individual user or household is to attack unsecured wireless routers used in many homes. (Apartment dwellers in large complexes can sometimes access dozens of unsecured Internet connections, leaving their neighbors open to malicious attack.) In yet another more challenging, but more broadly damaging variant, the machines that resolve DNS lookups for a large group such as the customer base of a local ISP, are hacked from the outside, and modified to direct all requests for a given domain name to a bogus Web site.

The ultimate extension of this line of thinking would be a method that maliciously re-directs all visitors to the bogus site, not just a few affected by a localized hack. And that is exactly what Phish-Pharming seeks to do.

How it works
The best way to hijack all the traffic to a legitimate site would be to re-delegate the domain name (that is, re-setting the IP address to which it resolves) to a fraudulent destination at the authoritative home of that instruction. The “official” entry for the IP address(es) to which a name should resolve is dictated by the domain owner when they set up and manage their site via their hosting provider or registrar.

If the domain owner/manager’s administrative login is stolen, the criminal can re-assign the resolution for the domain to a fraudulent IP address. When the change propagates across the ‘Net, nearly all requests for that domain name will take users to the bogus Web site.

Phish-Pharming uses a classic Phishing approach of “bogus email + spoof site” to entice the domain administrator to log in to a fake domain-management or registrar Web site, giving the criminals administrative access to that user’s entire domain portfolio. Instead of trying to trick users to “update their bank information” (a ploy now widely and correctly greeted with suspicion), an email might say be sent to company employees saying “your registration for www.somename.com is about to expire. Please login to renew now.” Since registration dates, contacts and other domain-related information are publicly available, details of the email can be tailored literally down to a single individual (a practice known as “Spear Phishing”), which makes the message that much more convincing.

If an administrator falls for the same, the criminal can immediately log into the legitimate domain “control panel” for the domains in that account.Once logged in as the administrator, a criminal targeting a large enterprise could re-delegate entire portfolios of domain names, attempt to transfer ownership of unused domains (where administrators might not notice they are gone), change passwords to lock out the legitimate owners, and create many other kinds of mischief.

“What can our enterprise do to protect the company and its customers?
Like all “social engineering” attacks, Pharming depends on the fact that people are often the weakest link in the security chain. Awareness is the single best weapon. Make certain that all domain-name administrators (brand owners, IP and legal staff, anyone with access to domain delegation instructions) is educated about the possibility and the reality (i.e. known cases – this actual does happen) of “being Phished to be Pharmed.”

Any message regarding domain ownership, expiration dates or other messages “from” your service provider should be examined with the same critical eye as emails claiming to come from a bank, eBay or PayPal. Check the URL to which the link actually resolves, or better yet, type the address in manually. Call your registrar or vendor rather than relying on email and links if you have questions or concerns about your domains.

Second, consider a monitoring service or other method that helps proactively check DNS resolution for your domains at different levels of the resolution chain. Like all Phishing and similar types of attacks, the impact of the attack is best mitigated by minimizing the time it takes to detect and take down or control the site in question. A proactive rather than reactive approach to detecting these attacks could save potentially critical (and expensive) minutes or even hours.

Finally, the financial industry has gone to extraordinary lengths to complicate, strengthen and validate the customer login process. To date, some registrars and hosting providers have not yet done the same, yet if your domain is hijacked at the source, all the authentication, validation and security investments are for naught. If you have any concerns about the level of authentication or security from your provider, ask them what they are doing to help raise awareness of spoof registrar messages, to stop login-stealing scams or to strengthen the protections they offer to your enterprise as a customer.

Additional Posts

Do browser features from Microsoft, Google, Mozilla, and Apple provide adequate protection against phishing attacks?

To better understand the daily risks consumers face from phishing attacks, Cyveillance test sampled ...

Deadline approaching for comments on the new ICANN gTLD proposed Application Guidebook

There are only a few days left to make a difference regarding the future of online corporate ...