DNS POISONING, AKA PHARMING, MAKES THE HEADLINES IN NOVEMBER'S NEWS
December 2011
November saw DNS poisoning, aka pharming, making the headlines on more than one
occasion. To name a few: the online threat was showcased in the high-profile hijacking of
several Brazilian ISPs’ DNS servers, an incident that resulted in millions of Brazilian users
being infected with a banking Trojan. As well, the FBI arrested half a dozen Estonian-based
cybercriminals last month in connection with a fraudulent DNS-rerouting scheme
that enabled the gang to rake in $14 million in fraudulent advertising revenue.
In view of November’s DNS-related incidents, this month’s highlight sheds light on the
Domain Name System (“DNS”), including:
–– What the DNS system is
–– How it works
–– Potential threats as exemplified in recent cases
–– Prevention and mitigation measures
WHAT IS THE DOMAIN NAME SYSTEM?
The Domain Name System (“DNS”) is a system designed to facilitate locating an internet
resource, and can be likened to a phone directory, which ‘resolves’ people’s names to their
respective phone numbers. In much the same way, DNS servers resolve web domains (such
as http://website.com) to their correct IP addresses (for example, 12.123.3.1).
HOW DOES IT WORK?
The Domain Name System is a distributed, hierarchical system that issues queries from
a user’s computer to other domain name servers until the IP address of the requested
resource is located. When an online user enters a domain name in a browser’s address
bar, for example, http://website.com, the query undergoes the following flow of events:
1. The OS queries a local file called Hosts, also known as the Hosts File. (In Windows
systems, the file is located here: [LocalDisk]/Windows/system32/drivers/etc.) The
Hosts file maps domains, aka “hosts,” to their IP addresses. (This applies to operating
systems in which a query is first issued to the local Hosts file before it is issued to
external resources.)
2. If the IP address of the host is not defined in the Hosts file, the OS queries the user’s
local DNS cache. (You can view your local DNS cache by running the command
ipconfig /displaydns.)
3. If the appropriate IP address is not located in the user’s local DNS cache, the OS
issues a query to the ISP’s DNS servers (or the user’s organization’s DNS servers).
4. The ISP checks the cache of its own DNS servers, and if the resource for the host is
not cached, it then issues a query to the root name servers to find the DNS server
responsible for the relevant top level domain (TLD). For example, a query for the
domain http://website.com would be referred to the .com name server (which
is the authoritative DNS server for the .com TLD).
5. The TLD server locates the authoritative name server for http://website.com, which
would normally be configured as ns1.website.com.
6. The authoritative name server, ns1.website.com, locates the IP address for
http://website.com, and resolves the query.
7. The OS queries the IP address of http://website.com, and retrieves its content
(the actual website).
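The lookup order in steps 1 to 3 above, written out as a small simulation (an added example, not code from the report): the hosts file is consulted first, then the local cache until its TTL expires, and only then the ISP resolver. The data, the FakeClock and the StubResolver class are constructed for this example; the IP addresses are the ones used as illustrations in this report.

```python
# Constructed sample data (not from the report): a hosts-file mapping and an
# answer table standing in for the ISP's recursive resolver.
HOSTS = {"localhost": "127.0.0.1"}
UPSTREAM = {"website.com": ("12.123.3.1", 300)}   # name -> (ip, ttl seconds)

class FakeClock:
    """Deterministic clock so TTL expiry can be shown offline."""
    def __init__(self, now=0.0):
        self.now = now
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds

class StubResolver:
    """Looks names up in the order the report describes:
    hosts file -> local DNS cache -> ISP (upstream) resolver."""
    def __init__(self, hosts, upstream, clock):
        self.hosts = dict(hosts)
        self.upstream = upstream          # name -> (ip, ttl)
        self.cache = {}                   # name -> (ip, expires_at)
        self.clock = clock

    def resolve(self, name):
        name = name.lower().rstrip(".")
        if name in self.hosts:            # 1. hosts file: no DNS query at all
            return self.hosts[name], "hosts"
        entry = self.cache.get(name)
        if entry and entry[1] > self.clock():   # 2. unexpired cache entry
            return entry[0], "cache"
        ip, ttl = self.upstream[name]     # 3. ask the ISP and cache for TTL
        self.cache[name] = (ip, self.clock() + ttl)
        return ip, "upstream"

def demo():
    """Walk the chain and show where a bad record would be served from."""
    clock = FakeClock()
    r = StubResolver(HOSTS, UPSTREAM, clock)
    steps = [r.resolve("website.com"),         # answered by the ISP
             r.resolve("website.com")]         # now answered from cache
    # a poisoned cache record (the Brazilian ISP case) is served until its TTL ends
    r.cache["website.com"] = ("3.21.31.2", clock() + 3600)
    steps.append(r.resolve("website.com"))
    clock.advance(3601)
    steps.append(r.resolve("website.com"))     # expired: the ISP is asked again
    # a hosts-file entry (local pharming) is consulted before cache or DNS
    r.hosts["website.com"] = "3.21.31.2"
    steps.append(r.resolve("website.com"))
    return steps
```

The returned list shows each answer with the stage that produced it, which is why a poisoned cache keeps serving the wrong address until the record expires and a hosts-file entry is never checked against DNS at all.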
POTENTIAL THREATS AS EXEMPLIFIED IN RECENT CASES
Potential threats to the integrity of the DNS query chain include classic pharming, DNS
Cache Poisoning, Rogue DNS servers, and local pharming. These threats are explained
below, along with relevant cases that made the headlines in November.
Classic Pharming
Classic pharming consists of the deliberate manipulation of DNS records with the
objective of providing an incorrect IP address for a given domain query. For example,
instead of resolving https://ABC-bank.com to 1.23.123.1, a poisoned DNS record would
return an incorrect IP address such as 3.21.31.2. The false IP address returned to an
online user could harbor a wide range of fraudulent content, including anything from a
phishing attack that mimics the genuine website to a Trojan infection point containing a
drive-by-download.
DNS Cache Poisoning
Earlier last month, cybercriminals reportedly hacked the cache of DNS servers belonging
to several major ISPs in Brazil, changing the ISPs’ DNS cache records for high-traffic
websites, such as Google Brazil, YouTube, Gmail, Hotmail and several large Brazilian
Internet portals like Uol, Terra or Globo.
A DNS server’s cache functions as a storage area for responses received in previous DNS
queries. DNS caches are employed with the objective of resolving DNS queries faster,
improving users’ browsing experience by saving the time it takes to pass a query
through all the relevant DNS servers until the appropriate IP address is returned.
When trying to access the high-profile websites mentioned above from one of the
affected ISPs, users were redirected to a website that forced them to download a banker
Trojan (possibly one of the numerous variants of the Brazilian Banker Trojan), which
masqueraded as a small, innocuous Java applet (a small Java application).
Given that Brazil has over 70 million internet users, and that each ISP in the country
serves at least 3 million subscribers, targeted financial institutions were likely heavily
impacted by the DNS cache poisoning attack. The confidentiality of millions of online
banking accounts was jeopardized as Banker Trojans easily collect usernames and
passwords (either via keylogging, or the logging of all HTTP and HTTPS communications).
The breach of the DNS servers’ cache may have resulted from inherent software
vulnerabilities or from the criminal actions of a server administrator, who may have
exploited his/her access to these servers to manipulate the servers’ cached responses.
Such was the case that made headlines in early November, when an employee of a
Brazilian ISP was arrested by the Brazilian Federal Police for continuously manipulating
the ISP’s DNS cache results over a 10-month period. The DNS cache poisoning in this
incident resulted in the redirection of the ISP’s subscribers to phishing attacks.
Rogue DNS Servers
Also in early November, the FBI announced that a fraud scheme involving the manipulation
of users’ DNS settings resulted in a cybercrime gang’s raking in $14 million in revenue,
which the gang generated by earning commissions on clicks made by users on ads for which
they acted as publishers. To get users to click on ads for which the cybercriminals would be
paid commission, the gang rerouted search engine results to websites that featured
revenue-generating ads (for which they acted as publishers). Plus, the crime ring replaced
legitimate online ads with different ads for which they could once again earn commission.
To accomplish their fraudulent feats, the gang manipulated users’ DNS settings by
launching an infection campaign that compromised machines with a piece of malware
called DNSChanger. The malware changed users’ local DNS settings,
rerouting their machines’ DNS queries to rogue DNS servers under the gang’s control.
This means that instead of querying their ISP’s legitimate DNS servers, victims who
downloaded DNSChanger constantly queried the gang’s rogue DNS server, which served
bogus search engine results and fraudulently-replaced ads on legitimate websites.
Rerouting the hyperlinks that came up in search engine results enabled the gang to generate
revenue by leading users to a different webpage than the one indicated by the hyperlink,
one which contained advertisements purportedly related to the product they sought.
Subsequent clicks by users on those ads generated commissions for the gang. This
scheme is known as Click Hijacking or “click-jacking.”
Another revenue-generating scheme deployed by the gang involved advertising
replacement fraud. As stated by the FBI, “Using the DNS Changer malware and rogue
DNS servers, the defendants also replaced legitimate advertisements on websites with
substituted advertisements that triggered payments…” to the gang.
Local Pharming
While not directly involving DNS servers, local pharming comprises another form of
IP-resolution fraud. In some operating systems, hosts files are given priority over
resolution by DNS systems. In such systems, if a given host (web domain) is located in
the hosts file, no DNS query is performed to resolve its IP address, but rather the IP
specified in the hosts file is used.
Consequently, by changing the IP address associated with the host name (domain) of an
entity, Local Pharming Trojans redirect victims to various fraudulent webpages, which may
in turn serve malicious content ranging from phishing attacks to Trojan infection points
and click-jacking schemes. Local pharming is especially popular among variants of the
Brazilian Banker Trojan.
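A defender-side check for the local pharming described above, written as an added example (not code from the report or from RSA): it parses hosts-file text in the format the OS reads and flags entries that override a monitored domain, or that pin any dotted public name to a global address. The sample hosts file, the MONITORED list and the helper names are constructed for this example.

```python
import ipaddress

# Constructed sample hosts file (not from the report); the last two lines are
# the kind of overrides a local pharming Trojan writes.
SAMPLE_HOSTS = """\
# hosts file comment
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    printer.lan   # office printer
3.21.31.2       ABC-bank.com www.ABC-bank.com
3.21.31.2       google.com.br
"""
MONITORED = ["ABC-bank.com"]   # domains the organisation wants watched

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments
    and malformed lines; one line may name several hosts."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")

def suspicious_entries(text, monitored):
    """Flag entries that pin a monitored domain (or a subdomain of it) to any
    address, and entries that pin other dotted names to a global address."""
    monitored = [m.lower() for m in monitored]
    findings = []
    for ip, name in parse_hosts(text):
        if any(name == m or name.endswith("." + m) for m in monitored):
            findings.append((name, ip, "overrides monitored domain"))
        elif "." in name and ipaddress.ip_address(ip).is_global:
            findings.append((name, ip, "public name pinned to global address"))
    return findings
```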
PREVENTION AND MITIGATION MEASURES
How can pharming be prevented? The Domain Name System Security Extensions (DNSSEC),
a set of specifications issued as part of a larger industry-wide effort, enable the
authentication of DNS responses, in an effort to improve the reliability of DNS responses
and thwart DNS-poisoning efforts. The central idea behind DNSSEC is to enable DNS query
responses to be authenticated using a digital signature. A digitally signed DNS response
enables a user to verify whether the information received in response to a DNS query
matches the information served by the authoritative DNS server for that domain, ensuring
that the DNS response is correct and complete.
How can a pharming attack be mitigated once launched? An outsourced solution, such as
the RSA FraudAction Anti-Pharming Service, is designed to handle DNS poisoning attacks
from the detection phase to the threat’s complete shutdown. To detect pharming on a
particular entity’s website, RSA deploys dedicated servers that actively monitor the
Internet in search of poisoned DNS servers.
As illustrated below (and mentioned above), pharming, including local pharming, may
be launched from four different points in the DNS query chain:
–– The user’s Hosts File (local pharming)
–– The ISP’s DNS server
–– The Root Name Server
–– The Authoritative Name Server
As large scale attacks may be launched from the latter three points (ISPs’ DNS Server, the
Root Name Server, and a domain’s Authoritative Name Server), that is where mitigation
solutions focus their monitoring and detection efforts.
The FraudAction Anti-Pharming Service is focused on points 2, 3 and 4 (excluding the user’s
own PC), where the majority of large scale attacks can take place (see figure below).
[Figure: RSA FraudAction Anti-Pharming real-time scanning. Points 1 to 4 represent the DNS
hierarchy: 1 the user’s PC hosts file (DNS bypass); 2 the ISP DNS server; 3 the root DNS
server; 4 the bank’s authoritative DNS server; followed by the bank’s web server.]
(As a side note, local pharming attacks, which are the product of Local Pharming Trojans,
are detected, monitored, blocked and shut down using a different methodology. The
RSA FraudAction Anti-Trojan Service detects and handles Local Pharming Trojans on a
regular basis.)
To detect pharming on a given set of domain names (the website domains of a specific
organization, for example), a system is set up to continuously query the above points of
the DNS query chain. The system verifies the validity of the name server and IP-address
responses to DNS queries on an organization’s domains. In addition, the system scans
select ISP DNS servers to ensure that their cached data has not been poisoned at any
point in time.
If an attack is detected and confirmed, the spoofed website is taken down, and the owner of
the poisoned DNS server is contacted to enable the immediate removal of the manipulated
DNS information. The key to fighting DNS poisoning is limiting the window of opportunity
that a pharming attack has to serve malicious content (be it phishing attacks, Trojan attacks,
or click-jacking) to a potential victim. Real-time detection of a pharming attack that is already
in progress, combined with the means and capabilities to immediately remediate, can
significantly curtail the debilitating impact such an attack may have.
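The comparison at the heart of the detection approach described above, as an added example (not RSA’s code and not part of the report): answers collected from several points of the query chain are checked against the organisation’s authoritative A and NS records, with round-robin subsets accepted and anything outside the set, an empty answer, or a domain with no baseline reported. The monitoring points, the domain abc-bank.com, the ns1.rogue.example name and the record values are constructed; the poisoned address 3.21.31.2 is the one used as an illustration in this report.

```python
# Constructed monitoring snapshot (not the report's data): the authoritative
# records for the organisation's domain and the answers a scanner collected
# from several points of the DNS query chain.
AUTHORITATIVE = {
    ("abc-bank.com", "A"):  {"1.23.123.1", "1.23.123.2"},
    ("abc-bank.com", "NS"): {"ns1.abc-bank.com", "ns2.abc-bank.com"},
}
OBSERVATIONS = [
    # (monitoring point, domain, record type, answers seen)
    ("isp-resolver-1", "abc-bank.com", "A",  {"1.23.123.1"}),
    ("isp-resolver-2", "abc-bank.com", "A",  {"3.21.31.2"}),
    ("isp-resolver-2", "abc-bank.com", "NS", {"ns1.abc-bank.com", "ns2.abc-bank.com"}),
    ("tld-delegation", "abc-bank.com", "NS", {"ns1.abc-bank.com", "ns1.rogue.example"}),
    ("isp-resolver-3", "abc-bank.com", "A",  set()),
    ("isp-resolver-3", "shop.abc-bank.com", "A", {"1.23.123.9"}),
]

def check_observations(observations, authoritative):
    """Compare each observed answer with the authoritative record set.
    A subset of the authoritative set is fine (round-robin answers);
    anything outside it, an empty answer, or a domain with no baseline is
    reported as a finding."""
    findings = []
    for point, domain, rtype, seen in observations:
        expected = authoritative.get((domain, rtype))
        if expected is None:
            findings.append((point, domain, rtype, "no baseline record"))
        elif not seen:
            findings.append((point, domain, rtype, "empty answer"))
        elif seen - expected:
            bad = ", ".join(sorted(seen - expected))
            findings.append((point, domain, rtype, "unexpected " + bad))
    return findings

def poisoned_points(findings):
    """Distinct monitoring points that returned a record outside the
    authoritative set; these are the servers whose owners get contacted."""
    return sorted({f[0] for f in findings if f[3].startswith("unexpected")})
```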
Phishing Attacks per Month
[Figure: bar chart of unique phishing attacks detected per month, Nov 10 to Nov 11.
Source: RSA Anti-Fraud Command Center]
In November, phishing volume increased 18 percent – with 28,365 unique attacks
detected by RSA. Compared to the same time last year (November 2010 vs.
November 2011), phishing volume has increased 69 percent.
Number of Brands Attacked
[Figure: bar chart of the number of brands attacked per month, Nov 10 to Nov 11.
Source: RSA Anti-Fraud Command Center]
Last month, 313 brands were targeted within phishing attacks, marking a five
percent increase. Fifty-five percent of the brands targeted last month endured less
than five attacks each. This figure is slightly higher than the 51 percent
recorded in October. It appears that an increasing number of brands are enduring
less than five attacks per month as phishers look to expand the list of brands
added to their target list.
US Bank Types Attacked
[Figure: stacked bar chart of the share of attacked U.S. brands by bank type (credit unions,
regional banks, nationwide banks) per month, Nov 10 to Nov 11. Source: RSA Anti-Fraud
Command Center]
The portion of brands targeted in the U.S. credit union sector decreased five percent,
while brands targeted with phishing in the regional US banking sector saw a four
percent increase. In addition, the portion of phishing attacks against nationwide U.S.
banks increased two percent.
Top Countries by Attack Volume
[Figure: pie chart, November 2011. United Kingdom 51%, U.S. 23%, South Africa 8%,
Canada 6%, Brazil 3%, India 2%, Netherlands 1%, Australia 1%, Colombia 1%,
37 other countries 3%.]
In September 2011, the UK overtook the U.S.’s ostensibly perpetual position as the
country that endured the highest volumes of phishing attacks each month. In
November, the UK remains the country that has suffered the highest volume of
phishing attacks with 51 percent of attacks launched against entities in the UK.
The U.S. endured the second highest volume - 23 percent - less than half of the
attacks experienced by the UK, followed by South Africa (8 percent) and Canada (6
percent).
Top Countries by Attacked Brands
[Figure: pie chart, November 2011. U.S. 32%, United Kingdom 11%, Brazil 7%, India 4%,
Canada 4%, Australia 4%, France 3%, Spain 3%, Germany 2%, South Africa 2%, Italy 2%,
China 2%, Colombia 2%, 33 other countries 21%.]
Through November, a total of 20 countries endured one percent or more of the
world’s phishing attacks. Together, the U.S. and UK accounted for 43 percent of
the world’s targeted brands, while the brands of eleven additional countries
accounted for a total of 35 percent of phishing attacks in November.
Top Hosting Countries
[Figure: pie chart, November 2011. U.S. 61%, United Kingdom 5%, Russia 4%, Germany 4%,
Australia 3%, Poland 2%, Netherlands 2%, Brazil 2%, France 2%, Canada 2%,
65 other countries 14%.]
In November, the US hosted 61 percent of the world’s phishing attacks, a seven
percent increase from October. Nine of the top ten hosting countries in November
retained their status from October with Poland replacing the Ukraine on that chart.
CONTACT US
To learn more about how RSA products, services, and solutions help solve your business
and IT challenges contact your local representative or authorized reseller – or visit us at
www.RSA.com
©2011 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC
Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective
holders. DEC RPT 1211