Monday, August 13, 2007

Pharming Attacks Through DNS Cache Poisoning

A month ago, a detailed assessment of a recently released vulnerability in BIND9 was conducted by Amit Klein to highlight the wide impact typical nameserver vulnerabilities have in general, and this one in particular. Now that an exploit is available as well, the possibility of large-scale, automated pharming attacks becomes fully realistic:

"A program has appeared on the Milw0rm exploit portal which is able to exploit the recently reported vulnerability in the BIND9 nameserver. Transaction IDs can be predicted or guessed relatively easily, so the cache of a vulnerable nameserver can be poisoned. Phishers can use cache poisoning for pharming attacks on users by manipulating the assignment of a server name to an IP address. Even if the user enters the name of his bank in the address line of his browser manually, he will still be taken to a counterfeit web page."

Pharming, like any other threat, usually receives cyclical media attention, either prompted by a massive discovered attack, or to build awareness of an advanced phishing scheme to come, in a typical "focus on current instead of emerging trends" mindset. How would access to a nameserver be obtained if not by hacking into it? The never-ending underground economy's supply-of-goods model indicates that certain goods, such as access to breached FTP, Web and DNS servers, change value over time through the release of such exploits. So suddenly, access to a nameserver gets a higher valuation than usual.
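The quoted advisory turns on one property: whether the resolver's 16-bit transaction IDs can be guessed. A defender can measure that on their own resolver before worrying about the exploit. The script below is an added example, not code from the original post or from BIND; it assumes you have already recorded the transaction IDs of your own resolver's outbound queries (for instance from a packet capture) and pass them in as a list of integers. The three sample sequences at the bottom are constructed, not real captures, and the thresholds in assess_txids are illustrative assumptions.

```python
"""Measure how predictable a DNS resolver's transaction IDs are.

Added example; not code from the original post or from BIND. It assumes you
have already recorded the 16-bit transaction IDs of your own resolver's
outbound queries (e.g. from a packet capture) and pass them in as a list of
ints. The three sample sequences at the bottom are constructed, not real
captures."""
import math
import random
from collections import Counter


def normalized_entropy(txids):
    """Empirical Shannon entropy of the observed IDs divided by the maximum
    a sample of this size could reach (16 bits, or log2(n) when n < 65536).
    Close to 1.0 means the generator spreads IDs over the whole space."""
    n = len(txids)
    if n < 2:
        return 0.0
    counts = Counter(txids)
    bits = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return bits / min(16.0, math.log2(n))


def constant_delta_fraction(txids):
    """Fraction of consecutive pairs whose mod-2^16 difference equals the most
    common difference. Counters and fixed-stride generators score 1.0; a
    uniform random source scores near zero."""
    if len(txids) < 2:
        return 0.0
    deltas = [(b - a) & 0xFFFF for a, b in zip(txids, txids[1:])]
    _, top_count = Counter(deltas).most_common(1)[0]
    return top_count / len(deltas)


def assess_txids(txids, entropy_floor=0.9, delta_ceiling=0.2):
    """Return the two metrics plus a verdict. The thresholds are assumptions
    chosen for illustration, not published standards."""
    ent = normalized_entropy(txids)
    delta = constant_delta_fraction(txids)
    weak = ent < entropy_floor or delta > delta_ceiling
    return {"normalized_entropy": ent,
            "constant_delta_fraction": delta,
            "verdict": "weak" if weak else "ok"}


# Constructed samples of 2000 queries each (not captured from a real resolver).
SEQUENTIAL_TXIDS = [(0x1234 + i) & 0xFFFF for i in range(2000)]   # simple counter
_rng = random.Random(7)
RANDOM_TXIDS = [_rng.randrange(65536) for _ in range(2000)]         # uniform
_pool = [_rng.randrange(65536) for _ in range(32)]
SMALL_POOL_TXIDS = [_rng.choice(_pool) for _ in range(2000)]        # only 32 distinct IDs

if __name__ == "__main__":
    for name, sample in [("sequential", SEQUENTIAL_TXIDS),
                         ("random", RANDOM_TXIDS),
                         ("small pool", SMALL_POOL_TXIDS)]:
        print(name, assess_txids(sample))
```

The two metrics catch different weaknesses: a counter has perfect entropy but a constant delta, while a generator that draws from a small pool has random-looking deltas but low entropy. The same functions can be run over the resolver's UDP source ports, which only widen the guessing space if they are randomized as well.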

I've been using a handy Firefox add-on to keep track of the constantly changing IPs of various cyber jihadist forums and web sites for quite some time now. The tool actually pitches itself as an anti-pharming add-on, which you ought to evaluate for yourself:

"SCM performs Site Continuity Management validations on websites to help prevent Pharming attacks. Pharming attacks are an advanced form of Phishing where an adversary poisons the data held in the user’s DNS server. SCM is believed to be the first add-on to protect users from this advanced attack."

DIY Phishing Kits

Rock Phish's efficiency-centered approach in terms of hosting numerous phishing pages on a single domain, often an infected home user's host, easily turned it into the default application for DIY phishing attacks. And despite that we still haven't seen multi-feature phishing kits like the ones I'm certain will emerge anytime now, here's an automatic URL redirector of data submitted to a phishing site that showcases the ongoing DIY phishing kits trend. Basically, once the source code of, for instance, a fake PayPal login page is pasted, it ensures all the submitted account data is forwarded to the malicious server where it gets logged. The main aim of this tool isn't to achieve mass-scale efficiency as is the case with Rock Phish, but to make it easier for phishers to point'n'click create or update the fake pages to be hosted on a Rock Phish domain. The program's intro:

"Steps to creating a fake login, simple as 1,2,3. Go to your web site or the site you have permission to make a fake web login and right click then press "Source". Double click here to begin. Enter the redirection URL. The redirection URL is the site in which the user who enters their login details will be forwarded to after they fill out the form. Optional: For some web sites after you create the phisher some images will not load properly. This is due to the source directing the images to be loaded from your database instead of their database. For example you will probably find this in your source img src="/images/image.gif". To fix this you would have to direct the source to load from the site's database by editing the source to look a little like this img src="http://site.com/images/image.gif". To automatically do this double click here."

Why are DIY phishing kits turning into a commodity, and what are some of the strategies to deal with phishing sites?

- fake pages for each and every financial institution, plus the associated images, are a commodity. They look like the real ones, sound like the real ones, but anything submitted within gets forwarded to a third party, presumably using DIY tools like these

- phishing should be treated as spam, namely it should never reach the end user's mailbox. But as we've already seen in the past, certain financial institutions are trying to rebuild confidence in email communication with their customers, whereas they should build more awareness of how they would never initiate such communication, since it creates even more confusion for the customer who is still not aware of the basic phishing techniques

- HTTP Referer logs for static images loaded via email clients or web-based email could act as an early warning system and provide a list of URLs to be automatically fed into a to-be-shut-down tracking system, ones we've seen getting commercialized by vendors already

- Phishing has become such a widespread problem that the latest versions of IE and Firefox now have anti-phishing protection built in. Moreover, phishing sites are known to exploit browser vulnerabilities to hide the real .info and .biz extension of a site, so that a built-in anti-phishing toolbar picks up where the browser can no longer perform.
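The Referer-log idea in the list above is cheap to implement, because a copied login page (like the one the kit's intro describes, with img src pointing back at the real site) hot-links the bank's own images, and every victim who loads it leaves the phishing page's URL in the bank's access log. The following is an added example, not code from the original post. It assumes the server writes the common "combined" log format, that ALLOWED_HOSTS lists the bank's own hostnames, and the sample log lines are constructed for the demo.

```python
"""Early-warning scan of a bank's web server log for its static images being
loaded from pages it does not own.

Added example, not code from the original post. Assumptions: the server
writes the common "combined" log format, ALLOWED_HOSTS lists the bank's own
hostnames, and the sample lines below are constructed for the demo."""
import re
from collections import Counter
from urllib.parse import urlsplit

# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

ALLOWED_HOSTS = {"www.example-bank.test", "example-bank.test"}  # assumption
STATIC_EXT = (".gif", ".png", ".jpg", ".jpeg", ".css")


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_static(path):
    """True for the image/stylesheet paths a copied page would hot-link."""
    return path.split("?", 1)[0].lower().endswith(STATIC_EXT)


def foreign_referers(lines, allowed_hosts=ALLOWED_HOSTS):
    """Count static-asset requests per Referer URL whose host is not one of
    ours. Empty Referers ("-") and non-static paths are ignored. Each key is
    a page that embeds the bank's images: a candidate phishing page, or a
    webmail preview rendering a phishing mail, either way worth a look."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_static(rec["path"]):
            continue
        host = urlsplit(rec["referer"]).hostname
        if not host or host.lower() in allowed_hosts:
            continue
        hits[rec["referer"]] += 1
    return dict(hits)


# Constructed sample log; hosts use reserved example/test names.
SAMPLE_LOG = """\
198.51.100.7 - - [13/Aug/2007:10:02:11 +0000] "GET /images/logo.gif HTTP/1.1" 200 4821 "https://www.example-bank.test/login" "Mozilla/5.0"
203.0.113.9 - - [13/Aug/2007:10:05:43 +0000] "GET /images/logo.gif HTTP/1.1" 200 4821 "http://phish-page.example/secure/login.htm" "Mozilla/5.0"
203.0.113.9 - - [13/Aug/2007:10:05:44 +0000] "GET /images/header.png HTTP/1.1" 200 9120 "http://phish-page.example/secure/login.htm" "Mozilla/5.0"
192.0.2.44 - - [13/Aug/2007:10:09:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
192.0.2.45 - - [13/Aug/2007:10:11:30 +0000] "GET /login HTTP/1.1" 200 2210 "http://other-site.example/" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for url, n in foreign_referers(SAMPLE_LOG).items():
        print(f"{n:4d}  {url}")
```

On the sample, only the page that pulled two images is reported; the request with no Referer and the foreign link to the login page itself (not a static asset) are left out. In practice the output feeds a takedown queue, and a whitelist of legitimate partners and webmail providers keeps the noise down.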

As far as the recent increase of Rock Phish domains is concerned, DSLreports.com has been keeping track of, and shutting down, Rock Phish domains for a while. Once shut down, new domain names, usually recently dropped ones, appear online, such as userport.li and userport.ch for instance. Go through an article on "The History of Rock Phish" as well.