Phishers Trick with Redirection & DNS Modification

Criminals while increasing their phishing efforts are using tricks of redirection and Domain Name System (DNS) to try to be out of reach of investigators who effectively track down phishing sites.

In its recent report on January 31, 2008, the APWG (Anti-Phishing Working Group) said that in November 2007, it observed a spike in malicious programs that take users to phisher-controlled DNS servers.

DNS servers are crucial in locating the source of Websites. These move a domain name to map to an Internet Protocol (IP) address, making it possible to locate a Website and its access on a browser.

Representing the recent move in the chasing game between security experts and criminals online is the phishers' use of rockphish and fast-flux techniques. When successful, an unsuspecting computer user fails to realize that his DNS configuration has been altered until after accessing a phony site and finding his login particulars stolen, all despite the Web browser showing a correct URL in its address bar.

According to the APWG, besides seeing phishing-based keyloggers, it is also finding increasing redirection of visitors' traffic. More specifically, the redirectors have malware in large volumes that simply change the settings in DNS servers or host malicious files to divert either specific or all the DNS lookups to a fake DNS server.

This fake server responds with 'good' replies for majority of the domains, but when they intend to take a visitor to a rogue one, they just alter their responses from the name server. Attackers find this particularly effective as with this technique, they can redirect users' requests any time, while there is hardly any indication to the latter about its happening even when they type the URL manually.

The APWG informed that the total number of phishing sites dropped in November, but a record number of 178 brands were exploited in attacks. This compares to 120 brands being used in October and 174 brands in April 2007 accounting for the highest among previous totals.

APWG also said that a greater number of European and Middle Eastern financial service institutions were being used in phishing attacks.

Related article: Phishers Expand Their Sphere of Attacks

» SPAMfighter News - 2/8/2008