Login

Please login to Techworld.com

Forgot password?
Need your new account confirmation email resent?
Forgot email?

Not a member yet?

Register for a Techworld Account and enjoy unlimited access to our extensive white paper library and exclusive Enterprise multi-user software trials. Account members can also comment on articles and access best practices guides.

Security

Top How-Tos / Advice articles

Phishing attacks could be undetectable

Crooks exploiting open DNS servers, finds study.

By Matthew Broersma | Techworld | Published: 15:19, 12 February 2008

Companies and users are at serious risk from a loophole in the the Domain Name System (DNS) that could make financial scams such as phishing attacks practically undetectable, according to a study presented this week by researchers from Georgia Tech and Google.

The researchers, David Dagon, Chris Lee and Wenke Lee of Georgia Tech, and Niels Provos of Google, formally presented their study "Corrupted DNS Resolution Paths" on Monday at the Network and Distributed System Security Symposium (NDSS) in San Diego.

The attack they describe, called "DNS resolution path corruption", could be carried out by a simple piece of code implanted via a malicious website or email attachment, the study said. The code would change a file in the Windows registry settings, telling the PC to use the malicious server for all DNS information.

This would allow scammers to invisibly guide users to the malicious sites of their choice, getting around security tools such as anti-phishing software.

The exploit described in the new paper could lead to serious financial liabilities, according to DNS inventor Paul Mockapetris. In a published report this week he said it is only a matter of time before a crook makes off with up to $100m in a successful attack on a corporation.

The problem is "open recursive" DNS servers, which are used to tell computers how to find each other on the internet by translating domain names like google.com into numerical Internet Protocol addresses. Criminals are using these servers in combination with new attack techniques to develop a new generation of phishing attacks, according to the study.

The researchers estimate that there are 17 million open-recursive DNS servers on the Internet, the vast majority of which give accurate information. Unlike other DNS servers, open-recursive systems will answer all DNS lookup requests from any computer on the Internet, a feature that makes them particularly useful for hackers.

The researchers estimate that as many as 0.4 percent, or 68,000, open-recursive DNS servers are behaving maliciously, returning false answers to DNS queries. They also estimate that another two percent of them provide questionable results. Collectively, these servers are beginning to form a "second secret authority" for DNS that is undermining the trustworthiness of the Internet, the researchers warned.

Attacks on the DNS system are not new, and online criminals have been changing DNS settings in victim's computers for at least four years now, Dagon said. But only recently have the bad guys lined up the technology and expertise to reliably launch this particular type of attack in a more widespread way. While the first such attacks used computer viruses to make these changes, lately attackers have been relying on web-based malware.

Using Google's network of web crawlers, researchers uncovered more than 2,100 Web pages that used exploit code to change the Windows registry of visitors.

IDG News Service's Robert McMillan contributed to this report.

Send to a friend

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.