Phishers Are Casting Nets for Your Domain Names & DNS

Comment | Print | RSS

• Login to Rate

A phisher uses a routine correspondence from domain name registrars in an attempt to gain control over legitimately registered domain names. Phishers (criminals, in general) see a great benefit from using a domain name that is held by a registrant in good standing because of the uncertainty they cause when claims of misuse are registered. Any uncertainty on the part of interveners or registrars may delay efforts to suspend any illegal activities conducted in association with that domain name. A recent example against GoDaddy.com is described here.

A chronology of this phishing attack scenario follows:

1. The phisher hosts a fraudulent copy of the registrar’s login portal. The login form on the fraudulent page hosts a script that accepts the visitor’s username and password and delivers this to the phisher.

2. The phisher spams a copy of a routine correspondence that registrars send to customers. Registrars contact customers by email to notify them to renew or update contact information domains, or to inform them when changes have been made to a domain registration or the name server configuration for their domain. These correspondences are familiar to customers, and more importantly, they ask the customer to log into his account. They are perfect bait for a phish.

3. The registrars’ customer takes the bait, visits the fraudulent login page, and unwittingly discloses his registration account credentials to the phisher.

For example, the .com name servers refer DNS queries for my domain, securityskeptic.com, to NS25.DOMAINCONTROL.COM or NS26.DOMAINCONTROL.COM. These two name servers host the DNS data for my domain -- e.g., both will return the IP address 97.74.144.109 for my Website, www.securityskeptic.com. If a phisher were to compromise my registration account, he would change the name server information to point to a name server he’s owned, and .com’s name servers would be updated to reflect this change in configuration. The attacker can now control the responses for any DNS query about my domain because he controls the name server and the DNS data it publishes.

This is a very powerful attack platform. Here’s a short list of attacks that he can facilitate, for himself or others who “contract his services” (A fuller list is identified in the ICANN SSAC report on registrar phishing):

• Modify IP address records to point to spoofed Web or other servers under the attacker’s control. The attacker can then host whatever content he chooses at the phony site; for example, the attacker might choose to deface the Website and embarrass the registrant.

• Modify IP address records to point to spoofed login pages for intranet, wiki, or customer Web portals. Like other forms of phishing, the attacker seeks to dupe unsuspecting employees into disclosing usernames and passwords so he can access and steal sensitive information.

• Modify mail exchange (MX) resource records in the domain zone data he controls to point to addresses of mail servers under his control and send spam from mail servers he controls. Altering MX records will in many cases disrupt mail delivery to points of contact for the domain name registration and will keep the organization in the dark regarding the compromise.

• Set time to live values (TTLs) and alter DNS records of the domain zone data on the name servers he operates at those addresses to support fast flux or double flux attacks.

Given the advantages we’ve considered, it’s pretty obvious why phishers find registrar phishing “good for business.” It’s worth your while to be as vigilant in protecting your organization from such attacks. In my next blog, I’ll discuss measures to detect and respond to registration account compromise.