Thursday, May 12, 2005

Google, DNS Cache Poisoning, and Phishers

(Picture credit Quantrimang)
Excel-web sharing of spreadsheetsInformationWeek reports that Google was knocked offline on Saturday. The cause: DNS Cache Poisoning. In a nutshell, bad guys can take advantage of various weaknesses in the DNS protocol (e.g., a combination of guessing sequence numbers and spoofing IP addresses) to pollute the caches of legitimate name servers. A good explanation of the history of DNS cache poisoning was published a while back on the SecurityFocus site.

In addition, TechWeb reports that Phishers are also starting to use DNS weaknesses to their advantage. Phishers are the persons or organizations running bogus websites that mimic, say, Citibank... and try to capture authentication and identity data from legitimate customers. Having captured that information, the Phishers attempt to use it for financial gain.

Aside from simply hosting bogus DNS servers on co-opted machines, they can also attempt nasty tricks like polluting hosts files on client machines. The effect? You think you're logging into Citibank, but you're really authenticating to a zombie Dell PC in Skokie, Illinois.

Here's hoping that a robust generation of DNS software and browsers, sufficiently innoculated against these sorts of attacks, comes sooner rather than later.

The Dailydave mailing list laid out the process.

"The hostname that is hosting the phishing site is served up by five different name servers. Those five name servers are on home computers residing on networks such as Comcast, Charter, etc.

"The name servers are using some sort of round-robin DNS to serve up five different IP addresses for the phishing site, and the five IP addresses used are changing every ten to fifteen minutes.

"All of this seems to be a distributed phishing scam controlled by some sort of bot network. This type of phishing site organization is virtually impossible to get shut down, other than having the registrar of the domain deactivate the domain. Anyone that has ever worked with a registrar on something like this knows that it's like speaking to a wall."

"These DNS servers can change the IP address of the fake site over and over again," said Hubbard. "Say the fake site is hosted in China, but is quickly shut down. The phisher just has to change the bogus DNS server and anyone clicking on a phishing link would get sent to another machine, maybe now in the U.S., that's hosting the phony site."

p.s., Did you know Google offers a H4x0r search engine?

p.p.s., On an unrelated topic, Google just bought the mobile social networking service Dodgeball. Combined with Google maps, the possibilities are amazing.

No comments: