[DNS poisoning isn't new, but it's certainly getting more serious -
Stu]
04 April 2005
Internet address system poisoned
DNS pharming attacks target .com registry
By Paul Roberts, IDG News Service
A new round of so-called "pharming" attacks is targeting the .com
Internet domain, redirecting some Internet users who are looking for
.com websites to Web pages controlled by the unknown attackers.
The SANS Institute's Internet Storm Center (ISC) issued a warning
Thursday about the new attacks, which corrupt some DNS (domain name
system) servers so that requests for .com sites sent to those servers
connect users instead to websites maintained by the attackers.
News of the new attacks comes amid increasing reports of pharming
scams, and statistics that show at least 1,300 Internet domains were
redirected to compromised Web servers in a similar attack earlier in
early March.
ISC advised network operators to block traffic to and from the IP
addresses involved in the attack to stop the redirection.
DNS is a global network of computers that translates requests for
reader-friendly Web domains, such as www.techworld.com, into the
numeric IP addresses that machines on the Internet use to
communicate.
The latest attack use a strategy called DNS cache poisoning, in which
malicious hackers use a DNS server they control to feed erroneous
information to other DNS servers. The attacks take advantage of a
vulnerable feature of DNS that allows any DNS server that receives a
request about the IP address of a Web domain to return information
about the address of other Web domains.
Internet users who rely on a poisoned DNS server to manage their Web
surfing requests might find that entering the URL of a well-known
website directs them to an unexpected or malicious Web page.
Pharming attacks are similar to phishing identity theft attacks, but
don't require a "lure", such as a Web link that victims must click on
to be taken to the attack website. The attacks have been increasing
in recent months, as Internet users become more savvy about
traditional phishing scams and online criminal groups look for new
ways to collect sensitive information or financial data from victims,
according to The Anti-Phishing Working Group.
In the latest attack, a rogue DNS server posed as the authoritative
DNS server for the entire .com Web domain. Other DNS servers that
were poisoned with this false information redirected all .com
requests to the rogue server, which responded to all .com requests
with one of two IP addresses. Web pages at those addressed displayed
a search engine and an advertisement for a website,
www.privacycash.com.
In a similar DNS cache poisoning attack in early March, requests from
more than 900 unique Internet addresses and more than 75,000 e-mail
messages were redirected, according to log data obtained from
compromised Web servers that were used in the attacks, ISC said.
---
* Origin: [adminz] tech, security, support (192:168/0.2)
generated by msg2page 0.06 on Jul 21, 2006 at 19:03:53
search: