Phishers Use Wildcard DNS to Build Convincing Bait URLs

Netcraft yesterday reported about people using DNS wildcard records for phising, which Wikipedia defines as

the fraudulent acquisition, through deception, of sensitive personal information such as passwords and credit card details, by masquerading as someone trustworthy with a real need for such information

According to Netcraft’s story, the phishers sent an e-mail that seemed to come from Barclays Bank, urging people to click links such as the following:

http://barclays.co.uk|snc9d8ynusktl2wpqxzn1anes89gi8z.dvdlinKs.at/pgcgc3p/

In this domain name, the label barclays.co.uk|snc9d8ynusktl2wpqxzn1anes89gi8z probably was not explicitly added to the master file; rather, a wildcard *.dvdlinks.at domain name was created, as can be seen:

meilof@athlon:~ $ poshost *.dvdlinks.at
Querying 10.0.0.9#53 for {*.dvdlinks.at.,A}

Received answer from 10.0.0.9#53
  Not authoritative
  -> *.dvdlinks.at. points to kickme.to.

Answers for kickme.to.:
  -> [A] 64.235.234.138
meilof@athlon:~ $ poshost barclays.co.uk\|snc9d8ynusktl2wpqxzn1anes89gi8z.dvdlinKs.at
Querying 10.0.0.9#53 for {barclays.co.uk|snc9d8ynusktl2wpqxzn1anes89gi8z.dvdlinKs.at.,A}

Received answer from 10.0.0.9#53
  Not authoritative
  -> barclays.co.uk|snc9d8ynusktl2wpqxzn1anes89gi8z.dvdlinKs.at. points to kickme.to.

Answers for kickme.to.:
  -> [A] 64.235.234.138

In this case, DNS wildcard records made it easy to generate random domain names that would all point to the same location. Note that the generated DNS label has length 46, which is just below the 53 characters a domain name label can have maximally.

(Using wildcard records is discussed in the What makes up a zone article.)

Though wildcards are a part of the official DNS specification in RFC’s 1034 and 1035, there is really no simple way to defend oneself against this: even if wildcards were not officially part of the protocol, DNS servers could still answer queries for random domain names; in fact, even now there is no way to distinguish between a normal answer and a wildcard answer.

On a related note, obfuscating URLs for phishing purposes is something that has been getting a lot of attention lately. As it happens, ZDNET is today reporting that Internationalized Domain Names could be used for obfuscation purposes as well; the Mozilla Foundation has released a fix in their Firefox browser to prevent this from happening:

The open-source project released Firefox 1.0.1 to fix a vulnerability in the Internationalized Domain Names (IDN), a standard for handling special character sets in domain names that could let an attacker spoof Web sites on non-Microsoft browsers. The standard allows companies to register domain names that appear to be the same in different languages.

That encoding scheme could enable an attacker to create a fake Web site for a phishing scam. A spoofed link would seem to be a legitimate URL in the address bar of affected browsers. But instead of taking the victim to the trusted site, the link would lead to a phony Web site with a domain rendered as the same address under the IDN process.

 
  dns/news/20050308-wildcard-phishing.txt · Last modified: 2005/03/09 19:52
 
Copyright © Meilof Veeningen, 2002-2005 - About Posadis.org