Phishers turn DNS against authorities
Botnets make phishing sites harder to stamp out
By Matthew Broersma | Techworld.com | Friday, 6 May, 2005
Phishing scammers are cleverly abusing automated "bots" by targeting DNS servers, security experts have warned. The new technique makes it significantly harder to shut down phishing sites.
In a conventional phishing scam, users are lured to a malicious website which replicates the appearance of a trusted site, such as a bank or e-commerce site, and convinces the user to input their account information. Such scams can operate only for a limited time, though, before they come to light and the malicious site is shut down, normally by the ISP that hosts the site.
But the scammers have started using botnets to get around the problem. A botnet consolidates a number of compromised computers so that they can be organised to work together. Using a botnet, a scammer can host the same malicious site at several different IP addresses and, when one is shut down, modify the DNS record for the domain to point to a different IP address. A DNS record is hosted on a DNS name server and is used to turn an address such as www.techworld.com into a numeric IP address for a specific server, such as 111.222.333.444.
In this case, the malicious site can still be shut down by working with the ISP that hosts the name server and removing or modifying the DNS records in question. The newest type of attack, however, reported this week, takes the use of botnets further by using them to host name servers with several different ISPs, say security experts.
"In the most recent report, the attacker was using a botnet to host not only the malicious websites, but also the DNS servers that provided domain resolution services for the targeted domain name," writes Lenny Zeltser, a handler with the Internet Storm Center (ISC). "This setup allowed the attacker to move to a new DNS server when one of the malicious servers got shut down." The ISC is operated by the SANS Institute.
Zeltser said the ISC received a report of such an attack that matched closely with a report that surfaced on the Daily Dave mailing list run by security company Immunity. In the scam reported on this mailing list, scammers used a botnet to host five different name servers on compromised computers served by different ISPs. These served five different IP addresses for the phishing site, with the addresses changing every ten to 15 minutes, according to "byte_jump", who contributed the report.
Such a scheme makes it difficult for companies to shut down a phishing site that targets their customers, according to ISC. "An organisation battling this threat typically has to deal with the registrar of the malicious domain, instead of attempting to shut down the individual DNS server," Zeltser writes. Many domain registrars don't have formal procedures for dealing with such requests, making it difficult to get the malicious domain shut down, ISC said.
ISPs may be able to make a dent in the problem by intercepting and redirecting malicious DNS traffic on their network, so that requests for a malicious site are cut off, ISC said. This can be particularly effective if put into play by a large ISP, although it only affects traffic on the ISP's own network, according to ISC.
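The two rotation patterns described above leave different traces in a resolver's DNS logs, and telling them apart shows whether the name server's ISP or the registrar is the party to contact. The following Python is an added example, not code from the article or the ISC; the observations are constructed, and the thresholds and the use of a /16 prefix as a stand-in for "different ISP" are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed observations: (minute, domain, record type, address). NS rows carry
# the name server's resolved address. All values are made-up private-range data.
OBSERVATIONS = (
    [(m, "bank.example", "A", "10.1.0.10") for m in (0, 15, 30, 45)]
    + [(m, "bank.example", "NS", "10.1.0.53") for m in (0, 45)]
    # Web host repointed repeatedly, name server stays with one ISP.
    + [(m, "login-a.example", "A", f"10.{20 + i}.3.7") for i, m in enumerate((0, 12, 25, 40))]
    + [(m, "login-a.example", "NS", "10.9.0.53") for m in (0, 40)]
    # Pattern from the Daily Dave report: hosts and name servers both move.
    + [(m, "login-b.example", "A", f"10.{30 + i}.8.2") for i, m in enumerate((0, 10, 25, 35, 50))]
    + [(m, "login-b.example", "NS", f"10.{40 + i}.1.53") for i, m in enumerate((0, 10, 25, 35, 50))]
)

def network(addr):
    """Assumption: the /16 prefix approximates 'served by a different ISP'."""
    return int(ip_address(addr)) >> 16

def rotation_profile(observations):
    """Per domain: distinct networks seen for A and NS, and count of A changes."""
    seen = defaultdict(lambda: {"A": set(), "NS": set(), "last": None, "changes": 0})
    for minute, domain, rtype, addr in sorted(observations):
        d = seen[domain]
        d[rtype].add(network(addr))
        if rtype == "A":
            if d["last"] is not None and d["last"] != addr:
                d["changes"] += 1
            d["last"] = addr
    return seen

def classify(observations, min_nets=3, min_changes=3):
    """Label each domain by which layer rotates (thresholds are assumptions)."""
    result = {}
    for domain, d in rotation_profile(observations).items():
        hosts = len(d["A"]) >= min_nets and d["changes"] >= min_changes
        servers = len(d["NS"]) >= min_nets
        if hosts and servers:
            result[domain] = "hosts-and-nameservers-rotate"  # registrar is the contact
        elif hosts:
            result[domain] = "hosts-rotate"  # name server's ISP can fix the record
        else:
            result[domain] = "stable"
    return result
```
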
In March, the Honeynet Project estimated that more than a million compromised computers are controlled by botnets. They are used for a variety of purposes such as distributing spam, sniffing network traffic for unencrypted passwords and other kinds of fraud, say industry observers.