DNS POISONING, AKA PHARMING, MAKES THE HEADLINES IN NOVEMBER'S NEWS

December 2011
November saw DNS poisoning, aka pharming, making the headlines on more than one occasion. The threat was showcased in the high-profile hijacking of several Brazilian ISPs' DNS servers, an incident that resulted in millions of Brazilian users being infected with a banking Trojan. In addition, the FBI last month arrested six Estonia-based cybercriminals in connection with a fraudulent DNS-rerouting scheme that enabled the gang to rake in $14 million in fraudulent advertising revenue.

In view of November's DNS-related incidents, this month's highlight sheds light on the Domain Name System (DNS), including:

–– What the Domain Name System is
–– How it works
–– Potential threats, as exemplified in recent cases
–– Prevention and mitigation measures

WHAT IS THE DOMAIN NAME SYSTEM?
The Domain Name System (DNS) is the system that lets users and software locate an internet resource by name. It can be likened to a phone directory, which 'resolves' people's names to their respective phone numbers. In much the same way, DNS servers resolve domain names (such as website.com) to their correct IP addresses (for example, 12.123.3.1).

HOW DOES IT WORK?
The Domain Name System is a distributed, hierarchical system: a query issued from a user's computer is passed between name servers until the IP address of the requested resource is located. When a user enters a domain name such as website.com in a browser's address bar, the query goes through the following sequence of events:

1. The OS checks the local hosts file (on Windows, %SystemRoot%\System32\drivers\etc\hosts; on Unix-like systems, /etc/hosts). The hosts file maps host names to IP addresses, and on most operating systems it is consulted before any DNS query is sent, so an entry there is final.

2. If the host is not defined in the hosts file, the OS checks its local DNS cache. (On Windows, ipconfig /displaydns lists the cache and ipconfig /flushdns clears it.)

3. If the IP address is not in the local cache, the OS's stub resolver sends the query to the recursive DNS server it is configured to use, normally the ISP's DNS servers (or the user's organization's DNS servers).

4. The ISP's recursive server checks its own cache. If the record is not cached, it queries a root name server. The root server does not know the address; it refers the resolver to the name servers for the relevant top-level domain (TLD). For website.com, that referral points to the .com TLD servers, which are authoritative for the .com zone.

5. The .com TLD server refers the resolver, in turn, to the authoritative name servers delegated for website.com, for example ns1.website.com.

6. The authoritative name server, ns1.website.com, answers with the IP address of website.com. The recursive server caches that answer for the time-to-live (TTL) set on the record and returns it to the user's OS, which caches it as well.

7. The browser connects to the returned IP address and retrieves the site's content (the actual website).
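The seven steps above, as an added worked example in Python (illustrative code written for this page, not part of the RSA report). It models the hosts file, the OS cache, the ISP's recursive resolver with its own cache, and the root, TLD and authoritative servers as in-memory data; the zone names, server names and addresses (203.0.113.x, 198.51.100.x) are constructed, and a fake clock drives TTL expiry so the run is deterministic. The last step plants one bad record in the ISP cache, the situation described in the Brazilian ISP case below, and shows that every later lookup follows it although the authoritative data never changed.

```python
"""Toy model of the seven-step resolution chain above.  Added illustrative
example, not code from the RSA report.  Zone data, server names and addresses
are constructed; a real resolver sends UDP/TCP queries to real servers."""
import time

# Constructed delegation data.  Keys are zone names with a trailing dot.
ROOT_HINTS = {"com.": "a.gtld.example."}                                        # root -> TLD server
TLD_DELEGATIONS = {"a.gtld.example.": {"website.com.": "ns1.website.com."}}     # TLD -> zone's NS
AUTHORITATIVE = {"ns1.website.com.": {"website.com.": ("203.0.113.10", 3600)}}  # name -> (A, TTL)
LOCAL_CACHE_TTL = 300   # how long this model's OS keeps an answer (constructed)


class Cache:
    """TTL-bounded cache, used by the OS (step 2) and by the ISP resolver (step 4)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.entries = {}                 # name -> (ip, expires_at)

    def get(self, name):
        hit = self.entries.get(name)
        if hit and hit[1] > self.clock():
            return hit[0]
        self.entries.pop(name, None)      # absent or expired
        return None

    def put(self, name, ip, ttl):
        self.entries[name] = (ip, self.clock() + ttl)


class RecursiveResolver:
    """The ISP's resolver: its cache first, then root, TLD and authoritative (steps 4-6)."""

    def __init__(self, clock=time.time):
        self.cache = Cache(clock)
        self.trace = []                   # which server answered what

    def resolve(self, name):
        cached = self.cache.get(name)
        if cached:
            self.trace.append(f"cache: {name} -> {cached}")
            return cached
        tld = name.rsplit(".", 2)[-2] + "."               # "website.com." -> "com."
        tld_server = ROOT_HINTS[tld]                       # the root only refers, never answers
        self.trace.append(f"root: {tld} served by {tld_server}")
        auth_server = TLD_DELEGATIONS[tld_server][name]    # the TLD refers to the zone's NS
        self.trace.append(f"tld: {name} delegated to {auth_server}")
        ip, ttl = AUTHORITATIVE[auth_server][name]         # the authoritative answer
        self.trace.append(f"auth: {name} A {ip} ttl={ttl}")
        self.cache.put(name, ip, ttl)                      # kept for the record's TTL
        return ip


def os_resolve(name, hosts, local_cache, isp):
    """Steps 1-3 as seen from the user's machine.  `hosts` models the hosts file
    as a name -> IP map.  Returns (ip, which layer answered)."""
    bare = name.lower().rstrip(".")
    if bare in hosts:
        return hosts[bare], "hosts file"                  # no DNS query is sent at all
    fqdn = bare + "."
    ip = local_cache.get(fqdn)
    if ip:
        return ip, "local cache"
    ip = isp.resolve(fqdn)
    local_cache.put(fqdn, ip, LOCAL_CACHE_TTL)
    return ip, "isp resolver"


def walk_through():
    """Run the chain, then plant one bad record in the ISP cache and watch every
    later lookup follow it, although the authoritative data never changed."""
    now = [1_700_000_000.0]                                  # fake clock: deterministic TTL expiry

    def clock():
        return now[0]

    isp, local = RecursiveResolver(clock), Cache(clock)
    hosts = {"localhost": "127.0.0.1"}                       # constructed hosts file content

    first = os_resolve("website.com", hosts, local, isp)     # full walk: root -> TLD -> auth
    second = os_resolve("website.com", hosts, local, isp)    # answered from the OS cache
    now[0] += LOCAL_CACHE_TTL + 1                            # OS entry expires; ISP's (3600 s) does not
    third = os_resolve("website.com", hosts, local, isp)     # answered from the ISP cache

    # Cache poisoning: an attacker-controlled record with a long TTL replaces the good one.
    isp.cache.put("website.com.", "198.51.100.66", 86400)
    now[0] += LOCAL_CACHE_TTL + 1
    fourth = os_resolve("website.com", hosts, local, isp)    # every subscriber now gets the bad IP
    return first, second, third, fourth, isp.trace


if __name__ == "__main__":
    *answers, trace = walk_through()
    print("\n".join(trace))
    print(answers)
```

The trace makes the division of labour visible: the root and TLD servers only ever refer, the authoritative server answers once, and from then on the ISP cache answers for everyone until the TTL runs out, which is exactly why a single planted entry there reaches millions of subscribers.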

POTENTIAL THREATS AS EXEMPLIFIED IN RECENT CASES
Potential threats to the integrity of the DNS query chain include classic pharming, DNS
Cache Poisoning, Rogue DNS servers, and local pharming. These threats are explained
below, along with relevant cases that made the headlines in November.

Classic Pharming
Classic pharming consists of the deliberate manipulation of DNS records with the
objective of providing an incorrect IP address for a given domain query. For example,
instead of resolving https://ABC-bank.com to 1.23.123.1, a poisoned DNS record would
return an incorrect IP address such as 3.21.31.2. The false IP address returned to an
online user could harbor a wide range of fraudulent content, including anything from a
phishing attack that mimics the genuine website to a Trojan infection point containing a
drive-by-download.

DNS Cache Poisoning
Earlier last month, cybercriminals reportedly hacked the caches of DNS servers belonging to several major ISPs in Brazil, changing the ISPs' cached records for high-traffic websites such as Google Brazil, YouTube, Gmail, Hotmail and several large Brazilian Internet portals like Uol, Terra and Globo.

A DNS server's cache stores the responses received to previous DNS queries, for as long as each record's time-to-live (TTL) allows. Caching resolves repeated queries faster and improves users' browsing experience by avoiding a fresh walk through the root, TLD and authoritative servers for every request. It also means that a single planted or altered record is served to every subscriber of that resolver until it expires or is flushed.

When trying to access the high-profile websites mentioned above from one of the affected ISPs, users were redirected to a website that pushed a banker Trojan on them (possibly one of the numerous variants of the Brazilian Banker Trojan), which masqueraded as a small, innocuous Java applet.

Given that Brazil has over 70 million internet users, and that each ISP in the country serves at least 3 million subscribers, targeted financial institutions were likely heavily impacted by the DNS cache poisoning attack. The confidentiality of millions of online banking accounts was jeopardized, as banker Trojans readily collect usernames and passwords, whether by keylogging or by logging all HTTP and HTTPS traffic from the infected browser.

The breach of the DNS servers' caches may have resulted from software vulnerabilities or from the criminal actions of a server administrator who abused his or her access to manipulate the servers' cached responses. The latter scenario made headlines in early November, when an employee of a Brazilian ISP was arrested by the Brazilian Federal Police for manipulating the ISP's DNS cache results continuously over a 10-month period. The DNS cache poisoning in this incident redirected the ISP's subscribers to phishing attacks.

Rogue DNS Servers

Also in early November, the FBI announced that a fraud scheme involving the manipulation of users' DNS settings had earned a cybercrime gang $14 million. The gang was paid commissions on clicks made by users on ads for which the gang acted as publisher. To generate those clicks, the gang rerouted search-engine results to websites that featured its revenue-generating ads, and replaced legitimate online ads on other sites with ads for which it could once again earn commission.

To accomplish this, the gang ran an infection campaign that compromised machines with a piece of malware called DNSChanger. The malware altered the DNS settings of the infected machine so that its DNS queries went to rogue DNS servers under the gang's control. Instead of querying the ISP's legitimate DNS servers, every lookup from an infected machine was answered by the gang's rogue server, which served bogus search-engine results and fraudulently replaced ads on legitimate websites.

Rerouting the hyperlinks in search results let the gang send users to a page other than the one the hyperlink indicated, one that carried advertisements purportedly related to the product they sought. Subsequent clicks by users on those ads generated commissions for the gang. The FBI refers to this scheme as click hijacking (also written "click-jacking"); it should not be confused with the browser UI-redressing attack that is also called clickjacking.

Another revenue-generating scheme deployed by the gang involved advertising
replacement fraud. As stated by the FBI, “Using the DNS Changer malware and rogue
DNS servers, the defendants also replaced legitimate advertisements on websites with
substituted advertisements that triggered payments…” to the gang.
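A check for the rogue-resolver situation DNSChanger created, as an added example (illustrative code written for this page, not RSA or FBI code): extract the resolvers a machine is configured to use from ipconfig /all output on Windows or /etc/resolv.conf on Unix-like systems, and test them against a list of rogue netblocks. The six netblocks in the code are the ones the FBI published for the DNSChanger servers in 2011; confirm them against the FBI's notice before relying on them. The ipconfig and resolv.conf text is constructed for the example.

```python
"""Check whether a machine's configured DNS servers sit inside known rogue
netblocks, the way DNSChanger victims were identified.  Added example, not
RSA or FBI code.  The ipconfig and resolv.conf text below is constructed."""
import ipaddress
import re

# The six netblocks the FBI published for the DNSChanger rogue resolvers in
# 2011; confirm against the FBI notice before relying on them operationally.
ROGUE_NETBLOCKS = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]

_IP_TOKEN = re.compile(r"[0-9A-Fa-f:.]+")


def _addresses_in(text):
    """Every token that parses as an IPv4/IPv6 address (zone ids like %12 fall off)."""
    found = []
    for token in _IP_TOKEN.findall(text):
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:
            pass                       # dots from the "Name . . . :" layout, etc.
    return found


def dns_servers_from_ipconfig(output):
    """Resolver addresses from `ipconfig /all` text (Windows): the value after
    "DNS Servers" plus any indented continuation lines holding only an address."""
    servers, collecting = [], False
    for line in output.splitlines():
        if "DNS Servers" in line:
            collecting = True
            servers += _addresses_in(line.partition(":")[2])
        elif collecting:
            try:
                servers.append(ipaddress.ip_address(line.strip().split("%", 1)[0]))
            except ValueError:
                collecting = False     # reached the next "Name . . . : value" field
    return servers


def dns_servers_from_resolv_conf(text):
    """Resolver addresses from /etc/resolv.conf (Unix-like systems)."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers += _addresses_in(fields[1])
    return servers


def rogue_servers(servers, netblocks=ROGUE_NETBLOCKS):
    """The subset of configured resolvers that fall inside a rogue netblock."""
    return [ip for ip in servers if any(ip in net for net in netblocks)]


# Constructed `ipconfig /all` excerpt from a machine whose resolvers were changed.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.33
                                       85.255.113.12
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed resolv.conf from a clean host.
SAMPLE_RESOLV_CONF = "search corp.example\nnameserver 192.168.1.1\nnameserver 2001:db8::53\n"

if __name__ == "__main__":
    configured = dns_servers_from_ipconfig(SAMPLE_IPCONFIG)
    print("configured:", [str(ip) for ip in configured])
    print("rogue:", [str(ip) for ip in rogue_servers(configured)])
```

In a real sweep the text comes from running the command on the host (or from an inventory of DHCP leases and router configurations, since DNSChanger also changed home routers' resolver settings in later variants); the parsing and netblock test are the same.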

Local Pharming

While it does not involve DNS servers at all, local pharming is another form of IP-resolution fraud. On most operating systems the hosts file takes priority over DNS resolution: if a given host name (web domain) appears in the hosts file, no DNS query is performed to resolve its IP address, and the IP specified in the hosts file is used instead. Because the lookup never leaves the machine, neither the ISP's resolver nor DNSSEC validation gets a chance to catch the substitution.

Consequently, by changing the IP address associated with an entity's host name (domain) in that file, local pharming Trojans redirect victims to fraudulent web pages, which may in turn serve malicious content ranging from phishing attacks to Trojan infection points and click-jacking schemes. Writing to the hosts file requires administrative rights on Windows, so these Trojans depend on the victim running with such rights. Local pharming is especially popular among variants of the Brazilian Banker Trojan.
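An audit of a hosts file for local-pharming entries, as an added example (illustrative code written for this page, not RSA's Anti-Trojan service). It assumes the defender knows which domains matter and where they legitimately resolve (the MONITORED table, constructed here with documentation addresses); the sample hosts file content is likewise constructed to look like a Windows hosts file after a banker Trojan appended entries.

```python
"""Audit a hosts file for local-pharming entries: monitored names pinned to an
address outside the ranges they legitimately resolve to.  Added example, not
RSA code.  The hosts content and the allowed ranges are constructed."""
import ipaddress

# Names worth watching and where they legitimately live (constructed; a real
# deployment would take these from the organisation's authoritative zone data).
MONITORED = {
    "abc-bank.com": ["203.0.113.0/24"],
    "www.abc-bank.com": ["203.0.113.0/24"],
    "online.abc-bank.com": ["203.0.113.0/24", "2001:db8:bac0::/48"],
}


def parse_hosts(text):
    """(line number, address, [names]) for each active entry.  Tolerates CRLF
    line endings, tabs, trailing comments and IPv6 zone ids, as the OS does."""
    entries = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            address = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue                      # malformed line; the OS skips it too
        names = [f.lower().rstrip(".") for f in fields[1:]]
        entries.append((number, address, names))
    return entries


def audit_hosts(text, monitored=MONITORED):
    """One finding per monitored name that appears in the hosts file.  Any such
    entry is suspicious, since no OS ships one; `redirected` is True when the
    pinned address is outside the ranges the name legitimately resolves to."""
    allowed = {name: [ipaddress.ip_network(n) for n in nets] for name, nets in monitored.items()}
    findings = []
    for number, address, names in parse_hosts(text):
        for name in names:
            if name not in allowed:
                continue
            findings.append({
                "line": number,
                "name": name,
                "ip": str(address),
                "redirected": not any(address in net for net in allowed[name]),
            })
    return findings


# Constructed Windows-style hosts file: stock entries, then lines a local
# pharming Trojan would append (note the tab, mixed case, trailing dot and comment).
SAMPLE_HOSTS = (
    "# Constructed sample hosts file for the audit example.\r\n"
    "# Lines starting with '#' are comments.\r\n"
    "\r\n"
    "127.0.0.1       localhost\r\n"
    "::1             localhost\r\n"
    "198.51.100.23\tABC-Bank.com www.abc-bank.com.   # mirror\r\n"
    "203.0.113.9     online.abc-bank.com\r\n"
)

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

Run against the real file (%SystemRoot%\System32\drivers\etc\hosts or /etc/hosts), a hit with redirected set to True is a local pharming entry; a hit with it set to False still deserves a look, because a legitimate reason for a bank's name to be pinned in an end user's hosts file is rare.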

PREVENTION AND MITIGATION MEASURES
How can pharming be prevented? The Domain Name System Security Extensions (DNSSEC), a set of specifications issued as part of a larger industry-wide effort, add digital signatures to DNS data so that responses can be authenticated, improving the reliability of DNS responses and thwarting DNS-poisoning efforts. The zone owner signs its records with a private key and publishes the matching public key in the zone; a chain of signatures from the root down to the domain lets a validating resolver verify that the records it receives are exactly those served by the authoritative DNS server for that domain, and that nothing was altered or omitted in transit. A forged or poisoned record fails validation and is discarded. Two caveats matter in practice: DNSSEC authenticates data but does not encrypt it, and it protects only users whose resolver actually validates, so a machine pointed at a rogue resolver, or one whose hosts file has been tampered with, gains nothing from a signed zone.

How can a pharming attack be mitigated once launched? An outsourced solution such as the RSA FraudAction Anti-Pharming Service is designed to handle DNS poisoning attacks from detection through to the threat's complete shutdown. To detect pharming against a particular entity's website, RSA deploys dedicated servers that actively monitor the Internet in search of poisoned DNS servers.

As illustrated below (and mentioned above), pharming, including local pharming, may be launched from four different points in the DNS query chain:

–– The user's hosts file (local pharming)

–– The ISP's (recursive) DNS server

–– The root name servers

–– The authoritative name server

(The TLD name servers, which sit between the root and the authoritative servers in the chain, are an equivalent point: a manipulated delegation there redirects an entire domain.) Large-scale attacks are launched from the latter points rather than from individual PCs, because a single altered record on a shared server is served to every client that depends on it, so that is where mitigation solutions focus their monitoring and detection efforts.

The FraudAction Anti-Pharming Service focuses on points 2, 3 and 4 (excluding the user's own PC), where the majority of large-scale attacks take place (see figure below).

[Figure: RSA FraudAction Anti-Pharming, real-time scanning. Points 1 to 4 represent the DNS hierarchy: 1 = user PC hosts file (DNS bypass); 2 = ISP DNS server; 3 = root DNS server; 4 = bank's authoritative DNS server; the chain ends at the bank's web server.]

(As a side note, local pharming attacks, which are the product of Local Pharming Trojans,
are detected, monitored, blocked and shut down using a different methodology. The
RSA FraudAction Anti-Trojan Service detects and handles Local Pharming Trojans on a
regular basis.)

To detect pharming on a given set of domain names (an organization's website domains, for example), a system is set up to continuously query the points of the DNS query chain listed above. The system verifies that the name-server (NS) and IP-address (A) responses to DNS queries for the organization's domains match the data published by the authoritative servers. In addition, the system scans selected ISP DNS servers to ensure that their cached data has not been poisoned at any point in time.
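The comparison at the heart of that check, as an added example (illustrative code written for this page, not the FraudAction service). It assumes the monitor already holds the authoritative records for the organization's domains and has collected one round of answers from several recursive resolvers; both data sets below are constructed, including the resolver names and the 198.51.100.66 address. Besides flagging values the authoritative servers never published, it flags a cached TTL larger than the authoritative one, since a legitimately cached record can only count down from the TTL the zone set.

```python
"""Compare the answers a set of recursive resolvers give for an organisation's
domains against the authoritative data, the check an anti-pharming monitor
runs continuously.  Added example, not the FraudAction service.  Every record,
resolver name and TTL below is constructed."""

# Authoritative data for the monitored zone (constructed): rrtype -> (values, TTL).
AUTHORITATIVE = {
    "abc-bank.com": {
        "A":  ({"203.0.113.10", "203.0.113.11"}, 300),
        "NS": ({"ns1.abc-bank.com", "ns2.abc-bank.com"}, 86400),
    },
}

# One scan's worth of observations (constructed): what each resolver returned
# and the TTL it reported.  Resolver B looks like the Brazilian ISP case above.
OBSERVED = [
    # resolver,        name,            type, answers,                                    ttl
    ("isp-a-resolver", "abc-bank.com",  "A",  {"203.0.113.11"},                            240),
    ("isp-a-resolver", "abc-bank.com",  "NS", {"ns1.abc-bank.com", "ns2.abc-bank.com"},  80000),
    ("isp-b-resolver", "abc-bank.com",  "A",  {"198.51.100.66"},                         86000),
    ("isp-b-resolver", "abc-bank.com",  "NS", {"ns1.abc-bank.com", "ns2.abc-bank.com"},   4000),
    ("isp-c-resolver", "ABC-Bank.com.", "NS", {"ns.evil.example"},                        3600),
]


def _norm(value):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return value.lower().rstrip(".")


def check_observations(observed, authoritative=AUTHORITATIVE):
    """One alert per (resolver, name, rrtype) whose answer cannot have come from
    the authoritative servers: a value outside the authoritative set, or a TTL
    larger than the authoritative TTL.  A subset of the authoritative values with
    a smaller TTL is normal (round robin, ageing cache) and raises nothing."""
    alerts = []
    for resolver, name, rrtype, answers, ttl in observed:
        expected = authoritative.get(_norm(name), {}).get(rrtype)
        if expected is None:
            continue                                    # nothing to compare against
        expected_values, expected_ttl = expected
        reasons = []
        extra = {_norm(v) for v in answers} - {_norm(v) for v in expected_values}
        if extra:
            reasons.append(f"unexpected {rrtype} values {sorted(extra)}")
        if ttl > expected_ttl:
            reasons.append(f"ttl {ttl} exceeds authoritative ttl {expected_ttl}")
        if reasons:
            alerts.append({"resolver": resolver, "name": _norm(name),
                           "type": rrtype, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in check_observations(OBSERVED):
        print(alert)
```

The two alerts this produces are the two shapes of poisoning discussed in this report: a planted A record pointing subscribers at an attacker's server (resolver B, where the oversized TTL is a second, independent tell), and a swapped NS delegation that hands the whole domain to a rogue name server (resolver C).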

If an attack is detected and confirmed, the spoofed website is taken down, and the owner of
the poisoned DNS server is contacted to enable the immediate removal of the manipulated
DNS information. The key to fighting DNS poisoning is limiting the window of opportunity
that a pharming attack has to serve malicious content (be it phishing attacks, Trojan attacks,
or click-jacking) to a potential victim. Real-time detection of a pharming attack that is already
in progress, combined with the means and capabilities to immediately remediate, can
significantly curtail the debilitating impact such an attack may have.

Phishing Attacks per Month
[Chart: unique phishing attacks per month, Nov 10 through Nov 11. The series peaks at 38,970 and stands at 28,365 in Nov 11. Source: RSA Anti-Fraud Command Center]

In November, phishing volume increased 18 percent, with 28,365 unique attacks detected by RSA. Compared to the same time last year (November 2010 vs. November 2011), phishing volume has increased 69 percent.

Number of Brands Attacked
[Chart: number of brands attacked per month, Nov 10 through Nov 11, ranging from 200 to 376 and standing at 313 in Nov 11. Source: RSA Anti-Fraud Command Center]

Last month, 313 brands were targeted within phishing attacks, marking a five percent increase. Fifty-five percent of the brands targeted last month endured fewer than five attacks each, slightly higher than the 51 percent recorded in October. It appears that an increasing number of brands are enduring fewer than five attacks per month as phishers look to expand their list of target brands.

US Bank Types Attacked
Share of phishing attacks against U.S. banks, by sector (Source: RSA Anti-Fraud Command Center):

Month     Credit unions   Regional banks   Nationwide banks
Nov 10         10%             19%              71%
Dec 10          8%             18%              74%
Jan 11         11%             15%              74%
Feb 11          9%             15%              76%
Mar 11         11%             18%              71%
Apr 11         15%             22%              63%
May 11         12%             12%              76%
Jun 11         11%             20%              69%
Jul 11         10%             23%              67%
Aug 11         19%             20%              61%
Sept 11         6%             25%              69%
Oct 11         14%             12%              74%
Nov 11          9%             16%              75%

The portion of brands targeted in the U.S. credit union sector decreased five percent, while brands targeted with phishing in the regional U.S. banking sector saw a four percent increase. In addition, the portion of phishing attacks against nationwide U.S. banks increased two percent.

Top Countries by Attack Volume
[Chart: share of phishing attacks by targeted country, November 2011: United Kingdom 51%, U.S. 23%, South Africa 8%, Canada 6%, Brazil 3%, India 2%, Australia 1%, Colombia 1%, Netherlands 1%, 37 other countries 3%. Source: RSA Anti-Fraud Command Center]

In September 2011, the UK overtook the U.S.'s ostensibly perpetual position as the country that endured the highest volume of phishing attacks each month. In November, the UK remained the country that suffered the highest volume of phishing attacks, with 51 percent of attacks launched against entities in the UK.

The U.S. endured the second highest volume, 23 percent, less than half of the attacks experienced by the UK, followed by South Africa (8 percent) and Canada (6 percent).

Top Countries by Attacked Brands
[Chart: share of attacked brands by country, November 2011: U.S. 32%, United Kingdom 11%, Brazil 7%, Australia 4%, Canada 4%, India 4%, France 3%, Spain 3%, China 2%, Colombia 2%, Germany 2%, Italy 2%, South Africa 2%, 33 other countries 21%. Source: RSA Anti-Fraud Command Center]

Through November, a total of 20 countries endured one percent or more of the world's phishing attacks. Together, the U.S. and UK accounted for 43 percent of the world's targeted brands, while the brands of eleven additional countries accounted for a total of 35 percent of phishing attacks in November.

Top Hosting Countries
[Chart: share of phishing attacks by hosting country, November 2011: U.S. 61%, United Kingdom 5%, Germany 4%, Russia 4%, Australia 3%, Brazil 2%, Canada 2%, France 2%, Netherlands 2%, Poland 2%, 65 other countries 14%. Source: RSA Anti-Fraud Command Center]

In November, the U.S. hosted 61 percent of the world's phishing attacks, a seven percent increase from October. Nine of the top ten hosting countries in November retained their status from October, with Poland replacing Ukraine on that chart.
CONTACT US
To learn more about how RSA
products, services, and solutions help
solve your business and IT challenges
contact your local representative or
authorized reseller – or visit us at
www.RSA.com

©2011 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. DEC RPT 1211