DNS POISONING, AKA PHARMING, MAKES THE HEADLINES IN NOVEMBER'S NEWS
FRAUD REPORT
December 2011

November saw DNS Poisoning, aka Pharming, making the headlines on more than one occasion. To name a few, the online threat was showcased in the high-profile hijacking of several Brazilian ISPs' DNS servers, an incident that resulted in millions of Brazilian users being infected with a banking Trojan. In addition, the FBI arrested half a dozen Estonian-based cybercriminals last month in connection with a fraudulent DNS-rerouting scheme that enabled the gang to rake in $14 million in fraudulent advertising revenue.

In view of November's DNS-related incidents, this month's highlight sheds light on the Domain Name System ("DNS"), including:
–– What the DNS system is
–– How it works
–– Potential threats as exemplified in recent cases
–– Prevention and mitigation measures

WHAT IS THE DOMAIN NAME SYSTEM?

The Domain Name System ("DNS") is a system designed to facilitate locating an internet resource. It can be likened to a phone directory, which "resolves" people's names to their respective phone numbers. In much the same way, DNS servers resolve web domains (such as http://website.com) to their correct IP addresses (for example, 12.123.3.1).

HOW DOES IT WORK?

The Domain Name System is a distributed, hierarchical system that issues queries from a user's computer to other domain name servers until the IP address of the requested resource is located. When an online user enters a domain name in a browser's address bar, for example, http://website.com, the query undergoes the following flow of events:

1. The OS queries a local file called Hosts, also known as the Hosts file. (In Windows systems, the file is located here: [LocalDisk]/Windows/system32/drivers/etc.) The Hosts file maps domains, aka "hosts," to their IP addresses. (This is relevant to some operating systems, in which a query is first issued to the local Hosts file before it is issued to external resources.)
2. If the IP address of the host is not defined in the Hosts file, the OS queries the user's local DNS cache. (You can view your local DNS cache by running the command ipconfig /displaydns.)
3. If the appropriate IP address is not located in the user's local DNS cache, the OS issues a query to the ISP's DNS servers (or the user's organization's DNS servers).
4. The ISP checks the cache of its own DNS servers, and if the resource for the host is not cached, it then issues a query to the root name servers to find the DNS server responsible for the relevant top level domain (TLD). For example, a query for the domain http://website.com would be forwarded to the .com name server (the TLD server, which is authoritative for .com domains).
5. The TLD server locates the authoritative name server for http://website.com, which would normally be configured as ns1.website.com.
6. The authoritative name server, ns1.website.com, locates the IP address for http://website.com, and resolves the query.
7. The OS queries the IP address of http://website.com, and retrieves its content (the actual website).

POTENTIAL THREATS AS EXEMPLIFIED IN RECENT CASES

Potential threats to the integrity of the DNS query chain include classic pharming, DNS cache poisoning, rogue DNS servers, and local pharming. These threats are explained below, along with relevant cases that made the headlines in November.

Classic Pharming

Classic pharming consists of the deliberate manipulation of DNS records with the objective of providing an incorrect IP address for a given domain query. For example, instead of resolving https://ABC-bank.com to 1.23.123.1, a poisoned DNS record would return an incorrect IP address such as 3.21.31.2. The false IP address returned to an online user could harbor a wide range of fraudulent content, from a phishing attack that mimics the genuine website to a Trojan infection point containing a drive-by download.

DNS Cache Poisoning

Earlier last month, cybercriminals reportedly hacked the cache of DNS servers belonging to several major ISPs in Brazil, changing the ISPs' DNS cache records for high-traffic websites such as Google Brazil, YouTube, Gmail, Hotmail and several large Brazilian Internet portals like Uol, Terra or Globo.

A DNS server's cache functions as a storage area for responses received in previous DNS queries. DNS caches are employed to resolve DNS queries faster, improving users' browsing experience by saving the time it takes to route a query through all the relevant DNS servers until the appropriate IP address is returned.

When trying to access the high-profile websites mentioned above from one of the affected ISPs, users were redirected to a website that forced them to download a Banker Trojan (possibly one of the numerous variants of the Brazilian Banker Trojan), which masqueraded as a small, innocuous Java applet (a small Java application). Given that Brazil has over 70 million internet users, and that each ISP in the country serves at least 3 million subscribers, targeted financial institutions were likely heavily impacted by the DNS cache poisoning attack. The confidentiality of millions of online banking accounts was jeopardized, as Banker Trojans easily collect usernames and passwords (either via keylogging or by logging all HTTP and HTTPS communications).

The breach of the DNS servers' cache may have resulted from inherent software vulnerabilities or from the criminal actions of a server administrator, who may have exploited his/her access to these servers to manipulate the servers' cached responses. Such was the case that made headlines in early November, when an employee of a Brazilian ISP was arrested by the Brazilian Federal Police for continuously manipulating the ISP's DNS cache results over a 10-month period. The DNS cache poisoning in this incident resulted in the redirection of the ISP's subscribers to phishing attacks.

Rogue DNS Servers

Also in early November, the FBI announced that a fraud scheme involving the manipulation of users' DNS settings resulted in a cybercrime gang raking in $14 million in revenue, which the gang generated by earning commissions on clicks made by users on ads for which they acted as publishers. To get users to click on ads for which the cybercriminals would be paid commission, the gang rerouted search engine results to websites that featured revenue-generating ads (for which they acted as publishers). In addition, the crime ring replaced legitimate online ads with different ads for which they could once again earn commission.

To accomplish their fraudulent feats, the gang manipulated users' DNS settings by launching an infection campaign that compromised machines with a piece of malware called DNSChanger. The malware changed users' local DNS settings, rerouting their machines' DNS queries to rogue DNS servers under the gang's control. This means that instead of querying their ISP's legitimate DNS servers, victims who downloaded DNSChanger constantly queried the gang's rogue DNS server, which served bogus search engine results and fraudulently replaced ads on legitimate websites.

Rerouting hyperlinks that came up in search engine results enabled the gang to generate revenue by leading users to a different webpage than the one indicated by the hyperlink, one that contained advertisements purportedly related to the product they sought. Subsequent clicks by users on those ads generated commissions for the gang. This scheme is known as Click Hijacking or "click-jacking."

Another revenue-generating scheme deployed by the gang involved advertising replacement fraud. As stated by the FBI, "Using the DNS Changer malware and rogue DNS servers, the defendants also replaced legitimate advertisements on websites with substituted advertisements that triggered payments…" to the gang.

Local Pharming

While not directly involving DNS servers, local pharming comprises another form of IP-resolution fraud. In some operating systems, hosts files are given priority over resolution by DNS servers. In such systems, if a given host (web domain) is listed in the hosts file, no DNS query is performed to resolve its IP address; the IP specified in the hosts file is used instead. Consequently, by changing the IP address associated with an entity's host name (domain), Local Pharming Trojans redirect victims to various fraudulent webpages, which may in turn serve malicious content ranging from phishing attacks to Trojan infection points and click-jacking schemes. Local pharming is especially popular among variants of the Brazilian Banker Trojan.

PREVENTION AND MITIGATION MEASURES

How can pharming be prevented?

The Domain Name System Security Extensions (DNSSEC), a set of specifications issued as part of a larger industry-wide effort, enable authentication of DNS responses, in an effort to improve the reliability of DNS responses and thwart DNS-poisoning efforts. The central idea behind DNSSEC is to enable DNS query responses to be authenticated using a digital signature. A digitally signed DNS response enables a user to verify whether the information received in response to a DNS query matches the information served by the authoritative DNS server for that domain, ensuring that the DNS response is correct and complete.

How can a pharming attack be mitigated once launched?

An outsourced solution, such as the RSA FraudAction Anti-Pharming Service, is designed to handle DNS poisoning attacks from the detection phase to the threat's complete shutdown. To detect pharming on a particular entity's website, RSA deploys dedicated servers that actively monitor the Internet in search of poisoned DNS servers. As illustrated below (and mentioned above), pharming, including local pharming, may be launched from four different points in the DNS query chain:
–– The user's Hosts file (local pharming)
–– The ISP's DNS server
–– The Root Name Server
–– The Authoritative Name Server

As large scale attacks may be launched from the latter three points (ISPs' DNS servers, the Root Name Server, and a domain's Authoritative Name Server), that is where mitigation solutions focus their monitoring and detection efforts. The FraudAction Anti-Pharming Service is focused on points 2, 3 and 4 (excluding the user's own PC), where the majority of large scale attacks can take place (see figure below).

[Figure: RSA FraudAction Anti-Pharming Real-time Scanning. Points 1-4 represent the DNS hierarchy: (1) User PC hosts file, (2) ISP DNS, (3) Root DNS server, (4) Bank/authoritative DNS server. Other labels: Bank's web server; DNS bypass.]

(As a side note, local pharming attacks, which are the product of Local Pharming Trojans, are detected, monitored, blocked and shut down using a different methodology. The RSA FraudAction Anti-Trojan Service detects and handles Local Pharming Trojans on a regular basis.)

To detect pharming on a given set of domain names (for example, the web domains of a specific organization), a system is set up to continuously query the above points of the DNS query chain. The system verifies the validity of the name server and IP-address responses to DNS queries on an organization's domains. In addition, the system scans select ISP DNS servers to ensure that their cached data has not been poisoned at any point in time. If an attack is detected and confirmed, the spoofed website is taken down, and the owner of the poisoned DNS server is contacted to enable the immediate removal of the manipulated DNS information.

The key to fighting DNS poisoning is limiting the window of opportunity that a pharming attack has to serve malicious content (be it phishing attacks, Trojan attacks, or click-jacking) to a potential victim. Real-time detection of a pharming attack that is already in progress, combined with the means and capabilities to immediately remediate, can significantly curtail the debilitating impact such an attack may have.
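The two checks described here, a hosts-file scan for the local pharming case covered earlier and a comparison of ISP resolvers' cached answers against the authoritative record set, as an added Python example that is not part of the report or of RSA's service. The domain names, addresses, hosts-file lines and resolver names are constructed sample data; a real deployment would feed the same functions live DNS answers instead of the inline dictionaries.

```python
import ipaddress

# Constructed sample data (not from the report): authoritative answers for the
# monitored domains, a hosts file with a local pharming entry, and the cached
# answers observed from two ISP resolvers.
AUTHORITATIVE = {
    "abc-bank.com": {"1.23.123.1"},
    "www.abc-bank.com": {"1.23.123.1", "1.23.123.2"},
}
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1   localhost
3.21.31.2   ABC-bank.com   # entry planted by a Local Pharming Trojan
1.23.123.1  www.abc-bank.com
"""
OBSERVED = {
    "isp-resolver-1": {"abc-bank.com": {"1.23.123.1"}, "www.abc-bank.com": {"1.23.123.2"}},
    "isp-resolver-2": {"abc-bank.com": {"3.21.31.2"}, "example.org": {"10.0.0.1"}},
}

def parse_hosts(text):
    """Map hostname -> IP from hosts-file text, skipping comments and blanks."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ipaddress.ip_address(fields[0])   # first field must be an address
        except ValueError:
            continue
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]
    return mapping

def local_pharming_overrides(hosts_text, authoritative):
    """Monitored domains that the hosts file pins to a non-authoritative address."""
    return {name: ip for name, ip in parse_hosts(hosts_text).items()
            if name in authoritative and ip not in authoritative[name]}

def poisoned_resolvers(observed, authoritative):
    """(resolver, domain, bad_ips) where a cached answer leaves the authoritative set."""
    findings = []
    for resolver, answers in observed.items():
        for domain, ips in answers.items():
            bad = ips - authoritative.get(domain, ips)   # unmonitored domains ignored
            if bad:
                findings.append((resolver, domain, sorted(bad)))
    return sorted(findings)
```

Both functions return only the disagreements, so a confirmed finding names the resolver (or the hosts-file entry) that needs to be cleaned.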
Phishing Attacks per Month
Source: RSA Anti-Fraud Command Center
[Chart: unique phishing attacks detected per month, Nov 10 through Nov 11.]

In November, phishing volume increased 18 percent, with 28,365 unique attacks detected by RSA. Compared to the same time last year (November 2010 vs. November 2011), phishing volume has increased 69 percent.

Number of Brands Attacked
Source: RSA Anti-Fraud Command Center
[Chart: number of brands attacked per month, Nov 10 through Nov 11.]

Last month, 313 brands were targeted within phishing attacks, marking a five percent increase. Fifty-five percent of the brands targeted last month endured less than five attacks each. This figure is slightly higher than the 51 percent recorded in October. It appears that an increasing number of brands are enduring less than five attacks per month as phishers look to expand the list of brands added to their target list.

US Bank Types Attacked
Source: RSA Anti-Fraud Command Center
[Chart: monthly share of attacks by U.S. bank type (credit unions, regional banks, nationwide banks), Nov 10 through Nov 11.]

The portion of brands targeted in the U.S. credit union sector decreased five percent, while brands targeted with phishing in the regional US banking sector saw a four percent increase. In addition, the portion of phishing attacks against nationwide U.S. banks increased two percent.

Top Countries by Attack Volume
[Chart, November 2011: United Kingdom 51%; U.S. 23%; South Africa 8%; Canada 6%; Brazil 3%; India 2%; Netherlands 1%; Australia 1%; Colombia 1%; 37 other countries 3%.]

In September 2011, the UK overtook the U.S.'s ostensibly perpetual position as the country that endured the highest volume of phishing attacks each month. In November, the UK remains the country that has suffered the highest volume of phishing attacks, with 51 percent of attacks launched against entities in the UK. The U.S. endured the second highest volume, 23 percent, less than half of the attacks experienced by the UK, followed by South Africa (8 percent) and Canada (6 percent).

Top Countries by Attacked Brands
[Chart, November 2011: U.S. 32%; United Kingdom 11%; Brazil 7%; India 4%; Canada 4%; Australia 4%; France 3%; Spain 3%; Germany 2%; Colombia 2%; China 2%; Italy 2%; South Africa 2%; 33 other countries 21%.]

Through November, a total of 20 countries endured one percent or more of the world's phishing attacks. Together, the U.S. and UK accounted for 43 percent of the world's targeted brands, while the brands of eleven additional countries accounted for a total of 35 percent of phishing attacks in November.

Top Hosting Countries
[Chart, November 2011: U.S. 61%; United Kingdom 5%; Germany 4%; Russia 4%; Australia 3%; France 2%; Canada 2%; Poland 2%; Netherlands 2%; Brazil 2%; 65 other countries 14%.]

In November, the US hosted 61 percent of the world's phishing attacks, a seven percent increase from October. Nine of the top ten hosting countries in November retained their status from October, with Poland replacing the Ukraine on that chart.
CONTACT US

To learn more about how RSA products, services, and solutions help solve your business and IT challenges, contact your local representative or authorized reseller, or visit us at www.RSA.com

©2011 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. DEC RPT 1211