Pasted from: http://news.netcraft.com/archives/2005/03/..._bait_urls.html

Phishing operations have begun using DNS wildcards and URL encoding to create email links that display the URLs of legitimate banking sites, but send victims to spoof sites designed to steal their login details. A wildcard DNS record (*.example.com) will resolve all requests that are not matched by any other record. Wildcards are typically used to manage errant or mistyped e-mail addresses, but have been routinely abused by spammers.

In recent weeks wildcard DNS settings have been used in a wave of phishing attacks on Barclays Bank, in which the "bait" email included URLs starting with barclays.co.uk, followed by a lengthy sequence of letters and symbols. Several examples:


http://barclays.co.uk|snc9d8ynusktl2wpqxzn...nKs.at/pgcgc3p/
http://barclays.co.uk|YJ3EMOHOqljQ8J5oW2ZK...q10d24r2h0bijh2
http://barclays.co.uk|34fdcb4rvdnp9phxbahh...2ea%74/41pvaw3/

The phishers use a wildcard DNS setting at a third-party redirection service (kickme.to) to construct the URLs. The wildcard allows the display of URLs beginning with "barclays.co.uk," which is followed by a portion of the URL which is encoded to obscure the actual destination domain.

The redirector at kickme.to/has.it forwards to a Barclays spoof site hosted at Pochta.ru in Moscow. The spoof loads a page from the actual Barclays site, and then launches a data collection form in a pop-up window from the Russian server.

Barclays is aware of the fraud and has posted a warning to customers on its web home page. Some of the URLs function only in selected browsers. For example, the URLs using the pipe character will resolve on Windows XP, but not Linux. Windows XP browsers support a broader character set to accommodate migrations from Windows NT4, which allows the use of the pipe character in identifying network assets.

Some of the URLs stop working as redirection functions at kickme.to go offline. But the spoofed pages remain online at Pochta's Moscow server, which houses four of the domains hosting scam pages (pisem.net, mail333.ru, mail15.com and from.ru), which are brazenly using the hyphenated "barclays-co-uk" in subdomains.

-------------------------------------------------------------------------------------------------
inetnum: 81.211.64.0 - 81.211.64.127
netname: SOVINTEL-RBC-NET
descr: Moscow Russia
descr: Pochta.ru network
country: RU
admin-c: PN1109-RIPE
tech-c: PN1109-RIPE
status: ASSIGNED PA
mnt-by: SOVINTEL-MNT
notify: ncc@sovintel.ru
notify: noc@rbc.ru
changed: maslov@sovintel.ru 20040826
source: RIPE
--------------------------------------------------------------------------------------------------
I got 2 extra domains compared to Netcraft

pisem.net
IP Addresses: 81.211.64.20
IP Country: RUSSIAN FEDERATION
Reverse IP Lookup: IP hosts 6 domains

Hosting Company Name: Pochta.ru


81.211.64.20 hosts 6 domains:

Domain Name
1 FROMRU.COM.
2 KROVATKA.NET.
3 MAIL15.COM.
4 MAIL333.COM.
5 PISEM.NET.
6 POCHTA.INFO.
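To show concretely why the bait URLs in the Netcraft article above fool a reader, here is an added example (my code, not Netcraft's or the original poster's) that splits such a URL into what the victim sees and what actually resolves. The redirector domain in the samples is the constructed placeholder example.net, since the real URLs on the page are truncated; the check for the registrable domain is a deliberately crude "last two labels" rule, which is enough for the demo but would need the Public Suffix List in real tooling.

```python
"""Dissect a wildcard-DNS "bait" URL of the kind shown in the article.

Added example, not from Netcraft or the original poster. Hostnames below are
constructed: "example.net" stands in for the redirector domain. The point:
the browser treats everything between "://" and the first "/" as the
authority, so a victim reads "barclays.co.uk", but the resolver only needs
the right-most labels, which a wildcard record (*.example.net) answers for
any left-hand part, pipe character included on browsers that accept it.
"""
import re
from urllib.parse import unquote

# Characters allowed in a hostname label (letters, digits, hyphen); "|" is not.
LABEL_OK = re.compile(r"^[A-Za-z0-9-]+$")
# Longest leading run that looks like a plain hostname: what the victim reads.
DISPLAYED_PREFIX = re.compile(r"^[A-Za-z0-9.-]+")


def authority_of(url):
    """Return the raw authority: text between 'scheme://' and the first '/'."""
    sep = url.find("://")
    if sep == -1:
        raise ValueError("URL has no scheme")
    rest = url[sep + 3:]
    slash = rest.find("/")
    return rest if slash == -1 else rest[:slash]


def dissect(url):
    """Return what the victim sees versus what actually resolves."""
    raw_authority = authority_of(url)
    # What a reader skims: the leading hostname-looking run, e.g. "barclays.co.uk".
    m = DISPLAYED_PREFIX.match(raw_authority)
    displayed = m.group(0) if m else ""
    # Undo %-encoding (the article's third URL hides a 't' as %74) before resolving.
    authority = unquote(raw_authority)
    # Drop userinfo ("user:pass@") and port; userinfo is another classic disguise.
    host = authority.rsplit("@", 1)[-1].split(":", 1)[0]
    labels = host.split(".")
    bad_labels = [label for label in labels if not LABEL_OK.match(label)]
    # Crude registrable domain: the last two labels. Real tooling must use the
    # Public Suffix List (co.uk, com.au, ...) instead of this shortcut.
    registrable = ".".join(labels[-2:])
    suspicious = bool(bad_labels) or not displayed.endswith(registrable)
    return {
        "displayed": displayed,
        "host": host,
        "registrable": registrable,
        "bad_labels": bad_labels,
        "suspicious": suspicious,
    }


# Constructed samples modelled on the three bait URLs in the article.
BAIT_URLS = [
    "http://barclays.co.uk|snc9d8ynusktl2wpqxzn.example.net/pgcgc3p/",
    "http://barclays.co.uk|34fdcb4rvdnp9phxbahh.%65xampl%65.n%65t/41pvaw3/",
    "http://barclays.co.uk@example.net/login/",      # userinfo variant
    "http://www.barclays.co.uk/",                    # genuine host, for contrast
]

if __name__ == "__main__":
    for u in BAIT_URLS:
        r = dissect(u)
        tag = "BAIT" if r["suspicious"] else "ok  "
        print(f"{tag}  sees {r['displayed']!r:24} resolves {r['registrable']!r}")
```

Run it and the first three lines report BAIT with a displayed prefix of barclays.co.uk but a resolving domain of example.net, while the genuine www.barclays.co.uk passes; the second sample shows the percent-encoded domain being unmasked by decoding before the host is split.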