A Consultant's View

Prairie Trail Software, Inc. ............................................................. January 2008

New Phishing Lures

While many phishing lures are working quite successfully today, the ever capitalistic criminals are working on the next level of attack. At present, this is not a big worry, but people are taking notice of the NEW technique(s), so we thought we would talk about them too.

The current phishing lure is usually a bogus email that requests you resend your vital personal information to the bank (usually because the world will come to an end if you don't). The email provides a link to a phony web site.

The problem for the criminals is that too many of us have figured out their scheme. So, time for a new lure.

Part of web surfing involves sending a request for the actual address (IP) of a domain. This translation is done via a domain name server (DNS). So, if you want to go to "www.prairietrail.com", your DNS server will send you to "66.39.25.39".

The new, and deliciously malicious, phishing technique is to make you use another DNS server that will route you to the wrong addresses.

So, how will/does it work? Instead of luring you with an email, they entice you to visit a website. At the web site they hope to give you a bit of malicious code. Any site will do. So, although Adam and Eve might avoid a sight about golden delicious apples, they still might surf to a web site on organic gardening. That code goes into the Windows registry and silently changes the value that tells your computer how to send requests to your proper DNS server (very sneaky, eh?). After that, all your surfing is controlled by another DNS server. You've taken the bait hook line and sinker.

The bogus server will probably give you the proper addresses for most of your surfing (like to prairietrail.com), but when you decide to go to a banking web site... You might never know that the bank's address had been corrupted as you enter your banking information.

But it won't stop there. The second wave of capitalistic criminals will not be content just to steal your money. They will likely start replacing other website addresses with the obligatory pop up ad, pornography, or whatever suites their folly. (Have you ever had some joker change the auto spell correction in MS word? Yeah, like that, only worse.)

Eventually anti-virus software will monitor the values in the registry, there will be lists of deceptive DNS servers, and protection software will validate what you use with that list. The good news is that currently only 0.4% of DNS servers respond with bad information, 2% are questionable, and most people don't use those systems anyway; instead, most of us use our ISP's DNS servers.

At present, this new and improved lure does not appear to be a major problem, but as the current lure was not a big problem five years ago, we should look for ways to prevent, avoid, and discourage the new lure in the near future.