DNS Poisoning, part 2 - PRR Computers, LLC

by Phil Rice
12 years ago

In last week’s post, I began by describing the wondrous Domain Name System (DNS) and how fantastically awesome its contribution to the Internet is, and then closed with some remarks that said it’s been overrun by criminals.

Okay, so I didn’t exactly say that, and it isn’t all despair and hopelessness. But DNS can, indeed, be poisoned. The purpose? To redirect you to a bad website that looks just like a good website.

The whole poisoning process is fairly sophisticated, and is perhaps best illustrated with a metaphor that will be familiar to anyone who has ever watched MI-5 or another spy show / movie. A target under surveillance makes a phone call to order a pizza, but the call is covertly redirected to someone at spy headquarters, who answers the call pretending to be the pizza guy. The spy service then sends an agent over with a pizza, and gains access to the facility.

That’s kind of what happens with DNS poisoning. A mid-level DNS server is asked to look up a non-existent but seemingly legitimate domain name, and while that mid-level DNS server is awaiting a reply, an attacker masquerades as an authoritative answer, injecting their own name+IP record into the server’s cache. The “real” reply is never received because the mid-level DNS server thinks it already received its answer. The IP address in question is a server controlled by the attacker(s).

Thereafter, until that record expires, any machine that asks that mid-level DNS server about that domain name receives the IP address of the attacker’s server, which has typically been dressed up to look just like a legitimate destination.

But how, you may ask, does the attacker get anyone to visit that domain name pointing to their server? You’ve plenty of reasons to hate it, but add another: SPAM email.

Here’s a more concrete example: let’s say that you and a lot of other people do your online banking at JUSTABANK.COM. The attacker makes up a subdomain of that second-level domain: BANK1ALERTS.JUSTABANK.COM. This subdomain doesn’t actually exist on the bank’s legit servers, but as a customer of theirs you’d probably have no way of knowing that.

The attacker sends a query to a DNS caching server at your Internet provider, asking for the IP address of BANK1ALERTS.JUSTABANK.COM.  Your ISP’s server has never heard of it, so it sends a request to another DNS server up the chain, asking where that name should point. Before your ISP’s server can receive a legitimate reply (which would probably be something along the lines of, “never heard of it”), the attacker – pretending to be that other DNS server – answers the question: that name points to, which is of course the IP address of his own web server. His web server has been dressed up to look just like a JUSTABANK.COM website, complete with logos and similar page formats, etc.
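The race described above (and in the general description earlier in the post) comes down to one question: how does the caching server decide which reply belongs to its outstanding query? The following is an added illustration, not code from the post or from PRR Computers. It models two caching resolvers in plain Python with no network access: a naive one that matches a reply to its pending query by name alone and always sends from port 53, and a hardened one that also requires the reply to echo a random 16-bit transaction ID and a random source port. The hostnames, IP addresses (taken from the documentation ranges) and TTLs are constructed sample values; the class and function names are my own.

```python
"""Toy model of DNS cache poisoning and the matching checks that blunt it.

Added example, not the post's own code. No packets are sent: queries and
replies are plain Python objects, and "spoofer" and "upstream" are just two
constructed Reply values handed to the resolver in the order the post
describes (spoofed answer first, genuine answer second).
"""
import random
from dataclasses import dataclass

# Constructed sample values; the addresses come from the RFC 5737 documentation ranges.
TARGET = "bank1alerts.justabank.com"   # the made-up subdomain from the post
ROGUE_IP = "198.51.100.77"             # stands in for the attacker's web server
NXDOMAIN = "NXDOMAIN"                  # what the genuine upstream would really say


@dataclass(frozen=True)
class Reply:
    name: str        # question name the reply claims to answer
    txid: int        # 16-bit transaction id the reply echoes back
    dst_port: int    # UDP port the reply is addressed to
    answer: str      # an IP address, or NXDOMAIN for "never heard of it"
    ttl: int         # seconds the resolver may keep this answer


class NaiveResolver:
    """Simplified model of the weakness: a reply is matched to a pending query by
    name only, and every query leaves from the same well-known port."""
    SOURCE_PORT = 53

    def __init__(self):
        self.cache = {}      # name -> (answer, expiry time)
        self.pending = {}    # name -> (txid, source port) of the outstanding query
        self._next_txid = 1  # predictable counter instead of a random id

    def query(self, name):
        txid = self._next_txid
        self._next_txid += 1
        self.pending[name] = (txid, self.SOURCE_PORT)
        return txid, self.SOURCE_PORT

    def accept(self, reply, now):
        """First reply for a pending name wins; later replies for it are dropped."""
        if reply.name not in self.pending:
            return False
        self.cache[reply.name] = (reply.answer, now + reply.ttl)
        del self.pending[reply.name]
        return True

    def lookup(self, name, now):
        """Return the cached answer until its TTL runs out, else None."""
        entry = self.cache.get(name)
        if entry is not None and entry[1] > now:
            return entry[0]
        return None


class HardenedResolver(NaiveResolver):
    """Random transaction id and random source port per query; a reply must echo
    both exactly or it is ignored. (Real resolvers also check the sender address
    and the question section, and DNSSEC adds cryptographic validation.)"""

    def query(self, name):
        txid = random.randrange(1, 1 << 16)
        port = random.randrange(1024, 1 << 16)
        self.pending[name] = (txid, port)
        return txid, port

    def accept(self, reply, now):
        expected = self.pending.get(reply.name)
        if expected is None or expected != (reply.txid, reply.dst_port):
            return False   # wrong id or wrong port: not our query, drop it
        return super().accept(reply, now)


def run_scenario(resolver):
    """Replay the post's race: the spoofed answer arrives before the real one.

    Returns (spoof accepted?, genuine accepted?, answer now, answer 50 min later).
    """
    now = 0
    txid, port = resolver.query(TARGET)
    # The spoofer never sees the outgoing query, so it can only guess id and port.
    spoofed = Reply(TARGET, txid=0, dst_port=53, answer=ROGUE_IP, ttl=3600)
    genuine = Reply(TARGET, txid=txid, dst_port=port, answer=NXDOMAIN, ttl=300)
    spoof_ok = resolver.accept(spoofed, now)
    genuine_ok = resolver.accept(genuine, now)
    return spoof_ok, genuine_ok, resolver.lookup(TARGET, now), resolver.lookup(TARGET, now + 3000)


if __name__ == "__main__":
    print("naive   :", run_scenario(NaiveResolver()))
    print("hardened:", run_scenario(HardenedResolver()))
```

Against the naive resolver the spoofed answer is cached, the genuine "never heard of it" reply is discarded, and the rogue address is still being handed out fifty minutes later because the attacker chose the TTL. Against the hardened resolver the spoofed reply's guessed id and port never match the outstanding query, so the genuine negative answer is the one that lands in the cache.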

Now the attacker sends out a bunch of spam email messages to recipients at that Internet provider, saying, “Alert! An ACH withdrawal has been attempted from your account at JUSTABANK. Please login to confirm the transaction details for our fraud department.” And there’s a handy link in the email to BANK1ALERTS.JUSTABANK.COM. The email, like the fake website, is dressed up to look as real as possible.

Now at least some of the spam recipients are going to be JUSTABANK customers, and at least some of those are going to want to do their part to report the fraudulent withdrawal from their accounts, so they click on the link. The website looks just like JUSTABANK, and they are asked to log in – and enter other personal information to “confirm their identity.” To someone not educated in how phishing works, it all sounds perfectly reasonable.

When the link is clicked on, the victim’s computer asks for DNS info on BANK1ALERTS.JUSTABANK.COM, and ultimately gets its answer from the poisoned DNS server. They are directed to the attacker’s website, which is basically a honeypot for information theft.

The attacker’s website gathers the personal bank info from the victim who got tricked into providing it, then redirects them to the real bank’s website, where they log in and sigh with relief as they see that their accounts are fine. That evening, the attacker uses the victim’s private info to access the victim’s real bank account and take money. And before the user has noticed it’s gone, the attacker is gone.

That’s not the only kind of scenario that can unfold; it’s one of many.

What is frustrating, you will note, is that this attack had nothing to do with your firewall or your antivirus. Your computer could be completely secure, and this poisoning could still take place. It seems completely out of your control.

So what could be done to avoid this kind of attack?

  • No bank uses email to convey this kind of personal security-related information. So treat any email claiming to be from your bank with at least a little suspicion.
  • Be very careful clicking a link within an email message, whether that message claims to be from your bank, or a friend you trust, or anyone.
  • If you don’t explicitly recognize a URL (website address), try submitting it to Norton Safe Web or PhishTank to check it out. It’s not foolproof, but it can catch a lot of the bad ones without you risking a visit.
