DNS POISONING, AKA PHARMING, MAKES THE HEADLINES IN NOVEMBER S NEWS


December 2011

November saw DNS poisoning, aka pharming, making the headlines on more than one occasion. To name a few: the online threat was showcased in the high-profile hijacking of several Brazilian ISPs' DNS servers, an incident that resulted in millions of Brazilian users being infected with a banking Trojan. As well, the FBI arrested half a dozen Estonia-based cybercriminals last month in connection with a fraudulent DNS-rerouting scheme that enabled the gang to rake in $14 million in fraudulent advertising revenue.

In view of November's DNS-related incidents, this month's highlight sheds light on the Domain Name System (DNS), including:

What the DNS system is
How it works
Potential threats as exemplified in recent cases
Prevention and mitigation measures

WHAT IS THE DOMAIN NAME SYSTEM?

The Domain Name System (DNS) is a system designed to facilitate locating an internet resource, and can be likened to a phone directory, which resolves people's names to their respective phone numbers. In much the same way, DNS servers resolve web domains (such as http://website.com) to their correct IP addresses (for example, 12.123.3.1).

HOW DOES IT WORK?

The Domain Name System is a distributed, hierarchical system that issues queries from a user's computer to other domain name servers until the IP address of the requested resource is located. When an online user enters a domain name in a browser's address bar, for example http://website.com, the query undergoes the following flow of events:

1. The OS queries a local file called Hosts, also known as the Hosts file. (In Windows systems, the file is located here: [LocalDisk]/Windows/system32/drivers/etc.) The Hosts file maps domains, aka hosts, to their IP addresses. (This is relevant to some operating systems, in which a query is first issued to the local Hosts file before it is issued to external resources.)
2. If the IP address of the host is not defined in the Hosts file, the OS queries the user's local DNS cache. (You can view your local DNS cache by running the command ipconfig /displaydns.)
3. If the appropriate IP address is not located in the user's local DNS cache, the OS issues a query to the ISP's DNS servers (or the user's organization's DNS servers).
4. The ISP checks the cache of its own DNS servers, and if the resource for the host is not cached, it issues a query to the root name servers to find the DNS server responsible for the relevant top-level domain (TLD). For example, a query for the domain http://website.com would be forwarded to the .com TLD name server (which is the authoritative DNS server for .com domains).
5. The TLD server locates the authoritative name server for http://website.com, which would normally be configured as ns1.website.com.
6. The authoritative name server, ns1.website.com, locates the IP address for http://website.com and resolves the query.
7. The OS queries the IP address of http://website.com and retrieves its content (the actual website).

POTENTIAL THREATS AS EXEMPLIFIED IN RECENT CASES

Potential threats to the integrity of the DNS query chain include classic pharming, DNS cache poisoning, rogue DNS servers, and local pharming. These threats are explained below, along with relevant cases that made the headlines in November.

Classic Pharming

Classic pharming consists of the deliberate manipulation of DNS records with the objective of providing an incorrect IP address for a given domain query.
For example, instead of resolving https://abc-bank.com to 1.23.123.1, a poisoned DNS record would return an incorrect IP address such as 3.21.31.2. The false IP address returned to an online user could harbor a wide range of fraudulent content, from a phishing attack that mimics the genuine website to a Trojan infection point containing a drive-by download.

DNS Cache Poisoning

Earlier last month, cybercriminals reportedly hacked the cache of DNS servers belonging to several major ISPs in Brazil, changing the ISPs' DNS cache records for high-traffic websites such as Google Brazil, YouTube, Gmail, Hotmail and several large Brazilian Internet portals like Uol, Terra or Globo.

A DNS server's cache functions as a storage area for responses received in previous DNS queries. DNS caches are employed to resolve DNS queries faster, improving users' browsing experience by saving the time it takes to pass a query through all the relevant DNS servers until the appropriate IP address is returned.

When trying to access the high-profile websites mentioned above from one of the affected ISPs, users were redirected to a website that forced them to download a banker Trojan (possibly one of the numerous variants of the Brazilian Banker Trojan), which masqueraded as a small, innocuous Java applet (a small Java application). Given that Brazil has over 70 million internet users, and that each ISP in the country serves at least 3 million subscribers, targeted financial institutions were likely heavily impacted by the DNS cache poisoning attack. The confidentiality of millions of online banking accounts was jeopardized, as Banker Trojans easily collect usernames and passwords (either via keylogging or by logging all HTTP and HTTPS communications).

The breach of the DNS servers' cache may have resulted from inherent software vulnerabilities or from the criminal actions of a server administrator, who may have exploited his/her access to these servers to manipulate the servers' cached responses. Such was the case that made headlines in early November, when an employee of a Brazilian ISP was arrested by the Brazilian Federal Police for continuously manipulating the ISP's DNS cache results over a 10-month period. The DNS cache poisoning in this incident resulted in the redirection of the ISP's subscribers to phishing attacks.

Rogue DNS Servers

Also in early November, the FBI announced that a fraud scheme involving the manipulation of users' DNS settings resulted in a cybercrime gang raking in $14 million in revenue, which the gang generated by earning commissions on clicks made by users on ads for which they acted as publishers. To get users to click on ads for which the cybercriminals would be paid commission, the gang rerouted search engine results to websites that featured revenue-generating ads (for which they acted as publishers). In addition, the crime ring replaced legitimate online ads with different ads for which they could once again earn commission.

To accomplish this, the gang manipulated users' DNS settings by launching an infection campaign that compromised machines with a piece of malware called DNSChanger. The malware changed users' local DNS settings, rerouting their machines' DNS queries to rogue DNS servers under the gang's control. This means that instead of querying their ISP's legitimate DNS servers, victims who downloaded DNSChanger constantly queried the gang's rogue DNS server, which served bogus search engine results and fraudulently replaced ads on legitimate websites.

Rerouting hyperlinks that came up in search engine results enabled the gang to generate revenue by leading users to a different webpage than the one indicated by the hyperlink, one that contained advertisements purportedly related to the product they sought. Subsequent clicks by users on those ads generated commissions for the gang. This scheme is known as Click Hijacking or click-jacking.

Another revenue-generating scheme deployed by the gang involved advertising replacement fraud. As stated by the FBI, "Using the DNS Changer malware and rogue DNS servers, the defendants also replaced legitimate advertisements on websites with substituted advertisements that triggered payments to the gang."

Local Pharming

While not directly involving DNS servers, local pharming is another form of IP-resolution fraud. In some operating systems, hosts files are given priority over resolution by DNS. In such systems, if a given host (web domain) is listed in the hosts file, no DNS query is performed to resolve its IP address; the IP specified in the hosts file is used instead. Consequently, by changing the IP address associated with the host name (domain) of an entity, Local Pharming Trojans redirect victims to fraudulent webpages, which may in turn serve malicious content ranging from phishing attacks to Trojan infection points and click-jacking schemes. Local pharming is especially popular among variants of the Brazilian Banker Trojan.

PREVENTION AND MITIGATION MEASURES

How can pharming be prevented?
A set of specifications, issued as part of a larger industry-wide effort, called the Domain Name System Security Extensions (DNSSEC), enables authentication of DNS responses, in an effort to improve the reliability of DNS responses and thwart DNS-poisoning efforts. The central idea behind DNSSEC is to enable DNS query responses to be authenticated using a digital signature. A digitally signed DNS response enables a user to verify whether the information received in response to a DNS query matches the information served by the authoritative DNS server for that domain, ensuring that the DNS response is correct and complete.

How can a pharming attack be mitigated once launched?

An outsourced solution, such as the RSA FraudAction Anti-Pharming Service, is designed to handle DNS poisoning attacks from the detection phase to the threat's complete shutdown. To detect pharming on a particular entity's website, RSA deploys dedicated servers that actively monitor the Internet in search of poisoned DNS servers.

As illustrated below (and mentioned above), pharming, including local pharming, may be launched from four different points in the DNS query chain:

1. The user's Hosts file (local pharming)
2. The ISP's DNS server
3. The Root Name Server
4. The Authoritative Name Server

As large-scale attacks may be launched from the latter three points (ISP DNS servers, the Root Name Server, and a domain's Authoritative Name Server), that is where mitigation solutions focus their monitoring and detection efforts. The FraudAction Anti-Pharming Service focuses on points 2, 3 and 4 (excluding the user's own PC), where the majority of large-scale attacks can take place (see figure below).

[Figure: RSA FraudAction Anti-Pharming. Real-time scanning across points 1-4 of the DNS hierarchy: (1) user PC hosts file (DNS bypass), (2) ISP DNS, (3) root DNS server, (4) bank/authoritative DNS server, leading to the bank's web server.]

(As a side note, local pharming attacks, which are the product of Local Pharming Trojans, are detected, monitored, blocked and shut down using a different methodology. The RSA FraudAction Anti-Trojan Service detects and handles Local Pharming Trojans on a regular basis.)

To detect pharming on a given set of domain names (the website domains of a specific organization, for example), a system is set up to continuously query the above points of the DNS query chain. The system verifies the validity of the name server and IP-address responses to DNS queries on an organization's domains. In addition, the system scans select ISP DNS servers to ensure that their cached data has not been poisoned at any point in time. If an attack is detected and confirmed, the spoofed website is taken down, and the owner of the poisoned DNS server is contacted to enable the immediate removal of the manipulated DNS information.

The key to fighting DNS poisoning is limiting the window of opportunity that a pharming attack has to serve malicious content (be it phishing attacks, Trojan attacks, or click-jacking) to a potential victim. Real-time detection of a pharming attack that is already in progress, combined with the means and capabilities to immediately remediate, can significantly curtail the debilitating impact such an attack may have.
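The client-side resolution order from steps 1-3 above and the cross-check of query-chain answers described in this section, written as an added example that is not RSA's code or part of the original report; the bank domain, IP ranges, resolver names and hosts-file lines are constructed, and the upstream resolver is a stand-in function rather than a live query:

```python
"""Added example (not RSA's code): models the client resolution order
(hosts file -> local DNS cache -> upstream resolver) and the cross-check a
pharming monitor runs over query-chain points. All data is constructed."""
import ipaddress
import time


def parse_hosts(text):
    """Map each hostname in hosts-file text to its IP, skipping comments and
    malformed lines. The first entry for a name wins, as on most systems."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def resolve(name, hosts, cache, upstream, now=None):
    """Steps 1-3: hosts file, then local cache (honouring TTL), then upstream.
    Returns (ip, source); a planted hosts entry or poisoned cache record wins
    until it is removed or expires."""
    name = name.lower()
    now = time.time() if now is None else now
    if name in hosts:
        return hosts[name], "hosts"
    cached = cache.get(name)
    if cached and cached[1] > now:          # (ip, expiry timestamp)
        return cached[0], "cache"
    ip, ttl = upstream(name)                # stands in for the ISP resolver
    cache[name] = (ip, now + ttl)
    return ip, "upstream"


def audit_chain(domains, hosts_text, resolver_answers):
    """Flag a hosts-file override (local pharming) and any resolver whose
    answers fall outside the authoritative set (poisoned cache / rogue server)."""
    findings = []
    hosts = parse_hosts(hosts_text)
    for domain, expected in domains.items():
        if domain in hosts and hosts[domain] not in expected:
            findings.append(("hosts-file", domain, hosts[domain]))
        for resolver, answers in resolver_answers.items():
            got = set(answers.get(domain, ()))
            if got and not got <= expected:
                findings.append((resolver, domain, sorted(got - expected)))
    return findings


# Constructed data: documentation IP ranges, an invented bank domain, and a
# hosts-file line of the kind a local pharming Trojan plants.
MONITORED = {"abc-bank.example": {"192.0.2.10", "192.0.2.11"}}
HOSTS = """127.0.0.1 localhost
203.0.113.5 abc-bank.example www.abc-bank.example  # injected entry
"""
ANSWERS = {
    "authoritative-ns": {"abc-bank.example": ["192.0.2.10", "192.0.2.11"]},
    "isp-resolver-a": {"abc-bank.example": ["192.0.2.10"]},
    "isp-resolver-b": {"abc-bank.example": ["203.0.113.5"]},  # poisoned cache
}

if __name__ == "__main__":
    print(resolve("ABC-bank.example", parse_hosts(HOSTS), {}, lambda n: ("192.0.2.10", 300)))
    for finding in audit_chain(MONITORED, HOSTS, ANSWERS):
        print("ALERT", finding)
```

In a live monitor the `upstream` function and the `ANSWERS` table would be filled from real queries to each ISP resolver and the domain's authoritative name server; the comparison logic is the same.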

PHISHING ATTACKS PER MONTH

In November, phishing volume increased 18 percent, with 28,365 unique attacks detected by RSA. Compared to the same time last year (November 2010 vs. November 2011), phishing volume has increased 69 percent.

[Chart: Phishing Attacks per Month, November 2010 to November 2011. Source: RSA Anti-Fraud Command Center]

NUMBER OF BRANDS ATTACKED

Last month, 313 brands were targeted within phishing attacks, marking a five percent increase. Fifty-five percent of the brands targeted last month endured fewer than five attacks each. This figure is slightly higher than the 51 percent recorded in October. It appears that an increasing number of brands are enduring fewer than five attacks per month as phishers look to expand the list of brands on their target list.

[Chart: Number of Brands Attacked per month: Nov 10: 200, Dec 10: 236, Jan 11: 257, Feb 11: 268, Mar 11: 342, Apr 11: 301, May 11: 376, Jun 11: 349, Jul 11: 321, Aug 11: 351, Sept 11: 300, Oct 11: 298, Nov 11: 313. Source: RSA Anti-Fraud Command Center]

US BANK TYPES ATTACKED

The portion of brands targeted in the U.S. credit union sector decreased five percent, while brands targeted with phishing in the regional U.S. banking sector saw a four percent increase. In addition, the portion of phishing attacks against nationwide U.S. banks increased two percent.

[Chart: U.S. Bank Types Attacked, monthly share of credit unions, regional banks and nationwide banks, November 2010 to November 2011. Source: RSA Anti-Fraud Command Center]

TOP COUNTRIES BY ATTACK VOLUME

In September 2011, the UK overtook the U.S.'s ostensibly perpetual position as the country that endured the highest volume of phishing attacks each month. In November, the UK remains the country that has suffered the highest volume of phishing attacks, with 51 percent of attacks launched against entities in the UK. The U.S. endured the second highest volume, 23 percent, less than half of the attacks experienced by the UK, followed by South Africa (8 percent) and Canada (6 percent).

[Chart: Top Countries by Attack Volume, November 2011: United Kingdom 51%, U.S. 23%, South Africa 8%, Canada 6%, Brazil 3%, India 2%, Australia 1%, Netherlands 1%, Colombia 1%, 37 other countries 3%]

TOP COUNTRIES BY ATTACKED BRANDS

Through November, a total of 20 countries endured one percent or more of the world's phishing attacks. Together, the U.S. and UK accounted for 43 percent of the world's targeted brands, while the brands of eleven additional countries accounted for a total of 35 percent of phishing attacks in November.

[Chart: Top Countries by Attacked Brands, November 2011: U.S. 32%, United Kingdom 11%, Brazil 7%, India 4%, Canada 4%, Australia 4%, France 3%, Spain 3%, Italy 2%, South Africa 2%, China 2%, Colombia 2%, Germany 2%, 33 other countries 21%]

TOP HOSTING COUNTRIES

In November, the U.S. hosted 61 percent of the world's phishing attacks, a seven percent increase from October. Nine of the top ten hosting countries in November retained their status from October, with Poland replacing the Ukraine on that chart.

[Chart: Top Hosting Countries, November 2011: U.S. 61%, United Kingdom 5%, Germany 4%, Russia 4%, Australia 3%, Brazil 2%, Canada 2%, Poland 2%, France 2%, Netherlands 2%, 65 other countries 14%]

CONTACT US

To learn more about how RSA products, services, and solutions help solve your business and IT challenges, contact your local representative or authorized reseller or visit us at www.rsa.com

© 2011 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. DEC RPT 1211