The cyclical relationship between threat actors and security professionals begins with the creation of a new attack technique, followed by the discovery of that technique by the security community, and then a refashioning of the manner of attack or creation of another novel approach by threat actors.
Phishers are always seeking better ways to entice victims into providing their personal and/or sensitive information, as well as to evade detection by security companies.
Lately, we have observed an uptick in attacks utilizing DNS records for malicious purposes. These attacks fall into two main categories: pharming and wildcard DNS attacks. This post provides examples of these methods and describes in detail how phishers use them in their attacks.
Pharming, also known as DNS poisoning, is an attack where a record for a domain on its name server is compromised, and any request for that domain is directed to a fraudulent IP address. This new address often contains content spoofing the domain that was originally requested, in order to steal credentials or personal information used for accessing that site.
Wildcard DNS attacks involve inserting a wildcard character into a DNS record (either on a compromised or malicious domain) in order to route traffic to fraudulent content, in a way that is very difficult to block.
Download the PhishLabs 2017 Phishing Trends & Intelligence Report to understand how the landscape today is astoundingly different than it was at the start of 2016. The data reveals a profound shift in who is targeted by phishing attacks and why.
Pharming/DNS Poisoning Attacks
In July 2016, Sucuri detailed a pharming attack where a threat actor targeted the FreeDNS service. Recently, we investigated a separate pharming attack by the same actor that routes all requests through an infected DNS server to spam content. Any DNS request made through the malicious DNS server is routed to a randomized spam site.
What made this attack unique was that it did not appear to involve compromising an existing DNS server, but instead involved an intentionally malicious DNS server resolving requests within a large DNS service.
The threat actor responsible for these attacks has registered more than 800 domains, all registered under the same email address and phone number, that currently redirect to spam sites when visited in a browser. Many of these domain names spoof popular hosting and DNS providers in order to provide a sense of legitimacy:
Figure: Examples of look-alike domains mimicking hosting providers and DNS services
One of the malicious DNS servers linked to this threat actor, vsecuredns.com, is currently being used in this pharming attack, routing any request it receives to a spam site. The target site can be changed or customized as long as the malicious actor maintains access to the DNS server, which means a victim could be routed to an endpoint spoofing their bank for phishing purposes, delivering targeted malware, or a site that is infected with an exploit kit.
VsecureDNS.com also has a wildcard character in its own DNS records, which helps capture any traffic sent to it and routes that traffic to one of the spam target sites:
Figure: Example dig request showing the malicious domain acting as nameserver
It appears that any end-user who was using the DNS service could have been affected by this attack. At the time of this writing, the DNS provider had been contacted for mitigation and their resolvers have been fixed. However, specific requests through the malicious DNS server can still be resolved to the spam content.
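Two checks a defender can run against the pharming scenario above are to verify that a domain's NS delegation still points at the provider's known nameservers, and to compare the answers a trusted resolver returns with those from the resolver under suspicion. The following is an added example, not PhishLabs' own tooling; it parses `dig +noall +answer`-style output (the sample lines, the domain names and the expected nameserver list are all constructed here) and reports any unexpected nameserver or divergent A record.

```python
"""Added example: spotting a pharming-style delegation change or resolver
divergence from dig-style answer lines. Sample data below is constructed."""

import re
from typing import Dict, List, NamedTuple, Set, Tuple


class RR(NamedTuple):
    name: str
    ttl: int
    rtype: str
    rdata: str


# dig's answer section prints: owner  TTL  class  type  rdata
_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_dig_answers(text: str) -> List[RR]:
    """Parse 'dig +noall +answer' output into resource records (comments skipped)."""
    rrs: List[RR] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _LINE.match(line)
        if m:
            rrs.append(RR(m.group(1).lower(), int(m.group(2)),
                          m.group(3).upper(), m.group(4).strip().lower()))
    return rrs


def unexpected_nameservers(rrs: List[RR], expected: Set[str]) -> Set[str]:
    """Return NS targets that are not in the provider's known nameserver set."""
    known = {e.lower().rstrip(".") + "." for e in expected}
    return {rr.rdata for rr in rrs if rr.rtype == "NS" and rr.rdata not in known}


def answer_set(rrs: List[RR], rtype: str = "A") -> Dict[str, Set[str]]:
    """Group rdata by owner name for one record type."""
    out: Dict[str, Set[str]] = {}
    for rr in rrs:
        if rr.rtype == rtype:
            out.setdefault(rr.name, set()).add(rr.rdata)
    return out


def resolver_disagreements(trusted_text: str, suspect_text: str,
                           rtype: str = "A") -> Dict[str, Tuple[List[str], List[str]]]:
    """Names whose answers differ between a trusted resolver and the suspect one."""
    t = answer_set(parse_dig_answers(trusted_text), rtype)
    s = answer_set(parse_dig_answers(suspect_text), rtype)
    return {name: (sorted(t.get(name, set())), sorted(s.get(name, set())))
            for name in t.keys() | s.keys()
            if t.get(name, set()) != s.get(name, set())}


# Constructed sample output: one legitimate NS plus a rogue delegation.
NS_OUTPUT = """\
example.test.        3600 IN NS ns1.legit-dns.example.
example.test.        3600 IN NS rogue-ns.example.
"""
# Constructed: the trusted resolver and the suspect resolver disagree on www.
TRUSTED_ANSWERS = """\
www.example.test.    300 IN A 192.0.2.10
"""
SUSPECT_ANSWERS = """\
www.example.test.    300 IN A 198.51.100.66
"""
# Constructed allowlist of the hosting provider's nameservers.
EXPECTED_NS = {"ns1.legit-dns.example", "ns2.legit-dns.example"}

if __name__ == "__main__":
    print("unexpected NS:", unexpected_nameservers(parse_dig_answers(NS_OUTPUT), EXPECTED_NS))
    print("divergent answers:", resolver_disagreements(TRUSTED_ANSWERS, SUSPECT_ANSWERS))
```

In practice the two inputs come from `dig @<trusted-resolver>` and `dig @<resolver-under-test>` for the same names; a non-empty result from either function is a signal to inspect the delegation and the resolver, not proof of compromise on its own, since legitimate CDN and provider migrations also change answers.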
Wildcard DNS Attacks
Wildcard DNS attacks provide advantages to the threat actor in both the areas of data collection and security evasion. Wildcard URL parameters have long been utilized in phishing attacks to track campaigns, customize the user experience, and even exfiltrate data. The continued use of wildcard DNS attacks and our examination of these techniques have shown this methodology continues to provide phishers with a successful tactic for deploying and concealing phishing campaigns.
A wildcard character in a DNS record will resolve all requests that are not already matched by another record (i.e. a pre-established legitimate subdomain) and route the traffic to the chosen IP address. Access to a site's DNS record can be compromised in a multitude of ways.
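To make the matching rule above concrete, here is an added example (not part of the original post) that models a zone as a dictionary and resolves names with the wildcard semantics of RFC 1034 and RFC 4592: an explicit record always beats the wildcard, a wildcard matches names several labels deep, and it does not cover names under an existing node that lacks its own wildcard. It also includes two defender checks: an audit that lists wildcard owners in a zone, and a probe that resolves a random label, the black-box test for "is a wildcard in effect". The zone contents and addresses are constructed.

```python
"""Added example: DNS wildcard matching (RFC 1034 s4.3.3 / RFC 4592) on a toy
zone, plus audit and probe helpers. Constructed data; not a full resolver."""

import secrets
from typing import Dict, List, Optional, Tuple

Zone = Dict[str, List[Tuple[str, str]]]  # owner name -> [(rrtype, rdata), ...]

# Constructed sample zone: legitimate apex and www records, plus a wildcard
# pointing at a different (attacker-style) host, as the post describes.
SAMPLE_ZONE: Zone = {
    "example.test.": [("NS", "ns1.example.test."), ("A", "192.0.2.10")],
    "www.example.test.": [("A", "192.0.2.10")],
    "*.example.test.": [("A", "198.51.100.66")],
}


def _canon(name: str) -> str:
    name = name.lower()
    return name if name.endswith(".") else name + "."


def _ancestors(name: str) -> List[str]:
    """Parent, grandparent, ... up to the root, as absolute names."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(1, len(labels))] + ["."]


def _exists(zone: Zone, name: str) -> bool:
    """A name exists if it owns records or is an ancestor of one (empty non-terminal)."""
    return name in zone or any(o.endswith("." + name) for o in zone)


def resolve(zone: Zone, qname: str, qtype: str) -> Optional[List[str]]:
    """Return rdata list for qname/qtype, [] for NODATA, None for NXDOMAIN."""
    qname = _canon(qname)
    # 1. Exact match: an explicit node always wins over any wildcard.
    if qname in zone:
        return [rd for (t, rd) in zone[qname] if t == qtype]
    if _exists(zone, qname):           # empty non-terminal: name exists, no data
        return []
    # 2. Closest encloser: the nearest existing ancestor of qname.
    closest = next((a for a in _ancestors(qname) if _exists(zone, a)), None)
    if closest is None:
        return None
    # 3. Only the wildcard directly under the closest encloser can match.
    wildcard = "*." + closest
    if wildcard in zone:
        return [rd for (t, rd) in zone[wildcard] if t == qtype]
    return None


def audit_wildcards(zone: Zone) -> List[Tuple[str, str, str]]:
    """List every wildcard record in the zone for review."""
    return [(owner, t, rd) for owner, rrs in sorted(zone.items())
            if owner.startswith("*.") for (t, rd) in rrs]


def wildcard_in_effect(zone: Zone, apex: str) -> bool:
    """Black-box probe: a random, never-published label should be NXDOMAIN."""
    probe = secrets.token_hex(8) + "." + _canon(apex)
    return resolve(zone, probe, "A") not in (None, [])


if __name__ == "__main__":
    for q in ["www.example.test.", "login.example.test.", "a.b.example.test.",
              "a.www.example.test."]:
        print(q, "->", resolve(SAMPLE_ZONE, q, "A"))
    print("wildcards:", audit_wildcards(SAMPLE_ZONE))
    print("wildcard in effect:", wildcard_in_effect(SAMPLE_ZONE, "example.test"))
```

The `a.www.example.test.` case is the one that surprises people: because `www.example.test.` exists, it is the closest encloser, and the wildcard at `*.example.test.` no longer applies, so the query is NXDOMAIN. Conversely `login.example.test.` and the deeper `a.b.example.test.` both land on the wildcard address, which is exactly why a single injected wildcard record captures so much traffic.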
Performing a little reconnaissance on the target allows the attacker to easily determine the responsible hosting and/or DNS providers for most sites on the clear web. Hosting providers typically provide instructions on their company website for accessing the administration login panel or editing DNS records for sites that they host. These instructions are meant to assist customers, but can also help an attacker get into the administration panel for a site through brute force, dictionary, password reuse, or even phishing attacks targeted against the site owner or hosting company. Many site owners have cPanel configured on ports 2082 or 2083. Knowing these commonly used ports, a potential attacker may attempt to access this location and then log in through this interface using a brute force attack or default credentials. More rarely, threat actors can compromise an entire DNS server. This would involve compromising the admin credentials or server of the DNS or hosting provider themselves, and accessing the records for the target site(s). Some attackers will even go so far as to maliciously register domains and set up wildcard DNS on their own domain to take advantage of the benefits of this type of attack (as wa