[REVS] Understanding and Preventing DNS-related Attacks by Phishers

From: SecuriTeam (support_at_securiteam.com)
Date: 09/08/05

    To: list@securiteam.com
    Date: 8 Sep 2005 14:07:55 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Understanding and Preventing DNS-related Attacks by Phishers
    ------------------------------------------------------------------------

    SUMMARY

    Exploiting well-known flaws in DNS services and in the way host names are
    resolved to IP addresses, Phishers have upped the ante in the cyber war for
    control of a customer's online identity for financial gain.

    A grouping of attack vectors now referred to as "Pharming" affects the
    fundamental way in which a customer's computer locates and connects to an
    organisation's online offering. Enabling the Pharmer to reach wider
    audiences with a lower probability of detection than their Phishing
    counterparts, pharming attacks are capable of defeating many of the latest
    defensive strategies used by customer and online retailer alike.

    This paper, extending the original material of "The Phishing Guide",
    examines in depth the workings of the name services on which
    Internet-based customers depend, and how they can be exploited by Pharmers
    to conduct identity theft and financial fraud on a massive scale.

    DETAILS

    Background:
    This paper focuses upon a recent group of attack vectors used by criminals
    to target an organization's customers for identity theft and financial
    fraud. Closely related to Phishing attacks, this new attack manipulates
    the ways in which a customer locates and connects to an organization's
    named hosts or services through modification of the name lookup process.

    The attack vectors, commonly referred to as Pharming, have the ability to
    bypass many traditional Phishing attack prevention tools and affect larger
    segments of an organization's customer base.
    Given the apparent complexity of this attack vector, this paper seeks to
    carefully explain many of the background processes all Internet-based
    customers use on a daily basis to connect to an organization's commercial
    service, and examines how frailties in them can be exploited by an
    attacker to conduct a Pharming attack.

    Readers should ensure that they fully understand how traditional Phishing
    attacks are conducted and the defensive strategies that have been adopted
    in the past to protect against them. Ideally the reader should be familiar
    with the author's previous paper "The Phishing Guide", as several sections
    of this paper reference information contained within the earlier whitepaper.

    To read more about the guide please visit:
    http://www.ngssoftware.com/papers/ThePharmingGuide.pdf

    ADDITIONAL INFORMATION

    The information has been provided by NGSSoftware Insight Security Research
    (nisr@nextgenss.com).
    The original article can be found at:
    http://www.ngssoftware.com/papers/ThePharmingGuide.pdf

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
