The PhishLabs Blog

Phishing with Wildcard DNS Attacks and Pharming

Posted by Eris Maelstrom on Mar 3, '17

The relationship between threat actors and security professionals is cyclical: attackers create a new technique, the security community discovers it, and the attackers then refashion the technique or devise another novel approach.

Phishers are always seeking better ways to entice victims into providing their personal and/or sensitive information, as well as to evade detection by security companies. 

Lately, we have observed an uptick in attacks that abuse DNS records for malicious purposes. These attacks fall into two main categories: pharming and wildcard DNS attacks. This post provides examples of both methods and describes in detail how phishers use them.

Pharming, most commonly carried out through DNS poisoning, is an attack in which the record for a domain on its name server is altered (or a resolver is made to lie about it) so that any request for that domain is directed to a fraudulent IP address. The host at that address usually serves content spoofing the site that was originally requested, in order to steal the credentials or personal information used to access it.

Wildcard DNS attacks involve adding a wildcard record (an owner name of *) to the zone of a compromised or attacker-registered domain, so that any otherwise undefined hostname under it resolves to fraudulent content. Because every generated hostname is distinct, the traffic is very difficult to block.




Pharming/DNS Poisoning Attacks


In July 2016, Sucuri detailed a pharming attack in which a threat actor targeted the FreeDNS service. Recently, we investigated a separate pharming attack by the same actor that routes all requests through a malicious DNS server to spam content: any DNS query answered by that server is resolved to a randomized spam site.

What made this attack unique was that it did not appear to involve compromising an existing DNS server; instead, an intentionally malicious DNS server was answering queries from within a large DNS service.

The threat actor responsible for these attacks has registered more than 800 domains, all under the same email address and phone number, that currently redirect to spam sites when visited in a browser. Many of the domain names spoof popular hosting and DNS providers in order to lend a sense of legitimacy:

[Image: Examples of look-alike domains mimicking hosting providers and DNS services]

One of the malicious DNS servers linked to this threat actor, vsecuredns.com, is currently being used in this pharming attack, routing any request it receives to a spam site. The target can be changed or customized at will for as long as the actor controls the DNS server, which means a victim could just as easily be routed to a site spoofing their bank for credential theft, to targeted malware, or to a site hosting an exploit kit.

VsecureDNS.com also has a wildcard record in its own zone, which captures any hostname under it and routes that traffic to one of the spam target sites:

[Image: Example dig request showing the malicious domain acting as nameserver]

It appears that any end user of the DNS service could have been affected by this attack. At the time of writing, the DNS provider had been contacted for mitigation and had fixed its resolvers. However, queries sent directly to the malicious DNS server are still answered with the spam content.

Wildcard DNS Attacks


Wildcard DNS attacks benefit the threat actor in two areas: data collection and evasion. Wildcard URL parameters have long been used in phishing attacks to track campaigns, customize the victim's experience, and even exfiltrate data; wildcard DNS records extend the same idea to the hostname itself. Our continued examination of these techniques shows that they still give phishers a reliable way to deploy and conceal phishing campaigns.

A wildcard DNS record (an owner name of *, e.g. *.example.com) answers any query for a name under the zone that has no record of its own (i.e. that is not a pre-established, legitimate subdomain) and sends that traffic to whichever IP address the attacker chose. Access to a site's DNS records can be obtained in several ways.

  • Performing a little reconnaissance on the target allows the attacker to easily determine the responsible hosting and/or DNS providers for most sites on the clear web. Hosting providers typically provide instructions on their company website for accessing the administration login panel or editing DNS records for sites that they host. These instructions are meant to assist customers, but can also help an attacker get into the administration panel for a site through brute force, dictionary, password reuse, or even phishing attacks targeted against the site owner or hosting company.
  • Many site owners run cPanel on its default ports, 2082 (HTTP) and 2083 (HTTPS). Knowing these commonly used ports, an attacker can locate the interface and attempt to log in through it with a brute-force attack or default credentials.
  • More rarely, threat actors can compromise an entire DNS server. This would involve compromising the admin credentials or server of the DNS or hosting provider themselves, and accessing the records for the target site(s). Some attackers will even go so far as to maliciously register domains and set up wildcard DNS on their own domain to take advantage of the benefits of this type of attack (as was seen in the pharming example above).

Once the attacker can edit the DNS records, they add a wildcard (*) record to the zone, typically a CNAME whose owner is *.example.com and whose target is a hostname with an "A" record for the server hosting the phishing content (or a wildcard "A" record pointing directly at its IP). Any subdomain they generate then resolves to that content, whether it is on the same IP address as the target site's own content or elsewhere (typically on another compromised site's web server).

The phisher can then deploy the campaign. Using randomized subdomains, they spam out multiple versions of the same phishing site to potential victims. This is advantageous because many filters that block on hostname match the full host, including the subdomain (even if it is only "www"); each generated subdomain then appears to the filter as a separate host, so the phishing email can bypass filtering even when the root domain has already been blacklisted. Blocking every phishing URL individually is not feasible; the firewall or spam-filter signature itself has to carry a wildcard.

A further advantage of this technique is that the wildcard hostname effectively acts as a redirect. Mitigating the phishing URLs sent in the initial lures is less likely to lead to removal of the phishing content itself, because that content is hosted elsewhere. This creates a problem for the hosting provider of the attacked root domain: it may receive multiple abuse complaints yet find no malicious content on its client's server, and unless the compromised DNS is pointed out to it specifically, it may never review that part of the site's configuration.

This confusion creates persistence for the phishing campaign. The DNS wildcard, as well as the phishing content located on another server, can remain intact perpetually. If one element is corrected, the phisher can modify the attack to work with the remaining element, decreasing the amount of work required to keep the campaign running and often resulting in them not even having to change the domains in use. If the DNS record is corrected but the compromised entry point credentials are not changed, it is easy for the phisher to log back in and reset their own configuration. If the attacker maintains control of the compromised DNS record and the phishing content is removed elsewhere, they can easily modify the DNS to point to a different compromised server hosting the same phishing content. Alternatively, they can use other methods of persistence on the phishing content hosting site, such as a PHP backdoor shell, to re-upload the fraudulent content on the original server, should it be removed.

Wildcard DNS phishing campaigns can typically be identified by noting unusual strings of alphanumeric characters in the subdomain of the URL:

http://fe9ehgr90ehgru.example.com/phishingpage.html

Regardless of how the subdomain is modified by a user, the URL will continue to point to the phishing content and display it in the user's browser. For example,

http://WILDCARD.example.com/phishingpage.html

will display same content as the URL with the random alphanumeric subdomain, as will the following:

http://THISISASUBDOMAIN.example.com/phishingpage.html

When an address lookup is performed on a subdomain (e.g. WILDCARD.example.com or fe9ehgr90ehgru.example.com), you may get a different IP address than for the root domain itself (example.com). This indicates that the content the wildcard record points to is hosted on a different server from the compromised root domain, and that your filters or firewalls will need different network-based indicators for it.
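
As an added example (not code from the original post or from PhishLabs), the following Python models wildcard resolution in an in-memory zone and implements the lookups described in this section and in the pharming section above: probing random labels under a domain to see whether they resolve, comparing where they land with the root domain's own address, and comparing a suspect resolver's answers with a trusted one. The zone contents, hostnames and RFC 5737 documentation addresses are constructed for the example. In practice the `resolve` callable would wrap a real lookup, for instance dnspython's `dns.resolver.resolve(name, "A")`, or the output of dig.

```python
"""In-memory DNS zone with RFC 4592-style wildcard matching, plus the two
checks the post describes: does a zone answer arbitrary labels (a wildcard
record), and does a suspect resolver answer differently from a trusted one
(pharming). The zone data, hostnames and IP addresses below are constructed
for this example, not taken from the PhishLabs investigation."""
import secrets
import string
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to its A records; None means NXDOMAIN.
Resolver = Callable[[str], Optional[List[str]]]


def make_zone_resolver(apex: str, records: Dict[str, List[str]]) -> Resolver:
    """Build a resolver over a zone given as {owner: [A records]}.

    Owners are relative to the apex ('@' is the apex itself). An owner of
    '*' (or '*.sub') is a wildcard: it answers for names that have no record
    of their own. An explicit record always beats the wildcard, and, as in
    real DNS, the wildcard only applies below its closest existing ancestor.
    """
    apex = apex.rstrip(".").lower()

    def exists(rel: str) -> bool:
        # A name exists if it owns records or if some record lives below it
        # (an "empty non-terminal").
        return rel in records or any(o.endswith("." + rel) for o in records)

    def resolve(name: str) -> Optional[List[str]]:
        name = name.rstrip(".").lower()
        if name == apex:
            return records.get("@", [])
        if not name.endswith("." + apex):
            return None                      # outside this zone
        rel = name[: -len(apex) - 1]
        if exists(rel):
            return records.get(rel, [])      # explicit record, or NODATA
        labels = rel.split(".")
        for i in range(1, len(labels) + 1):
            parent = ".".join(labels[i:])    # '' means the apex
            if parent == "" or exists(parent):
                # Closest encloser found: only a wildcard directly under it
                # can synthesize an answer.
                wildcard = "*" if parent == "" else "*." + parent
                return records.get(wildcard)
        return None

    return resolve


def random_label(n: int = 12) -> str:
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(n))


def detect_wildcard(apex: str, resolve: Resolver, probes: int = 3) -> Optional[List[str]]:
    """Query random labels under `apex`; a consistent answer means a wildcard.

    Returns the wildcard's A records, or None when the probes return NXDOMAIN
    (or disagree, which is not the simple wildcard case the post describes).
    """
    answers = {tuple(resolve(f"{random_label()}.{apex}") or ()) for _ in range(probes)}
    if len(answers) != 1:
        return None
    answer = answers.pop()
    return list(answer) if answer else None


def wildcard_hosting(apex: str, resolve: Resolver) -> str:
    """Classify where wildcard traffic lands relative to the apex (the post's
    'different IP than the root domain' check)."""
    wildcard = detect_wildcard(apex, resolve)
    if wildcard is None:
        return "no-wildcard"
    apex_ips = set(resolve(apex) or ())
    return "wildcard-same-host" if set(wildcard) & apex_ips else "wildcard-other-host"


def resolver_divergence(name: str, trusted: Resolver, suspect: Resolver) -> bool:
    """True when `suspect` answers `name` differently from `trusted`: the
    signal for a resolver that is rewriting answers."""
    return set(trusted(name) or ()) != set(suspect(name) or ())


# Constructed zones (documentation addresses from RFC 5737).
CLEAN_ZONE = {"@": ["192.0.2.10"], "www": ["192.0.2.10"], "mail": ["192.0.2.20"]}
# The same zone after an attacker adds '*' pointing at another compromised host.
COMPROMISED_ZONE = {**CLEAN_ZONE, "*": ["198.51.100.7"]}

clean = make_zone_resolver("example.com", CLEAN_ZONE)
compromised = make_zone_resolver("example.com", COMPROMISED_ZONE)


def pharming(name: str) -> Optional[List[str]]:
    """A resolver that answers every query with one address, modelling the
    malicious server described above (constructed, not the real one)."""
    return ["203.0.113.5"]


if __name__ == "__main__":
    for host in ("www.example.com", "fe9ehgr90ehgru.example.com", "x.www.example.com"):
        print(f"{host:30} clean={clean(host)} compromised={compromised(host)}")
    print("clean zone:", wildcard_hosting("example.com", clean))
    print("compromised zone:", wildcard_hosting("example.com", compromised))
    print("pharming resolver diverges:", resolver_divergence("www.example.com", clean, pharming))
```

The zone model follows the closest-encloser rule: an apex wildcard does not answer for `x.www.example.com` once `www` exists, which is why an audit probe should use a label with no parent record, and why a single probe placed under an existing subdomain can miss an apex wildcard.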

Attackers sometimes utilize a wildcard in both the phishing redirect URLs and the phishing site URLs in the same campaigns:

http://WILDCARD.example.com/phishingredirect.php

> redirects to > 

http://WILDCARD.example.org/phishingpage.html

Sometimes, a phisher will include a parameter at the end of the phishing redirect URL that creates the subdomain on the target phishing site:

http://WILDCARD.example.com/phishingredirect.php?s=WILDCARDSUBDOMAIN

> redirects to > 

http://WILDCARDSUBDOMAIN.example.org/phishingpage.html

In some cases, these phishing redirects won't route the visitor at all if the ending query is not provided, making the URL seem benign to automated website crawlers.
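
The two URL shapes shown above can be screened lexically before any DNS lookup is made. The following Python is an added example and not PhishLabs' detection logic: it scores subdomain labels for the random-alphanumeric pattern and flags query parameters whose values are valid hostname labels, the `?s=` pattern that builds the next hop's subdomain. The sample URLs are constructed (`example.com` and `example.org` are the post's own placeholders), the thresholds are this example's choices, and the assumption that the registrable domain is the last two labels is noted in the code.

```python
"""Lexical checks for the two URL shapes discussed above: a random-looking
label in the subdomain position, and a query parameter whose value is a valid
hostname label (the redirect that builds the next hop's subdomain). The
sample URLs are constructed for this example, and the thresholds are this
example's own choices rather than any vendor's detection logic."""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# A syntactically valid DNS label (letters, digits, hyphens; 1-63 chars).
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
CONSONANT_RUN_RE = re.compile(r"[b-df-hj-np-tv-z]+")
VOWELS = set("aeiou")


def looks_random(label: str) -> bool:
    """Heuristic for machine-generated labels such as 'fe9ehgr90ehgru'.

    Flags labels of 8+ characters that mix digits into a word, have almost no
    vowels, or contain a long consonant run. Short or dictionary-like labels
    ('www', 'secure-login') pass.
    """
    label = label.lower()
    if len(label) < 8 or not LABEL_RE.match(label):
        return False
    letters = [c for c in label if c.isalpha()]
    mixed = any(c.isdigit() for c in label) and len(letters) >= 4
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    longest_run = max((len(m) for m in CONSONANT_RUN_RE.findall(label)), default=0)
    return mixed or vowel_ratio < 0.2 or longest_run >= 5


def analyze_url(url: str, registrable_labels: int = 2) -> Dict[str, object]:
    """Split the URL's host into subdomain labels and inspect its query.

    `registrable_labels` assumes the registrable domain is the last two
    labels (example.com); for suffixes such as co.uk you would consult the
    Public Suffix List instead.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    subdomain = host.split(".")[:-registrable_labels]
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {
        "host": host,
        "random_labels": [l for l in subdomain if looks_random(l)],
        # Parameter values that could be dropped straight into a hostname, as
        # in phishingredirect.php?s=<subdomain>.
        "label_params": {k: v for k, v in params.items() if LABEL_RE.match(v.lower())},
    }


def is_suspicious(url: str) -> bool:
    """Random label in the host, or a label-shaped parameter that is itself random."""
    report = analyze_url(url)
    return bool(report["random_labels"]) or any(
        looks_random(v) for v in report["label_params"].values()
    )


def flag_urls(urls: List[str]) -> List[str]:
    return [u for u in urls if is_suspicious(u)]


# Constructed sample lures, not real campaign data.
SAMPLE_URLS = [
    "http://fe9ehgr90ehgru.example.com/phishingpage.html",
    "http://WILDCARD.example.com/phishingredirect.php?s=k3j9d0sl2a8q",
    "http://www.example.com/login",
    "https://secure-login.example.com/account?next=inbox",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(is_suspicious(url), analyze_url(url))
```

The last sample shows why the parameter check alone is not a verdict: `next=inbox` is a valid label but not a random one, so the URL is only flagged when the label-shaped value also looks generated. Treat the heuristic as a triage signal to be confirmed with the DNS lookup described above.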

It can very quickly become cumbersome to manage filtering on a URL or hostname basis, as the permutations of the phishing URLs and their wildcards grow with each generation and each victim. Additionally, services like Google Safe Browsing cannot possibly block all of these URLs, as a new one is sometimes generated for each user session or cookie.

Conclusion

While it is easy to see why these tactics are lucrative for attackers, companies can take the following steps to protect their employees from these types of phishing attacks:

  • Audit your site's authoritative DNS records periodically to make sure requests are being routed as expected. Command-line tools such as nslookup, dig and host suffice; querying a random label under your domain will reveal an unexpected wildcard record.
  • Enforce policies which require that hosts on your network utilize a trusted entity for DNS service.
  • When blocking known blacklisted domains, cover all potential subdomains with a wildcard entry of your own, even if enumeration suggests that no subdomains currently exist.
  • Be wary of any URLs containing random alphanumeric characters in the subdomain space.
  • Note the IP address of the root domain (where the compromised DNS record exists) and of any phishing subdomains (where the fraudulent content is hosted) as these can be on different networks altogether, particularly if you are configuring filtering on network-based information.
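
To illustrate the third recommendation, here is an added example (not PhishLabs code) that contrasts an exact-hostname blocklist with one that covers every subdomain of a listed domain. The wildcard match is made on label boundaries so that look-alike names such as `notexample.com` are not swept in by an entry for `example.com`. The blocklist entries and hostnames are constructed.

```python
"""Exact-hostname matching versus domain-suffix ("wildcard") matching against
a blocklist, showing why a blocklist entry needs to cover every subdomain of
a compromised root domain. The entries and hostnames are constructed for this
example."""
from typing import Dict, Iterable, Tuple


def normalize(host: str) -> str:
    return host.strip().rstrip(".").lower()


def exact_blocked(host: str, blocklist: Iterable[str]) -> bool:
    """Match only the literal hostname: misses every generated subdomain."""
    return normalize(host) in {normalize(b) for b in blocklist}


def wildcard_blocked(host: str, blocklist: Iterable[str]) -> bool:
    """Block `host` if it equals a listed domain or sits anywhere beneath it.

    Entries may be written as 'example.com' or '*.example.com'. The match is
    made on label boundaries, so 'notexample.com' and 'example.com.evil.test'
    are not caught by an entry for 'example.com'.
    """
    host = normalize(host)
    for entry in blocklist:
        entry = normalize(entry)
        if entry.startswith("*."):
            entry = entry[2:]
        if host == entry or host.endswith("." + entry):
            return True
    return False


def compare(hosts: Iterable[str], blocklist: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """For each host: (blocked by exact match, blocked by wildcard match)."""
    blocklist = list(blocklist)
    return {h: (exact_blocked(h, blocklist), wildcard_blocked(h, blocklist)) for h in hosts}


BLOCKLIST = ["example.com", "*.phish.test"]  # constructed
HOSTS = [                                      # constructed
    "example.com",
    "www.example.com",
    "fe9ehgr90ehgru.example.com",
    "a.b.example.com",
    "notexample.com",
    "example.com.evil.test",
    "login.phish.test",
]

if __name__ == "__main__":
    for host, (exact, wild) in compare(HOSTS, BLOCKLIST).items():
        print(f"{host:28} exact={exact!s:5} wildcard={wild}")
```

Note the fifth bullet as well: the wildcard entry blocks the hostnames, but the IP address behind the generated subdomains may differ from the root domain's, so a network-layer filter needs both addresses.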

It is important that companies employ analysts and mitigation experts who are well versed in all forms of attack, such as wildcard DNS and pharming attacks. PhishLabs' Security Operations Center, as well as our Research, Analysis, and Intelligence Division (RAID), are masters in understanding the evasion techniques employed by modern threat actors. Reach out to us today to see how we can fit into your organization's overall security plan. 

Topics: Pharming, R.A.I.D., DNS

    
