Phishers Turn To DNS Wildcards, Cache Poisoning - InformationWeek



Phishers are using ever-more-sophisticated tactics, including DNS wildcards and DNS cache poisoning--the latter dubbed "pharming"--to separate consumers from their money, a British security firm said Tuesday.

According to Netcraft, criminals are now using DNS wildcards and URL encoding to create e-mail links that appear to be for legitimate sites, but actually send unwary consumers to fake Web sites, where phishers try to steal confidential information, such as bank or credit account numbers.

DNS wildcards--as in "*"--are typically used to guide mistyped or otherwise errant e-mails to their intended destination. In the past, DNS wildcards have been used by spammers, said Netcraft, but now they're showing up in phishers' toolkits.

Barclays Bank, for instance, has been hit by several phishing attacks that use the wildcards. The spammed messages include a link that begins with the legit "" but is then followed by a long list of letters and symbols that encodes the bogus site's URL.

These wildcard links have been created at a third-party redirection service that then sends the user to the phisher's spoofed site, not the real Barclays URL, as the consumer expects. Once at the spoofed site--which looks like the real deal--the user can be tricked into entering account log-in info, which is then stolen by the hacker.

Not surprisingly, the fake site is hosted in Russia, a hotbed of phishing criminals.

Barclays knows of the trick, and has posted a warning on the front page of its banking site.

"Some customers have been receiving an e-mail claiming to be from Barclays advising them to follow a link to what appears to be a Barclays Web site, where they are prompted to enter their personal Online Banking details. Barclays is in no way involved with this e-mail and the Web site does not belong to us," the warning reads. "Barclays does not send e-mails to customers requesting security or any other confidential information."

Another advanced technique that has seen some use by phishers is DNS cache poisoning, a way to silently redirect users from real sites to spoofed copies, where dangerous spyware is loaded onto their systems. The tactic is sometimes called "pharming."

Last week's DNS poisoning attack has been traced to a known vulnerability in Symantec's gateway-based security appliances, and allowed hackers to change information on a small number of local DNS servers, said Netcraft, to funnel real requests for major sites like and to three hacker sites.

Symantec's bug was disclosed last June, and patches were issued then. While DNS-related redirects are rare--they're difficult to pull off, said Dan Hubbard, the senior director of security at San Diego-based Websense last week--Netcraft thinks the technique will soon be used by more phishers.

"[Last week's] incident has all the earmarks of a proof-of-concept," said Netcraft in its online alert. "New strategies are of interest to phishers, whose task has been complicated by growing vigilance by banks and their customers, as well as the emergence of defensive tools. Scammers are quick at layering new techniques atop existing spoofs and social-engineering tactics."

Netcraft offers a free toolbar that installs in Microsoft's Internet Explorer browser. It traps suspicious URLs using encoded characters, displaying the hosting location so that users can, for instance, easily see that what they thought was their U.S.-based bank is somehow being hosted out of China.
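An added example, not from the article or from Netcraft: a Python check of the kind a mail filter could run over the links described above, where a trusted name is followed by encoded characters that carry the real destination. The domains, the `TRUSTED` list, the threshold of four escapes and the `inspect_link` helper are assumptions made for illustration; this is not how Netcraft's toolbar works.

```python
import re
from urllib.parse import urlsplit, parse_qsl

TRUSTED = {"bank.example"}          # constructed: domains the bank really uses
UNRESERVED = re.compile(r"[A-Za-z0-9._~-]")

def registrable(host):
    # Assumption: last two labels; production code should use the Public Suffix List.
    return ".".join(host.rstrip(".").split(".")[-2:])

def inspect_link(url):
    """Return {finding_code: detail} for one link taken from an e-mail body."""
    findings = {}
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable(host)

    # 1. Trusted name used only as leading labels of someone else's domain.
    #    With a wildcard record on that domain, any such prefix resolves.
    for name in TRUSTED:
        if reg != name and f".{name}." in f".{host}":
            findings["trusted-name-as-subdomain"] = f"{name} under {reg}"

    # 2. Escapes for characters that never need escaping (letters, digits, dots).
    raw = parts.path + "?" + parts.query
    needless = [h for h in re.findall(r"%([0-9A-Fa-f]{2})", raw)
                if UNRESERVED.match(chr(int(h, 16)))]
    if len(needless) >= 4:
        findings["encoded-plain-chars"] = f"{len(needless)} needless escapes"

    # 3. A decoded query value that is itself a URL on an untrusted domain.
    for key, value in parse_qsl(parts.query):
        target = urlsplit(value)
        if target.scheme in ("http", "https") and target.hostname:
            if registrable(target.hostname.lower()) not in TRUSTED:
                findings["embedded-offsite-url"] = f"{key} -> {target.hostname}"
    return findings

# Constructed samples; all names are reserved example domains.
SUSPECT = ("http://www.bank.example.redirector.example/r?u="
           "%68%74%74%70%3A%2F%2F%6C%6F%67%69%6E%2E%70%68%69%73%68"
           "%2E%65%78%61%6D%70%6C%65%2F")
GENUINE = "https://www.bank.example/login?lang=en"

if __name__ == "__main__":
    for link in (SUSPECT, GENUINE):
        print(link[:40], inspect_link(link))
```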
