Below is a summary of RSA’s December Online Fraud Report:
November saw DNS Poisoning, aka Pharming, making the headlines on more than one occasion: To name a few, the online threat showcased in the high-profile hijacking of several Brazilian ISPs’ DNS servers; an incident that resulted in millions of Brazilian users being infected with a banking Trojan. As well, the FBI arrested half a dozen Estonian based cybercriminals last month in connection with a fraudulent DNS-rerouting scheme that enabled the gang to rake in $14 Million in fraudulent advertising revenue. In view of November’s DNS-related incidents, this month’s highlight sheds light on the Domain Name System (“DNS”), including:
What the DNS system is
How it works
Potential threats as exemplified in recent cases
Prevention and mitigation measures
WHAT IS THE DOMAIN NAME SYSTEM?
The Domain Name System (“DNS”) is a system designed to facilitate locating an internet resource, and can be likened to a phone directory, which ‘resolves’ people’s names to their respective phone numbers. In much the same way, DNS servers resolve web domains (such as http://website.com) to their correct IP addresses (for example, 220.127.116.11).
HOW DOES IT WORK?
The Domain Name System is a distributed, hierarchical system that issues queries from a user’s computer to other domain name servers until the IP address of the requested resource is located. When an online user enters a domain name in a browser’s address bar, for example, http://website.com, the query undergoes the following flow of events:
- The OS queries a local file called Hosts, also known as the Hosts File. (In Windows systems, the file is located here: [LocalDisk]/Windows/system32/drivers/etc.) The Hosts file maps domains, aka “hosts,” to their IP address. (This is relevant to some operating systems, in which a query is first issued to the local Hosts file, before it is issued to external resources.)
- If the IP address of the host is not defined in the Hosts file, the OS queries the user’s local DNS cache. (You can view your local DNS cache by running the command ipconfig /displaydns.)
- If the appropriate IP address is not located in the user’s local DNS cache, the OS issues a query to the ISP’s DNS servers (or the user’s organization’s DNS servers).
- The ISP checks the cache of its own DNS servers, and if the resource for the host is not cached, it then issues a query to the root name servers to find the DNS server responsible for the relevant top level domain (TLD). For example, a query for the domain http://website.com would be forwarded to the .com root name server (which is the authoritative DNS server for .com domains).
- The TLD server locates the authoritative name server for http://website.com, which would normally be configured as ns1.website.com.
- The authoritative name server, ns1.website.com, locates the IP address for http://website.com, and resolves the query.
- The OS queries the IP address of http://website.com, and retrieves its content (the actual website).
POTENTIAL THREATS AS EXEMPLIFIED IN RECENT CASES
Potential threats to the integrity of the DNS query chain include classic pharming, DNS Cache Poisoning, Rogue DNS servers, and local pharming. These threats are explained below, along with relevant cases that made the headlines in November.
- Classic Pharming
- DNS Cache Poisoning
- Rogue DNS Servers
- Local Pharming
PREVENTION AND MITIGATION MEASURES
How can pharming be prevented? A set of specifications, issued as part of a larger industry-wide effort, called the Domain Name System Security Extensions (DNSSEC), consists of specifications that enable authentication of DNS responses, in an effort to improve the reliability of DNS responses and thwart DNS-poisoning efforts. The central idea behind DNSSEC is to enable DNS query responses to be authenticated using a digital signature. A digitally signed DNS query enables a user to verify whether the information received in response to a DNS query matches the information served by the authoritative DNS server for that domain, ensuring that the DNS response is correct and complete.
How can a pharming attack be mitigated once launched? An outsourced solution, such as the RSA Fraud Action Anti-Pharming Service, is designed to handle DNS poisoning attacks from the detection phase to the threat’s complete shutdown. To detect pharming on a particular entity’s website, RSA deploys dedicated servers that actively monitor the Internet in search for poisoned DNS servers.
Phishing Attacks per Month
In November, phishing volume increased 18 percent – with 28,365 unique attacks detected by RSA. Compared to the same time last year (November 2010 vs. November 2011), phishing volume has increased 69%.
Number of Brands Attacked
Last month, 313 brands were targeted within phishing attacks, marking a five percent increase. F55% of the brands targeted last month endured less than five attacks each. This figure is slightly higher than the 51% recorded in October. It appears that an increasing number of brands are enduring less than five attacks per month as phishers look to expand the list of brands added to their target list.
US Bank Types Attacked
The portion of brands targeted in the U.S. credit union sector decreased five percent, while brands targeted with phishing in the regional US banking sector saw a four percent increase. In addition, the portion of phishing attacks against nationwide U.S. banks increased two percent.
Top Countries by Attack Volume
In September 2011, the UK overtook the U.S.’s ostensibly perpetual position as the country that endured the highest volumes of phishing attacks each month. In November, the UK remains the country that has suffered the highest volume of phishing attacks with 51% of attacks launched against entities in the UK.
The U.S. endured the second highest volume, 23%, less than half of the attacks experienced by the UK, followed by South Africa (8%) and Canada (6%).
Top Countries by Attacked Brands
Through November, a total of 20 countries endured one percent or more of the world’s phishing attacks. Together, the U.S. and UK accounted for 43% of the world’s targeted brands, while the brands of eleven additional countries accounted for a total of 35% of phishing attacks in November.
Top Hosting Countries
In November, the US hosted 61% of the world’s phishing attacks, a seven percent increase from October. Nine of the top ten hosting countries in November retained their status from October with Poland replacing the Ukraine on that chart.
The RSA November Online Fraud Report Summary is here.
The RSA October Online Fraud Report Summary is here.
The RSA September Online Fraud Report Summary is here.