DNS cache poisoning injects false information into DNS servers, which route Internet traffic by matching domain names with IP addresses at web hosts, allowing hackers to redirect users to bogus web sites. In Saturday's attack, a known vulnerability in Symantec firewalls was exploited to change information on a small number of local DNS servers, sending requests for Google.com, eBay.com and Weather.com to a trio of hacker sites (7sir7.com, 123xxl.com and abx4.com) that attempted to install spyware on visitors' computers.
Successful DNS poisoning attacks are rare, but could allow malicious web sites to spoof trusted web brands. Pharming attacks could use DNS cache poisoning to redirect requests from legitimate financial sites to look-alike fraud sites. New strategies are of interest to phishers, whose task has been complicated by growing vigilance by banks and their customers, as well as the emergence of defensive tools, especially the Netcraft Toolbar.
The Anti-Phishing Working Group recently expanded its focus to address concerns about pharming. In recent weeks, security professionals have warned of the potential for DNS-based pharming attacks in interviews with eWeek, C/Net and The Register - while acknowledging that no such attacks have yet been seen.
That may not remain true for long. Saturday's incident has all the earmarks of a proof-of-concept, and phishers are quick to layer new techniques atop existing spoofs and social-engineering tactics.
The Netcraft Toolbar offers additional protection against DNS poisoning by displaying the true location of a web site. For example, if your local DNS cache was poisoned such that the US Bank web site (http://www.usbank.com) pointed to an IP address located in Russia, then the toolbar would report the site as being located in Russia.
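The same idea can be applied on the resolver side. The check below is an added example, not Netcraft's toolbar code: it compares the answers a local resolver returned against the address ranges each domain is expected to live in (the ranges and the sample answers are constructed, not real allocations), and additionally flags the pattern seen in Saturday's incident, several unrelated domains collapsing onto one unexpected address.

```python
import ipaddress
from collections import defaultdict

# Constructed allowlist of expected address ranges per domain (assumption for
# this example; real deployments would derive it from authoritative answers).
EXPECTED = {
    "www.google.com": ["198.51.100.0/24"],
    "www.ebay.com": ["203.0.113.0/24"],
    "www.weather.com": ["192.0.2.0/24"],
}

# Constructed sample of what a poisoned local cache might hand back:
# eBay and Weather.com both steered to the same unexpected host.
SAMPLE_ANSWERS = [
    ("www.google.com", "198.51.100.10"),
    ("www.ebay.com", "100.64.0.5"),
    ("www.weather.com", "100.64.0.5"),
]


def check_answers(answers, expected=EXPECTED):
    """Return (mismatches, shared).

    mismatches: (qname, ip) pairs whose ip is outside the domain's expected
                ranges, in the order the answers were seen.
    shared:     ip -> sorted list of domains, for every mismatched ip that two
                or more domains resolved to (mass-redirect signature).
    """
    nets = {d: [ipaddress.ip_network(n) for n in rs] for d, rs in expected.items()}
    mismatches = []
    domains_by_ip = defaultdict(set)
    for qname, ip in answers:
        addr = ipaddress.ip_address(ip)
        domains_by_ip[addr].add(qname)
        if qname in nets and not any(addr in net for net in nets[qname]):
            mismatches.append((qname, ip))
    bad_ips = {ip for _, ip in mismatches}
    shared = {
        str(addr): sorted(doms)
        for addr, doms in domains_by_ip.items()
        if str(addr) in bad_ips and len(doms) > 1
    }
    return mismatches, shared


if __name__ == "__main__":
    bad, collapsed = check_answers(SAMPLE_ANSWERS)
    for qname, ip in bad:
        print(f"unexpected answer: {qname} -> {ip}")
    for ip, doms in collapsed.items():
        print(f"{ip} is serving {len(doms)} unrelated domains: {', '.join(doms)}")
```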