Phishers Use Wildcard DNS to Build Convincing Bait URLs

Phishing operations have begun using DNS wildcards and URL encoding to create email links that appear to point at legitimate banking sites but send victims to spoof sites designed to steal their login details. A wildcard DNS record (*.example.com) answers queries for any name under the domain that is not matched by a more specific record, so any label an attacker chooses, however long or odd-looking, will resolve. Wildcards are typically used to catch errant or mistyped e-mail addresses, but have been routinely abused by spammers.

In recent weeks wildcard DNS settings have been used in a wave of phishing attacks on Barclays Bank, in which the "bait" email included URLs starting with barclays.co.uk, followed by a lengthy sequence of letters and symbols. Several examples:

http://barclays.co.uk|snc9d8ynusktl2wpqxzn1anes89gi8z.dvdlinKs.at/pgcgc3p/

http://barclays.co.uk|YJ3EMOHOqljQ8J5oW2ZKyTaRMQOahSWaxTrFTEQK9l9VVQj6jDtyq10d24r2h0bijh2

http://barclays.co.uk|34fdcb4rvdnp9phxbahhvbs6l56a2uyx%2edivxmovies%2ea%74/41pvaw3/

The phishers use a wildcard DNS setting at a third-party redirection service (kickme.to) to construct the URLs. Because the wildcard matches any name under the redirector's domain, a hostname whose first labels read "barclays.co.uk|..." resolves just as well as any other; the real destination domain is the last part of the host, and in the third example it is percent-encoded (%2e for "." and %74 for "t", so "%2edivxmovies%2ea%74" decodes to ".divxmovies.at") to hide it from a casual reader. The bank's name is only the visible prefix of a label controlled by the attacker.

The redirector at kickme.to/has.it forwards to a Barclays spoof site hosted at Pochta.ru in Moscow. The spoof loads a page from the actual Barclays site, and then launches a data collection form in a pop-up window from the Russian server:

[Screenshot: the Barclays spoof site, with the data collection pop-up served from the Russian host]

Barclays is aware of the fraud and has posted a warning to customers on its web home page. Some of the URLs function only in selected browsers. For example, the URLs containing the pipe character resolve on Windows XP but not on Linux: the Windows resolver accepts characters outside standard hostname syntax, a permissiveness that dates from accommodating NT4-era network names, and so passes the pipe through in a DNS query, whereas the Linux resolver rejects the hostname outright.
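The following Python script is an added example, not part of the Netcraft article, that dissects the three bait URLs quoted above to show both points the article makes: how the "barclays.co.uk" prefix is merely the start of an attacker-controlled label under a wildcard domain (with percent-encoding hiding the true parent), and how a permissive client that accepts "|" in a hostname resolves the name while a resolver that enforces RFC 1123 label syntax rejects it. The wildcard zone and the 192.0.2.x addresses are constructed for the demonstration; the second URL as printed carries no destination domain, so it gets no wildcard answer.

```python
"""Dissect wildcard-DNS bait URLs (added example, not the article's code).

Models two behaviours the article describes:
  * a permissive client (Windows XP era) that keeps '|' in the hostname and
    percent-decodes the host before resolving it;
  * a strict resolver that rejects any label outside RFC 1123 hostname syntax.
The zone data below is constructed; the addresses are documentation-range placeholders.
"""
import re
from urllib.parse import unquote

# Bait URLs quoted in the article.
BAIT_URLS = [
    "http://barclays.co.uk|snc9d8ynusktl2wpqxzn1anes89gi8z.dvdlinKs.at/pgcgc3p/",
    "http://barclays.co.uk|YJ3EMOHOqljQ8J5oW2ZKyTaRMQOahSWaxTrFTEQK9l9VVQj6jDtyq10d24r2h0bijh2",
    "http://barclays.co.uk|34fdcb4rvdnp9phxbahhvbs6l56a2uyx%2edivxmovies%2ea%74/41pvaw3/",
]

# Constructed zone: one wildcard record under each redirector domain (assumed data).
WILDCARD_ZONE = {
    "*.dvdlinks.at": "192.0.2.10",
    "*.divxmovies.at": "192.0.2.11",
}

# RFC 1123 hostname label: letters, digits, hyphen; 1-63 chars; no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def permissive_host(url):
    """Host as a permissive client sees it: everything between the scheme and the
    first '/', percent-decoded *before* resolution (so %2e becomes '.') and
    lower-cased, since DNS names are case-insensitive."""
    rest = url.split("://", 1)[1]
    authority = rest.split("/", 1)[0]
    return unquote(authority).lower()


def labels(host):
    return host.split(".")


def is_strict_hostname(host):
    """True only if every label satisfies RFC 1123 hostname syntax; a '|' anywhere fails."""
    return all(_LABEL_RE.match(lbl) for lbl in labels(host))


def resolve_with_wildcard(host, zone):
    """Simplified wildcard matching: exact owner name first, then the nearest
    ancestor that has a '*.' record. (Real servers also stop at an existing
    intermediate name; the constructed zone has none, so that case is omitted.)"""
    if host in zone:
        return zone[host]
    parts = labels(host)
    for i in range(1, len(parts)):
        answer = zone.get("*." + ".".join(parts[i:]))
        if answer is not None:
            return answer
    return None


def dissect(url, zone=WILDCARD_ZONE):
    """Break a bait URL into what the eye sees and what the resolver actually looks up."""
    host = permissive_host(url)
    parts = labels(host)
    return {
        "host": host,
        "lookalike_prefix": host.split("|", 1)[0],          # what the victim reads
        "registrable_parent": ".".join(parts[-2:]) if len(parts) >= 2 else host,
        "strict_ok": is_strict_hostname(host),               # would glibc-style checks accept it?
        "wildcard_answer": resolve_with_wildcard(host, zone),
    }


if __name__ == "__main__":
    for u in BAIT_URLS:
        for k, v in dissect(u).items():
            print(f"{k:>18}: {v}")
        print()
```

Run stand-alone, the script prints one block per URL; the first and third resolve to the wildcard record of dvdlinks.at and divxmovies.at respectively while failing the strict hostname check, which is exactly the Windows-works, Linux-fails split the article reports.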

Some of the URLs have stopped working as the redirections at kickme.to are taken offline. But the spoofed pages remain online at Pochta's Moscow server, which houses four of the domains hosting scam pages (pisem.net, mail333.ru, mail15.com and from.ru); these brazenly use the hyphenated "barclays-co-uk" in their subdomains:

[Screenshot: scam subdomains using "barclays-co-uk" hosted at Pochta's Moscow server]

The Netcraft Toolbar offers protection against such phishing scams and will prevent access to these phishing URLs. Netcraft also provides a range of other anti-phishing services to banks and financial institutions and a phishing countermeasures service that can offer to close down phishing sites quickly and effectively.