Fraudsters Deploy Botnets as DNS Servers to Sustain Phishing Attacks

Botnets controlled by fraudsters are running their own DNS nameservers on compromised computers, complicating the task of shutting down malicious sites. The technique can keep phishing sites accessible longer by making the nameservers a widely distributed moving target amongst thousands of compromised machines within a bot network.

In recent days both the Internet Storm Center and the DailyDave mailing list have received reports of botnets using rapidly shifting DNS servers. The sophisticated new strategy makes it harder to target phishing sites at the nameserver level, which can be the most effective route to taking a malicious site offline. If fraudsters are able to compete effectively by deploying botnets as nameservers, additional emphasis will be placed upon the responsiveness of domain registrars.
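A defender-side sketch of how the rapidly shifting nameservers described above can be surfaced from passive-DNS data. It is an added example, not code from Netcraft or from the reports mentioned; the record layout, the thresholds, the /16 grouping and the function name are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed passive-DNS observations: (time seen, domain, nameserver IPv4).
# All names and addresses are made up for this example.
OBSERVATIONS = [
    ("2000-01-01T00:00", "stable.example", "10.9.0.10"),
    ("2000-01-01T12:00", "stable.example", "10.9.0.11"),
    ("2000-01-03T00:00", "stable.example", "10.9.0.10"),
    # One new nameserver every two days: a migration, not rapid shifting.
    *[(f"2000-01-0{d}T00:00", "slow.example", f"10.{20 + d}.0.5") for d in (1, 3, 5, 7, 9)],
    # Six nameservers in six networks within ten hours.
    *[(f"2000-01-01T{h:02d}:00", "shifty.example", f"10.{h + 1}.0.5") for h in (0, 2, 4, 6, 8, 10)],
]

def flag_shifting_nameservers(observations, window=timedelta(hours=24),
                              min_ips=5, min_networks=4):
    """Return {domain: (distinct NS IPs, distinct /16 networks)} for domains
    whose nameserver set meets both thresholds inside one sliding window."""
    by_domain = defaultdict(list)
    for ts, domain, ip in observations:
        key = domain.lower().rstrip(".")          # normalise the owner name
        by_domain[key].append((datetime.fromisoformat(ts), ip))
    flagged = {}
    for domain, seen in by_domain.items():
        seen.sort()                               # oldest observation first
        start = 0
        for end in range(len(seen)):
            # Shrink the window until it spans at most `window` of time.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            ips = {ip for _, ip in seen[start:end + 1]}
            # Many unrelated networks suggests compromised hosts rather
            # than one provider's nameserver pool (IPv4 only, /16 assumed).
            nets = {ip_network(f"{ip}/16", strict=False) for ip in ips}
            if len(ips) >= min_ips and len(nets) >= min_networks:
                score = (len(ips), len(nets))
                flagged[domain] = max(flagged.get(domain, (0, 0)), score)
    return flagged

if __name__ == "__main__":
    for name, (ips, nets) in flag_shifting_nameservers(OBSERVATIONS).items():
        print(f"{name}: {ips} nameserver IPs in {nets} networks within 24h")
```

A domain flagged this way is a candidate for escalation to its registrar, since the nameservers themselves are the moving target.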

To combat phishing, Netcraft provides a Toolbar, which operates as a neighbourhood watch system whereby the most experienced members of the community can report and block phishing sites, thereby protecting less experienced users of the Toolbar. ISPs and organizations can block phishing sites at the mail server or proxy server with the Netcraft Phishing Site Feed. The Toolbar is available as a free download for users of Internet Explorer, while the Phishing Site Feed is available as a paid-for service (contact us for details).

Bot networks aggregate computers that have been compromised, allowing them to be remotely directed by the attackers. Botnets are being used for a variety of scams, including spamming, phishing, sniffing network traffic for unencrypted passwords, and click fraud targeting Google's AdSense program. A March report found that at least 1 million compromised machines are being used in botnets.