Navtej Kohli’s Review on Phishing
Very recently our Senior Editor Navtej Kohli came across a “phishing” mail that relied on “IP spoofing”. Navtej Kohli then directed us to research such websites and resources and write a post on Navtej Kohli Blog IT dot com.
“Phishing” is the act of sending an e-mail to a user falsely claiming
to be an established legitimate enterprise in an attempt to scam the
user into surrendering private information that will be used for
identity theft. The e-mail directs the user to visit a “Spoof” website
where they are asked to update personal information, such as passwords
and credit card, social security, and bank account numbers that the
legitimate organization already has. The Web site, however, is bogus
and set up only to steal the user’s information.
The term “spoof” (verb) means “to fool”. In networking, the term is used to
describe a variety of ways in which hardware and software can be
fooled. IP spoofing, for example, involves trickery that makes a
message appear as if it came from an authorized IP address.
“Email Spoofing” refers to forging an e-mail header to make it appear
as if it came from somewhere or someone other than the actual source.
The main protocol that is used when sending e-mail -- SMTP -- does not
include a way to authenticate. There is an SMTP service extension (RFC
2554) that allows an SMTP client to negotiate a security level with a
mail server. But if this precaution is not taken, anyone with the
know-how can connect to the server and use it to send spoofed messages
by altering the header information.
Now Phishing fraudsters are using a pair of DNS exploits to help give
them the illusion of credible domains, the latest ploy to dupe people
into handing over their sensitive information.
Phishers have begun to use wildcard DNS records to help trick
unsuspecting users into giving up information about their identity.
Wildcard DNS helps users arrive at their intended Web destination by
redirecting mistyped and/or errant addresses. But wildcard DNS has been
used against Barclays Bank in the U.K., with e-mail using an additional
sequence of characters that ultimately leads the user to a phisher's
site.
A similar type of attack vector specific to Microsoft Internet Explorer
was reported by security researcher Bitlance Winter. In that attack, an
identifiable URL also has a string of characters or additional domain
information added that directs a user to a different address than the
one they see in the visible toolbar.
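As an added example (not code from the original post), the check below flags links whose registrable domain is not the bank's own even though the bank's name appears earlier in the hostname, the pattern the wildcard-DNS lure above and the padded-URL variant rely on. The public-suffix table, the trusted domain example-bank.co.uk and the sample message body are constructed for the demo.

```python
import re
import urllib.parse

# Constructed for this example: a tiny stand-in for the Public Suffix List and
# the domain the organisation treats as its own (both are assumptions).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk"}
TRUSTED_DOMAINS = {"example-bank.co.uk"}

# Constructed sample lure body; the second and third links are the bad ones.
SAMPLE_BODY = """Dear customer, please confirm your details at
https://www.example-bank.co.uk/account or, as the phisher would write it,
http://www.example-bank.co.uk.verify-login.net/update and
http://example-bank-secure.org/policy."""
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def registered_domain(host: str) -> str:
    """Registrable domain (eTLD+1): 'www.x.co.uk.evil.net' -> 'evil.net'."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest public suffix first, so 'co.uk' beats 'uk'
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def classify_url(url: str) -> tuple[str, str]:
    """Return (verdict, registrable_domain) for one link. 'lookalike' means
    the name DNS actually resolves is not trusted, yet the trusted domain or
    brand shows up in the labels before it, which is what a wildcard record
    under the attacker's domain lets a phisher serve for any prefix."""
    # .hostname drops scheme, port and anything before '@', leaving only the
    # name that will be looked up.
    host = (urllib.parse.urlsplit(url).hostname or "").lower()
    if not host:
        return ("unknown", "")
    domain = registered_domain(host)
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    labels = host.split(".")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if trusted in host or any(brand in lab for lab in labels):
            return ("lookalike", domain)
    return ("unknown", domain)


def scan_body(body: str) -> list[tuple[str, str, str]]:
    """Extract every link in a message body and classify it."""
    urls = (m.rstrip(".,;") for m in URL_RE.findall(body))
    return [(u, *classify_url(u)) for u in urls]
```

A link that merely puts the bank's name in the path (https://example.org/example-bank.co.uk/login) is reported as "unknown", since the resolved host carries no brand label at all.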
The technique known as "DNS cache poisoning" is also being utilized
by phishers in an attack now known as "pharming", where a poisoned DNS
server redirects users to the phisher's Web site. The "poison" is
essentially false DNS information that is injected into a vulnerable
DNS server.
