Security experts are warning financial companies of a relatively new type of computer attack in which hackers gain control of a bank's domain name.
The technique gained widespread attention last month when hackers briefly took over the domain names of Fiserv Inc.'s CheckFree bill payment unit, and observers say they have seen signs that this form of attack will be used more widely this year.
The domain name system, or DNS, attack "in late 2008 has started getting a lot of attention from attackers, as opposed to past years, when this area was pretty quiet," Amit Klein, the chief technology officer at Trusteer Ltd. of Tel Aviv, said in an interview.
"The major reason" for the trend, he said, "is that attackers found out that it's much easier to get users to browse to so-called legitimate sites rather than direct users to sites that are obviously not legitimate."
Most phishing attacks involve fake sites that replicate a bank's site but must be hosted elsewhere. In some cases, fraudsters are able to register domain names that include the brand of the site they are imitating, but people who type banks' domain names into the browser each time they visit would typically not be directed to fake sites.
Because consumers are aware of such ways to avoid false sites, "the effect of phishing, at large, is somewhat less than it used to be," which has prompted attackers to seek new methods, Mr. Klein said.
A DNS attack "does take a bit more expertise" than phishing does "but not a lot more," he said, especially since expertise can be bought. "Everything that's very sophisticated today becomes a kit within a year or two … if it's proven successful enough."
And old-fashioned phishing still plays a role, but with DNS attacks, the recipients of the phishing e-mails are not consumers but the people who work at domain name registrars, the companies that control Web site names, Mr. Klein said.
"Earlier this year, there were attempts of phishing for credentials that were used to manage domain names in a major DNS registrar," he said. "Such attempts would indicate that fraudsters are looking to hijack domains just as successfully as they did with CheckFree."
Lori Stafford-Thomas, a Fiserv spokeswoman, said in an e-mail that the cause of the Dec. 2 CheckFree incident remains under scrutiny by the Federal Bureau of Investigation and that she could not comment on how fraudsters might have succeeded in controlling its domain names.
She stressed that the takeover was brief and did not lead to a breach of any data held by Fiserv. It regained control of its domain names at 5 a.m. Eastern time and worked with an Internet service provider to block access to the fraudsters' site by 10:10 a.m. that day.
Symantec Corp.'s technical director of security technology and response, Zulfikar Ramzan, said he has also seen increased efforts to gain control of domain names by phishing for credentials that could be used to gain access to domain registries.
In the past six to nine months, "there was definitely kind of a marked increase in that area," he said.
"Traditional phishing attacks have really been" impersonating "banks and credit card companies," he said, "and here was an example of a phishing attack that" impersonates "a completely different industry that normally wasn't the subject of a phishing attack."
Indeed, the new approach has been sufficiently different to fool people who would normally be on guard against such tactics, Mr. Ramzan said.
"There's an important question of awareness among the people who maintain the relationship with the registrar to not allow their password to get phished," he said. "A lot of people don't realize that this could happen to them because they're so used to thinking of phishing attacks in the context of financial institutions and credit card companies. They're caught off guard when the context changes just a little bit."
Further complicating the matter for banks — and smoothing the way for fraudsters — is that, though banks use strong authentication methods to guard access to their Web sites, domain name registrars often do not.
"The banking industry itself has dealt with the problem," Mr. Ramzan said, but "I'm not aware of registrars using other authentication factors" than a user name and password.
Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said she, too, saw domain name hijacking attempts proliferate about six months ago.
"DNS entries can be modified in multiple places," including a user's home hardware, such as the router, she said, but "the most effective place is right in the source," at the registrar itself.
Regulators are aware of the security issues regarding passwords and have discussed the need to apply the same pressure they have to banks when they talk to other sorts of companies, Ms. Litan said. "There is awareness among the government entities that these regulations haven't extended beyond the financial institutions," she said.
And security may not improve until the government acts on its concerns, she added. "It's going to take some government mandate," she said. "A lot of companies besides banks have sensitive information."
By Daniel Wolfe