[LINK] PayPal phishing scam - is this a domain hijack

Rick Welykochy rick at praxis.com.au
Fri Jan 19 16:18:03 AEDT 2007

Rick Welykochy wrote:

> Eric Scheid wrote:
>> On 19/1/07 1:13 PM, "Rick Welykochy" <rick at praxis.com.au> wrote:
>>> For example, my own domain name is praxis.com.au. Is it easy for someone
>>> to use westpac-security.login.validation.praxis.com.au as a valid
>>> domain and get that into the DNS somehow? I would imagine that would
>>> require some (illegal) hacking of zone files.
>> http://en.wikipedia.org/wiki/DNS_cache_poisoning

Also, related:


If an attacked can change the hosts file on a victim's computer (!)
they can get them to use an ersatz website, e.g.   online.westpac.com.au   www.westpac.com.au

Now how hard would it be for phishers to modify the hosts file on
a Windows box? Given that there are MILLIONS of zombies already out
there, I would think it child's play. What a scary thought.

I just tried the www.westpac.com.au example above on Mac OS X
and it worked fine ... I was taken to a web server I run and control,
amd I could have trivially installed a westpac-looking web page on
that server.

I do not think that the https://online.westpac.com.au would work
too well, since the digital cert. check would fail almost all tests.
But I have not tested it.

But given our earlier discussions on how Joe Sixpack ignores warnings
about certificates, I think there would be enough uninformed users
out there who could be phished using the hosts file technique even
for https: connections to ersatz banking web site. Shudder.


Rick Welykochy || Praxis Services

The 7 R's of Windows support: retry, restart, reboot, reconfigure,
reinstall, reformat and finally, replace with Linux.

More information about the Link mailing list