[LINK] PayPal phishing scam - is this a domain hijack
Rick Welykochy
rick at praxis.com.au
Fri Jan 19 16:18:03 AEDT 2007
Rick Welykochy wrote:
> Eric Scheid wrote:
>
>> On 19/1/07 1:13 PM, "Rick Welykochy" <rick at praxis.com.au> wrote:
>>
>>
>>> For example, my own domain name is praxis.com.au. Is it easy for someone
>>> to use westpac-security.login.validation.praxis.com.au as a valid
>>> domain and get that into the DNS somehow? I would imagine that would
>>> require some (illegal) hacking of zone files.
>>
>>
>>
>> http://en.wikipedia.org/wiki/DNS_cache_poisoning
Also, related:

http://en.wikipedia.org/wiki/Pharming

If an attacker can change the hosts file on a victim's computer (!)
they can get them to use an ersatz website, e.g.

92.1.2.3 online.westpac.com.au
92.1.2.3 www.westpac.com.au

Now how hard would it be for phishers to modify the hosts file on
a Windows box? Given that there are MILLIONS of zombies already out
there, I would think it child's play. What a scary thought.

I just tried the www.westpac.com.au example above on Mac OS X
and it worked fine ... I was taken to a web server I run and control,
and I could have trivially installed a westpac-looking web page on
that server.

I do not think that the https://online.westpac.com.au would work
too well, since the digital cert. check would fail almost all tests.
But I have not tested it.

But given our earlier discussions on how Joe Sixpack ignores warnings
about certificates, I think there would be enough uninformed users
out there who could be phished using the hosts file technique even
for https: connections to an ersatz banking web site. Shudder.

cheers
rickw
--
_________________________________
Rick Welykochy || Praxis Services
The 7 R's of Windows support: retry, restart, reboot, reconfigure,
reinstall, reformat and finally, replace with Linux.