Tuesday, September 26, 2006

Taking page-jacking to the next level....

Assignment 5 Option 2
This may well be the first time I’ve ever gone online to purposely find fraud. Usually it finds me, whether in the form of a “double play” e-mail from some firm I’ve never heard of, a “mimicking” message from a bank I don’t belong to, or a “dazzling” pop-up advertisement for some product I most certainly don’t want. However, I went online searching for a specific type of fraud which was not mentioned in any of our literature but which I believe is more dangerous (if more difficult) than anything mentioned in Grazioli & Jarvenpaa or Dhamija et al. Instead of simple page-jacking, hackers were going to the next level and doing DNS hijacking. For those of you who don’t know, DNS stands for the Domain Name System – the series of backend Internet servers which resolve human-readable domain names (such as cornell.edu or google.com) into machine-readable IP addresses (such as 192.168.1.1). In a DNS hijack (alternatively called DNS cache poisoning or DNS pharming), the hacker breaks into a DNS server and changes the records for a domain name so that they point away from the legitimate server and to his own malicious server. The hacker will typically have his own server set up with pages that perfectly mimic the site he is trying to phish/pharm information from. The unsuspecting user then types in the address of the website correctly, or clicks on the correct link from a search engine, and is brought to the fake site, where he or she is prompted to enter personal information. The scary part is that this type of pharming is almost undetectable to users. Almost all of the methods Dhamija et al. explain and suggest won’t work – the fake server could have its own SSL certificate, could link to real authorities who will verify that the domain name is correct, etc. The only real way of detecting such an attack would be to manually look up the IP address of the target domain via an Internet DNS lookup and compare it with the IP address provided by a local DNS lookup. This is a lot of work, and something that users who can be tricked into thinking a “vv” is a “w” probably won’t go through the effort to do.
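The comparison described above, as an added example that is not part of the original post: it sends a raw DNS A query to a reference name server of your choosing (bypassing the local resolver), parses the reply, and flags any address the local resolver returned that the reference server did not. The reference server address is your choice, and `SAMPLE_RESPONSE` is a constructed reply for example.com, not a capture from a real server.

```python
import random
import socket
import struct

# Constructed reply (not captured from a real server): example.com -> 192.0.2.10, 192.0.2.11
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"  # id, flags, 1 Q, 2 A
                   b"\x07example\x03com\x00\x00\x01\x00\x01"             # question: example.com A IN
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x0a"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x0b")

def build_query(name, txid):  # minimal query: header with RD=1, one question <name> A IN
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")]
    return header + b"".join(labels) + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(data, off):  # offset just past a (possibly compressed) domain name
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:  # compression pointer: two bytes end the name
            return off + 2
        off += 1 + data[off]
    return off + 1

def parse_a_records(data):  # IPv4 addresses in the answer section of a DNS response
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(data[off + 10:off + 14]))
        off += 10 + rdlen
    return addrs

def resolve_via(name, server, timeout=3.0):
    """Ask one specific DNS server for A records, bypassing the local resolver."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack(">H", data[:2])[0] != txid:  # not the reply to our query
        raise ValueError("transaction id mismatch")
    return parse_a_records(data)

def compare_answers(local_addrs, reference_addrs):  # addresses only the local resolver gave
    unexpected = sorted(set(local_addrs) - set(reference_addrs))
    return {"suspect": bool(unexpected), "unexpected": unexpected}
```

For a live check, call `compare_answers(socket.gethostbyname_ex(name)[2], resolve_via(name, reference_server))`; a "suspect" result means the two paths disagree and is a prompt to investigate rather than proof of tampering, since round-robin and CDN answers can legitimately differ between resolvers.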

Thankfully, this kind of attack hasn’t happened much. Perhaps this is because DNS is such a redundant system, with some security measures in place, and because hacking one server would only affect a limited number of users at a time (depending on the server and which end of the system the hacker went after), so it is a fairly time-consuming act. However, there is one notable exception to this. In 2000 a 17-year-old hacker going by the name of “Coolio” changed the DNS records of RSA Security Inc. Although he simply defaced the RSA site, this act was especially embarrassing for RSA, which is a company specializing in Internet security (for more information on the attack, go here). This type of attack could become more prevalent as potential victims become more aware and simpler methods prove to be less effective, as Grazioli & Jarvenpaa predict.

Setting up a false website via DNS hijacking with the malicious intent to collect personal data is unquestionably a deceptive act. It fits in nicely with the Theory of Deception presented in Grazioli & Jarvenpaa as well as with both Vrij’s and Nyberg’s definitions. The pharming website is certainly a deliberate attempt to create a false belief in the viewer about the veracity of the page without any forewarning (unless for whatever reason the end user does DNS lookups for every website he/she visits, but that would be very time consuming and a little extreme). It also fits nicely into Nyberg’s showing/hiding model of deception – especially the mimicking subcomponent. In conclusion, online fraud is a major form of deception.

So how can one watch out for and identify a DNS hijacking attack? The reality is that a user really can’t unless the deceiver doesn’t put much effort into the “fake” website. Would I recommend that you watch out for it? Yes, certainly. Can I say that I wouldn’t fall victim to such an attack? Not at all. Even being aware of it doesn’t make the detection any easier. I can only hope that the DNS systems are continuously upgraded to prevent such malicious online fraud and deception.
