DNS wildcards used in new phishing attacks
Julian Field
jkf at ecs.soton.ac.uk
Tue Mar 8 08:59:54 GMT 2005
As highlighted here on Slashdot:
http://slashdot.org/articles/05/03/08/0052235.shtml
which links to the full Netcraft article at
http://news.netcraft.com/archives/2005/03/07/phishers_use_wildcard_dns_to_build_convincing_bait_urls.html
I have just tested the examples given by Netcraft, and the current
phishing net already traps these phishing attacks and needs no changes
or improvements in this case.
If you are running an old version of the phishing net, I strongly advise
you to upgrade. You should at least test the 3 URLs given by Netcraft
and ensure that you can catch them. Use an HTML segment like this:
Barclays bank wildcard DNS attack here:
<a href="http://barclays.co.uk|snc9d8ynusktl2wpqxzn1anes89gi8z.dvdlinKs.at/pgcgc3p/">barclays.co.uk</a>
<a href="http://barclays.co.uk|YJ3EMOHOqljQ8J5oW2ZKyTaRMQOahSWaxTrFTEQK9l9VVQj6jDtyq10d24r2h0bijh2">barclays.co.uk</a>
<a href="http://barclays.co.uk|34fdcb4rvdnp9phxbahhvbs6l56a2uyx%2edivxmovies%2ea%74/41pvaw3/">barclays.co.uk</a>
Beware that the above paragraph should have 4 lines in it, in case my
mail client messes with it.
--
Julian Field Teaching Systems Manager
jkf at ecs.soton.ac.uk Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ
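
An added example, not part of the original message and not MailScanner's code: a minimal Python check that compares each link's displayed text with the host its href actually names, run over the test segment quoted above. The names real_host, LinkAudit and audit, and the two rules applied, are assumptions of this sketch.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Test segment quoted from the message above, one anchor per line.
SEGMENT = """Barclays bank wildcard DNS attack here:
<a href="http://barclays.co.uk|snc9d8ynusktl2wpqxzn1anes89gi8z.dvdlinKs.at/pgcgc3p/">barclays.co.uk</a>
<a href="http://barclays.co.uk|YJ3EMOHOqljQ8J5oW2ZKyTaRMQOahSWaxTrFTEQK9l9VVQj6jDtyq10d24r2h0bijh2">barclays.co.uk</a>
<a href="http://barclays.co.uk|34fdcb4rvdnp9phxbahhvbs6l56a2uyx%2edivxmovies%2ea%74/41pvaw3/">barclays.co.uk</a>
"""

# A plain DNS name: dot-separated labels of letters, digits and hyphens.
HOST_LIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")

def real_host(href):
    """Authority part of the URL, percent-decoded and lower-cased,
    with any userinfo and port removed ("" if there is no authority)."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#]*)", href.strip(), re.I)
    authority = unquote(m.group(1)).lower() if m else ""
    return re.sub(r":\d*$", "", authority.rpartition("@")[2])

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown = "".join(self.text).strip().lower()
        host = real_host(self.href)
        if not HOST_LIKE.match(host):
            # Rule 1: characters such as "|" never belong in a hostname.
            self.findings.append((shown, host, "host is not a plain DNS name"))
        elif HOST_LIKE.match(shown) and host != shown and not host.endswith("." + shown):
            # Rule 2: the text names one host, the link goes to another.
            self.findings.append((shown, host, "text names a different host"))
        self.href = None

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    return parser.findings  # list of (shown_text, real_host, reason)
```

Decoding before comparing is what exposes the third link: its host only ends in .divxmovies.at once %2e and %74 are unescaped.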