Phishers Using Wildcard DNS

Wildcard DNS is a handy feature, and phishers are apparently using it to bypass filtering.

The technique of establishing a wildcard DNS entry involves creating a DNS record that acts as a catch-all. Wildcard DNS works so that regardless of which host is used the name will resolve. So for example, someone might try to visit thishost.domain.nul or thathost.domain.nul and both resolve even though there aren't any specific DNS 'A' records for those hosts.

Phishers use wildcard DNS to get around filtering since filtering, in many cases, is based on exact host name and domain name combinations. With wildcard DNS Phishers can generate any number of differing URLs on the fly and often evade filtering technology.

On the Web server side, a simple bit of code can parse the URL to find which hostname was used to land on a site, and then redirect the visitors as necessary.

The Anti-Phishing Working Group recently released a new report that shows that "URL multiplying," as they term it, is on the rise. URL multiplying is basically what I described above - e.g. using DNS wildcards to allow the generation of countless unique URLs. In April use of the technique more than doubled as compared to the months since December 2006!

You can get a copy of "APWG Phishing Trends Activity Report for April 2007" in PDF format at the group's Web site.