May 28th, 2008

ICANN warning against registrar impersonation phishing attacks

Posted by Dancho Danchev @ 5:46 pm

Categories: Phishing

Tags: ICANN, Social Engineering, Domain Hijacking, Registrar Impersonation, Dancho Danchev

How realistic is an attack that hijacks a domain by social engineering the domain's registrar or its customer? Pretty realistic, according to ICANN's recently released advisory on preventing Registrar Impersonation Phishing Attacks:

In this Advisory, SSAC describes generic forms of this type of attack. We consider types and formats of information included in legitimate email messages that various registrars use when corresponding with customers. We discuss how phishers manipulate these information types and formats to create a bogus correspondence that is designed to socially engineer the registrar's customer into visiting an impersonated registrar web site. The attacker designs the impersonated web site to dupe the customer into disclosing domain management account names and credentials. We discuss some of the current recommended practices to minimize or prevent phishing attacks employed by common phishing targets such as financial institutions and large corporations. We recommend measures that registrars can take to make their correspondences with registrants less "phishable" and identify ways for registrants to detect and avoid falling victim to this form of phishing.

Some of the most notable cases of domain hijacking through impersonation of the real owner, in order to socially engineer the registrar into giving up the domain, are the Panix.com incident (2005) and the Hushmail.com incident (2005); Sex.com, Nike.com and Ebay.de have also been victims of domain hijacking, the details of which you can find in a detailed retrospective of Domain Hijacking.

The attacks rely on basic social engineering tactics: visual spoofing of the registrar's login page, and personalization of the phishing email sent to the registrant using data taken from the domain's public WHOIS record (such as the registrant's name, email address and registrar). What follows is a targeted mailing of the phishing email carrying a URL in the following format, where the registrar's brand (godaddy.com) is planted as subdomain labels and the domain that actually resolves is the rightmost part (nextid.li, filxcii.tv and so on):

myaccount.session-83040251 .godaddy.com. nextid.li/AccountConfirmation/account.aspx
myaccount.session-8787227 .godaddy.com. filxcii.tv/AccountConfirmation/account.aspx
myaccount.session-10677 .godaddy.com. userport.li/AccountConfirmation/account.aspx
myaccount.session-6104002 .godaddy.com. iriikfrt.ch/AccountConfirmation/account.aspx
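The trick in these hostnames is that a browser, and a registrant skimming an email, read left to right and stop at "godaddy.com", while DNS resolves the rightmost registrable domain (nextid.li and friends). The following is an added example, not code from the post or from ICANN, that checks a URL for exactly this pattern: it splits off the real registrable domain using a tiny constructed stub of the Public Suffix List (a real checker must load the full list, for instance via the tldextract or publicsuffix2 packages), then looks for a protected registrar brand planted in the labels to the left of it. The REGISTRAR_DOMAINS set and the control URL on godaddy.com are assumptions for illustration; the four phishing hosts are the ones quoted above, still in the post's whitespace-defanged form.

```python
"""Flag registrar-brand impersonation in phishing URLs (added example)."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed stub of the Public Suffix List, sized for this example only.
# Production code must load the full list (e.g. tldextract / publicsuffix2),
# otherwise hosts under suffixes missing here are split in the wrong place.
PUBLIC_SUFFIXES = {"com", "net", "org", "li", "tv", "ch", "co.uk"}

# Assumption: the registrar's genuine domains. Extend for other registrars.
REGISTRAR_DOMAINS = {"godaddy.com"}


def refang(url: str) -> str:
    """Undo the whitespace defanging used in the post ("godaddy.com. nextid.li")."""
    return "".join(url.split())


def registrable_domain(host: str) -> str:
    """Return the registrable domain: the public suffix plus one label to its left."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):            # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)                     # unknown suffix: fall back to the whole host


def analyse(url: str) -> Dict[str, Optional[str]]:
    """Report where a URL really points and which registrar brand, if any,
    is planted in the labels to the left of the real registrable domain."""
    clean = refang(url)
    if "://" not in clean:
        clean = "http://" + clean               # urlsplit needs a scheme to see a host
    host = (urlsplit(clean).hostname or "").lower()
    actual = registrable_domain(host)
    if actual in REGISTRAR_DOMAINS:
        return {"host": host, "actual_domain": actual, "impersonates": None}

    # Everything left of the real domain is attacker-controlled naming.
    left = host[: -len(actual)].rstrip(".") if host.endswith(actual) else host
    planted = None
    for brand in REGISTRAR_DOMAINS:
        sld = brand.split(".")[0]               # "godaddy"
        # Either the full brand domain appears as a run of labels, or the brand
        # name is embedded in a label (also catches "godaddy-login.example.net").
        if f".{brand}." in f".{host}." or any(sld in lab for lab in left.split(".")):
            planted = brand
    return {"host": host, "actual_domain": actual, "impersonates": planted}


# The four distinct hostnames quoted in the post (defanged as printed there)
# plus one constructed control URL on the registrar's real domain.
SAMPLE_URLS = [
    "myaccount.session-83040251 .godaddy.com. nextid.li/AccountConfirmation/account.aspx",
    "myaccount.session-8787227 .godaddy.com. filxcii.tv/AccountConfirmation/account.aspx",
    "myaccount.session-10677 .godaddy.com. userport.li/AccountConfirmation/account.aspx",
    "myaccount.session-6104002 .godaddy.com. iriikfrt.ch/AccountConfirmation/account.aspx",
    "https://myaccount.godaddy.com/AccountConfirmation/account.aspx",  # constructed control
]


def flagged_domains(urls: List[str] = SAMPLE_URLS) -> List[str]:
    """Registrable domains of every URL that plants a registrar brand it does not own."""
    return [r["actual_domain"] for r in map(analyse, urls) if r["impersonates"]]


if __name__ == "__main__":
    for r in map(analyse, SAMPLE_URLS):
        verdict = f"IMPERSONATES {r['impersonates']}" if r["impersonates"] else "ok"
        print(f"{r['host']:50} -> {r['actual_domain']:14} {verdict}")
```

Run as a script, the four phishing hosts resolve to nextid.li, filxcii.tv, userport.li and iriikfrt.ch and are flagged, while the control on godaddy.com passes. The same check is what a registrant should do by eye: find the rightmost registrable domain first, and only then ask whether the registrar's name belongs there.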

The advisory contains practical tips for both registrars and registrants on protecting against such social engineering attempts, so consider going through it.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
