Poisoned DNS opens new line of attack for pharmers
Hackers are using a new tactic to convince people to part with personal information. Criminals are using a known vulnerability in some older Symantec corporate products to redirect legitimate URL requests to spoofed sites – a process known as ‘pharming’.
The new technique uses DNS cache poisoning to redirect the request. Incorrect information regarding a site is fed into DNS servers. These servers normally match the domain name in a URL with an IP address and direct the request to the right server. A ‘poisoned’ DNS cache will take a legitimate URL and redirect it to a false IP address serving web pages that look like the real thing, thus lulling visitors into parting with sensitive personal information.
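A defender's check for the condition described above, as an added example that is not part of the original article: it compares the A records returned by a resolver under test with those from independent reference resolvers and flags addresses that fall outside every network the references use. The domains, addresses, resolver labels and the `EXPECTED_NETWORKS` allowlist are constructed for illustration.

```python
import ipaddress

# Constructed observations (not from the article): A records per resolver, using
# reserved example domains and RFC 5737 documentation addresses. "local" is the
# resolver under test; "ref-a"/"ref-b" are independent reference resolvers.
OBSERVATIONS = {
    "shop.example": {"local": ["203.0.113.66"],
                     "ref-a": ["192.0.2.10", "192.0.2.11"], "ref-b": ["192.0.2.11"]},
    # Same /24 but a different host: ordinary load balancing, not poisoning.
    "search.example": {"local": ["198.51.100.7"],
                       "ref-a": ["198.51.100.20"], "ref-b": ["198.51.100.7"]},
    # One reference lookup failed, so agreement cannot be confirmed.
    "weather.example": {"local": ["192.0.2.200", "203.0.113.5"],
                        "ref-a": ["192.0.2.200"], "ref-b": []},
}

# Hypothetical operator-maintained list of extra networks a name may use.
EXPECTED_NETWORKS = {"weather.example": ["203.0.113.0/29"]}


def prefix(addr, bits=24):
    """Network containing addr; comparing prefixes tolerates per-host balancing."""
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)


def check_domain(name, answers, under_test="local", min_refs=2):
    """Return (status, addresses seen only by the resolver under test)."""
    refs = [ips for res, ips in answers.items() if res != under_test and ips]
    trusted = {prefix(ip) for ips in refs for ip in ips}
    trusted |= {ipaddress.ip_network(n) for n in EXPECTED_NETWORKS.get(name, [])}
    suspicious = [ip for ip in answers.get(under_test, [])
                  if not any(ipaddress.ip_address(ip) in net for net in trusted)]
    if suspicious:
        return "mismatch", suspicious      # candidate poisoned record
    if len(refs) < min_refs:
        return "inconclusive", []          # too few references answered
    return "consistent", []


def audit(observations):
    """Check every observed domain and map its name to (status, addresses)."""
    return {name: check_domain(name, ans) for name, ans in observations.items()}


if __name__ == "__main__":
    for name, (status, ips) in audit(OBSERVATIONS).items():
        print(f"{name:16} {status:12} {', '.join(ips)}")
```

A `mismatch` result is a lead to verify against the zone's authoritative servers, since geographically distributed services can legitimately return addresses the references did not see.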
It has emerged that on Saturday a number of DNS servers handling requests for eBay.com, Google.com and Weather.com were compromised via a known vulnerability in Symantec’s firewalls and began directing traffic for these sites to three fake sites that attempted to install spyware on the client PCs.
However, this vulnerability is not new. Last June Symantec issued a fix for the weakness, which, under certain conditions, allowed falsified records to be inserted into those of the company’s products that have a built-in DNS proxy known as DNSd. Among the Symantec software in danger of compromise were Symantec Gateway Security 5300 Series, v1.0 and v2.0, and Symantec Enterprise Firewall, v7.0.x and v8.0 for Windows and Solaris.
Symantec is recommending that users of the products apply a fix for the problem even if they had already applied the previous patch.