CERT-In Advisory CIAD-2008-58
Domain Name Phishing Attacks
Original issue date: November 11, 2008
Description
Domain Name Phishing, Domain Phishing or Registrar Impersonation is a form of phishing attack targeting domain name registrants. As in typical phishing, it involves impersonated fraudulent e-mails and fake web pages. The attacker assumes the identity of a domain name registrar and sends spoofed correspondence to the registrar's customer (a registrant) regarding a domain name related matter. The majority of domain name registrars use electronic mail for many types of domain name registration related communication, and attackers exploit this fact to conduct socially engineered, fraudulent correspondence with registrants. The emails sent by the phishers describe a domain name related matter that requires or encourages the customer's immediate attention, for example:
- Domain name renewal notices, transfer notices, or order confirmations
- Registration request confirmations
- Registration and DNS information change confirmations
- WHOIS data accuracy reminders
- Notices of domain name expiry or cancellation
- Notices related to some account management issue etc.
The phisher can use existing WHOIS information, e.g. domain creation, update and expiration dates, DNS information etc., to further personalize the phishing mails sent to domain name owners. In this way the phisher is able to use WHOIS information to build a list of registrants of a targeted registrar. An example of a phishing email is shown below:

As in typical phishing, these mails convince the registrant to provide their domain management credentials by visiting a web link (hyperlink) given in the fake email. The hyperlink in the email redirects the user to a spoofed web site where the customer may inadvertently disclose account credentials to the attacker. This spoofed site is also created by the attacker and is misleadingly similar to the registrar's legitimate web site.
These stolen credentials then provide the phisher with unauthorized access to a domain name management account. The attacker can use this access to conduct additional attacks, such as:
- Alter the contact information to abet domain hijacking and business disruption
- Modify the DNS records to abet malicious redirection or flux phishing attacks, i.e. by changing the A or AAAA and TTL resource record values
- Alter or add mail exchange (MX) records so that the domain name can be used to send spam mails
- Access information that is not published
- Use credit or billing information associated with the account to purchase additional domains to use in attacks
Countermeasures
Users & Registrants:
- Exercise caution while clicking on any hyperlinks included in email messages sent by the registrars
- Use an email client that reveals hyperlink targets, and verify the target before clicking
- Type the web address into the browser's address bar instead of clicking on hyperlinks given in emails
- Use anti-spam and antiphishing software
- Take special care with emails that claim an urgent response is required
- Read the email message carefully before taking any action
- Do not trust an email simply because it is personalized
- Always verify the login form’s authenticity (Certificates etc.) before submitting the account credentials
- Use a unique and strong password for the account and change it regularly
- Report suspected phishing emails to the registrar, respective CERT and antiphishing organizations
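The registrant-side checks above (verify the hyperlink target before clicking, be wary of urgency) can be automated for a received HTML mail. The following is an added example, not part of the advisory, and uses a constructed sample message and placeholder registrar and look-alike host names; it flags links whose target host is outside the registrar's domain, links whose visible URL differs from the real target, and urgency wording.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a renewal notice whose visible link shows the registrar's
# site while the real target is a look-alike host (all names are placeholders).
SAMPLE_MAIL = """<p>Your domain example.com expires in 24 hours! Renew now at
<a href="http://registrar-example.com.secure-renewal.test/login">
http://www.registrar-example.com/renew</a> to avoid cancellation.</p>"""
REGISTRAR_DOMAIN = "registrar-example.com"  # hypothetical legitimate registrar
URGENCY_WORDS = ("immediately", "24 hours", "expires", "cancellation", "suspended")

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _belongs_to(host, domain):
    # Exact match or a true subdomain; "registrar.com.evil.test" must not pass.
    return host == domain or host.endswith("." + domain)

def check_registrar_mail(html_body, registrar_domain=REGISTRAR_DOMAIN):
    """Return a list of red flags; an empty list means none of the checks fired."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = _host(href)
        if not _belongs_to(target, registrar_domain):
            findings.append(f"link target {target!r} is not under {registrar_domain}")
        shown = _host(text) if text.startswith(("http://", "https://")) else ""
        if shown and shown != target:  # displayed URL differs from actual target
            findings.append(f"link text shows {shown!r} but points to {target!r}")
    hits = [w for w in URGENCY_WORDS if w in html_body.lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings
```

Running `check_registrar_mail(SAMPLE_MAIL)` returns three findings for the constructed message, while a mail whose links stay under the registrar's own domain and carries no urgency wording returns an empty list.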
Domain Registrars:
- Digital signatures help registrars and registrants ensure the authenticity of their emails
- Include only necessary information to convey the desired message in customer correspondence
- Avoid the use of hyperlink references in the emails. Warn customers against clicking on hyperlinks included in any correspondence
- Create awareness among registrants regarding such attacks
- Multi-factor authentication and Extended Validation (EV) certificates can be used for all sensitive transactions
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003