Phishing in Fast Flux

12:43 PM -- Phishing has been around in various forms for well over a decade, but it's achieved a level of sophistication beyond the simple email scam that we've all come to know and loathe. One such innovative tactic for phishing is fast-flux DNS.

One of the big problems in the hacking industry is survivability: How do you create a virus/worm/phishing site that will last? It's hardest with phishing, because if the site goes offline, the phisher can no longer get new accounts.

Fast-flux DNS is commonly used in benign business continuity applications -- if one site goes offline, you can send your traffic elsewhere. Fast-flux DNS allows you to point your DNS to multiple sites, so that when one goes offline, the others are used.

Phishers test different techniques and scenarios to see how effective they are, and in some of these tests, phishers have begun using fast-flux DNS to preserve the survivability of their own domains. Because it's much harder to get registrars to de-commission a phishing domain than it is to tell an ISP to take a machine offline, fast-flux DNS is more effective. Suddenly, a single domain may survive weeks or months, whereas before it could have survived just a few hours or days.

That's why a multi-pronged approach is necessary to protect users from phishing exploits. The browsing community has implemented anti-phishing filters to help protect consumers from entering their information on phishing sites that do end up surviving. If a user doesn't subscribe to an anti-phishing filter, he or she is taking a risk. The use of fast-flux DNS by phishers may still be rare now, but eventually it will be a viable risk-mitigation technique for phishers looking to solve their malevolent business continuity problems.

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*the.net. Special to Dark Reading