DNS, Networking, and Phishing
So, as a follow-up to my other post on the Chase phishing scam, I am writing this post to serve two purposes: 1) it introduces some networking internals that are great for troubleshooting, and 2) it gives you more detail about how phishing works.
I mentioned in my last post that one of my clues that I was looking at a scam was the network address homeftp.net. But the question is: would it be possible for the phishers to use chase.com? To explain that we need to back up and ask what chase.com actually is. Is chase.com the real address? In short, no. Computers talk to each other through an IP (Internet Protocol) address. An IP address isn't a name like Mark Rosedale but a number (like your Social Security number). Each machine on a network has an IP address that lets other machines know where to find it and how to communicate with it. If you open the Terminal (Mac: Applications > Utilities > Terminal.app; Linux: Applications > Terminal) and type ifconfig, you will see something like:
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::217:f2ff:fed2:6e89%en0 prefixlen 64 scopeid 0x4
inet 172.30.254.193 netmask 0xffff0000 broadcast 172.30.255.255
Here for en0 (my first ethernet device; numbering starts at 0) my inet is 172.30.254.193. That is my IP address. Any machine that wants to reach mine can do so through this address. Now take Chase.com's address. To find it, type nslookup chase.com in the terminal:
mrosedale$ nslookup chase.com
That is Chase's IP address according to my DNS servers (notice the "Non-authoritative answer"). Note that you can also use nslookup with an IP address to find the domain name for that IP (nslookup 18.104.22.168). So what is DNS? In its simplest form it associates chase.com with the actual IP address. Chase's address is really that string of numbers, but through a complex network of DNS (name) servers that your computer can query, you are taken to the correct place. You can bypass the DNS servers if you already know the IP. Try typing that IP address into your browser and you will see that it takes you directly to Chase's website.
To see the chain in action we can use another command called traceroute. Traceroute lists every machine that your request passes through on the way to its destination. See for yourself:
mrosedale$ traceroute google.com
traceroute: Warning: google.com has multiple addresses; using 22.214.171.124
traceroute to google.com (126.96.36.199), 64 hops max, 40 byte packets
1 cam-mpls (172.30.0.2) 1.464 ms 1.342 ms 0.663 ms
2 east-gw.oreilly.com (188.8.131.52) 6.208 ms 6.812 ms 2.739 ms
3 cmbr1-br1-s1-1-1-11.wharf.shore.net (184.108.40.206) 219.762 ms 178.438 ms 163.300 ms
4 220.127.116.11 (18.104.22.168) 268.381 ms 306.392 ms 300.790 ms
5 p3-2.pr1-jfk.primustel.com (22.214.171.124) 275.102 ms 219.420 ms 233.960 ms
6 p6-1.pr1-dca.primustel.com (126.96.36.199) 213.833 ms 339.987 ms 333.944 ms
7 188.8.131.52 (184.108.40.206) 275.529 ms 170.010 ms 167.073 ms
8 eqixva-google-gige.google.com (220.127.116.11) 216.749 ms 277.703 ms 291.127 ms
9 18.104.22.168 (22.214.171.124) 256.757 ms 126.96.36.199 (188.8.131.52) 271.546 ms 381.697 ms
10 184.108.40.206 (220.127.116.11) 412.589 ms 344.461 ms 18.104.22.168 (22.214.171.124) 375.775 ms
11 126.96.36.199 (188.8.131.52) 336.960 ms 184.108.40.206 (220.127.116.11) 287.569 ms 309.612 ms
12 18.104.22.168 (22.214.171.124) 335.965 ms 359.242 ms 328.390 ms
13 * 126.96.36.199 (188.8.131.52) 384.661 ms 184.108.40.206 (220.127.116.11) 404.180 ms
14 eh-in-f99.google.com (18.104.22.168) 353.024 ms 327.035 ms 253.070 ms
You can see from here that your request goes through an awful lot of machines to finally reach the destination of google.com (which, as you can see from the warning above, uses multiple addresses for load-balancing purposes). This is kind of a fun tool, as you can see where the majority of your traffic gets routed, but it also shows the many DNS servers that process your request so that you get to the right destination (the hostnames printed beside each hop are themselves obtained by looking the hop's IP address up in DNS). Who runs these DNS servers? Every domain does. That is how this relates to the phishing scam. You rely on your own DNS and other people's DNS to get you to the proper IP address when you type in chase.com. It is feasible that if one of those machines in the chain had been hacked or circumvented, then when you type chase.com you are actually taken to a different location. It is an inherent weakness in our internet structure.
One more tool helps you find information about domain names. Whois is a wonderful tool that shows you all of the registration information for a domain name (the output is too large to paste here). It tells you who the domain name is registered to and for how long, and gives you the name servers. This is extremely helpful in our phishing case. If I do a whois chase.com and get some weird results, there is a good chance that something is wrong with DNS; of course it could be as simple as your DNS server having some out-of-date information, but it could also be a sign of more nefarious actions taking place.
Ultimately your best line of defense is the aforementioned SSL certificate. Those certificates aren't handed out to just anyone. If the phishing scam had sent me to chase.com, but my login page was http://chase.com rather than https://chase.com, that is a clear sign that I shouldn't log in (all of your information would be sent in clear text for anyone to read). And if the site were using an SSL certificate that doesn't match chase.com (i.e. registered to someone else, or self-signed), Firefox would have raised a warning.
I hope this gives you some good information about networking basics and a little more detail about phishing. The phishers in my case could have done a lot more to try to fool me. Hopefully you will be better equipped the next time you receive such an email.
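The two checks this post relies on, whether the link's host is really under the bank's domain (homeftp.net was the giveaway earlier) and whether it uses https, can be scripted. This is an added example, not code from the original post; the URLs it tests are constructed, and chase.com is the expected domain from the post.

```shell
#!/bin/sh
# Added example, not from the original post: apply the post's two checks
# (is the link host under the bank's domain? is the scheme https?) to links
# taken from an e-mail. Sample URLs are constructed; 203.0.113.5 is a
# documentation address standing in for a phisher's server.

# Print the URL scheme, lower-cased (empty if the URL has none).
url_scheme() {
    printf '%s\n' "$1" | sed -n 's|^\([A-Za-z][A-Za-z0-9+.-]*\)://.*|\1|p' | tr 'A-Z' 'a-z'
}

# Print the URL host, lower-cased: drop the scheme, everything from the first
# "/", "?" or "#", any "user@" prefix and any ":port" suffix. The "user@" rule
# matters: in https://chase.com@203.0.113.5/ the real host is 203.0.113.5.
url_host() {
    printf '%s\n' "$1" \
        | sed -e 's|^[A-Za-z][A-Za-z0-9+.-]*://||' -e 's|[/?#].*||' \
              -e 's|^.*@||' -e 's|:[0-9]*$||' \
        | tr 'A-Z' 'a-z'
}

# Succeed only if HOST is DOMAIN itself or a subdomain of it, so that
# chase.com.homeftp.net is NOT accepted for chase.com.
host_belongs_to() {  # host_belongs_to HOST DOMAIN
    case "$1" in
        "$2"|*."$2") return 0 ;;
        *)           return 1 ;;
    esac
}

# Print a verdict for URL against DOMAIN; exit status 0 = passes both checks.
check_link() {  # check_link URL DOMAIN
    scheme=$(url_scheme "$1"); host=$(url_host "$1")
    if [ "$scheme" != "https" ]; then
        echo "suspicious: $1 is not https, a login here travels in clear text"
        return 1
    fi
    if ! host_belongs_to "$host" "$2"; then
        echo "suspicious: host '$host' is not under $2"
        return 1
    fi
    echo "ok: $host is under $2 over https; still confirm the certificate is issued to $host"
}

for url in 'https://www.chase.com/login' 'http://chase.com.homeftp.net/login' \
           'https://chase.com.homeftp.net/' 'https://chase.com@203.0.113.5/login'; do
    check_link "$url" chase.com || true   # keep looping under 'set -e'
done
```

Only the first URL passes; the others fail on the scheme, on a look-alike host, or on the user@ trick. Even a passing link still needs the certificate check the post describes, which the script cannot do offline.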