DNS, Networking, and Phishing

In response to my other post on the Chase phishing scam, I am writing a follow-up that serves two purposes: 1) it introduces some networking internals that are great for troubleshooting, and 2) it gives more detail about how phishing works.

I mentioned in my last post that one of my clues that I was looking at a scam was the network address homeftp.net. But would it have been possible for the phishers to use chase.com? To explain that we need to back up and ask what chase.com actually is. Is chase.com the real address? In short, no. Computers talk to each other by IP (Internet Protocol) address. An IP address isn't a name like Mark Rosedale but a number (think of a Social Security number). Each machine on a network has an IP address that tells other machines where to find it and how to reach it. If you open a terminal (Mac: Applications > Utilities > Terminal.app; Linux: Applications > Terminal) and type ifconfig you will see something like:

mrosedale$ ifconfig
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::217:f2ff:fed2:6e89%en0 prefixlen 64 scopeid 0x4
inet 172.30.254.193 netmask 0xffff0000 broadcast 172.30.255.255
ether 00:17:f2:d2:6e:89

Here en0 is my first Ethernet device (the count starts at 0), and its inet address is 172.30.254.193. That is my IP address. Any machine on that network that wants to reach mine does so through this address (172.30.x.x is a private address range, so the number only means something inside my own network; the wider internet sees the network's public address instead). Now take chase.com's address. To find it, type nslookup chase.com in the terminal:

mrosedale$ nslookup chase.com
Server:        172.30.1.2
Address:    172.30.1.2#53

Non-authoritative answer:
Name:    chase.com
Address: 159.53.60.105

That is Chase's IP address according to my DNS server. Notice the "Non-authoritative answer": the reply came from the resolver at 172.30.1.2, which answers out of its cache, rather than from Chase's own (authoritative) name servers. Note that you can also use nslookup with an IP address to find the domain name recorded for that address (nslookup 159.53.60.105); this reverse lookup is a separate record, controlled by whoever owns the address block, so it need not match the forward name. So what is DNS? In its simplest form it maps the name chase.com to the actual IP address. Chase's address really is that string of numbers, but through a chain of DNS (name) servers that your computer can question, typing the name gets you to the right place. You can bypass DNS if you already know the IP: type that address into your browser and it takes you to Chase's website (this works here, but not for every site, since a server that hosts several names on one address needs the name to pick the right site).
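To see what nslookup is actually sending and receiving, here is an added example (not part of the original post) that builds the DNS query for chase.com byte by byte and parses a reply the way a resolver client does, including the AA flag that decides whether an answer is "authoritative". The reply bytes are constructed to mirror the nslookup output above (159.53.60.105); the transaction ID and the 300-second TTL are made up, and the ask() helper, which sends the query to the resolver from the text over UDP port 53, is the only part that needs a network.

```python
"""Build a DNS A query for chase.com and parse a (constructed) resolver reply.

Added example, not from the original post. SAMPLE_REPLY is constructed to
match the nslookup output in the text; the ID 0x1234 and TTL 300 are made up.
"""
import socket
import struct


def build_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Encode a standard recursive A query: 12-byte header + question section."""
    # Header: ID, flags (RD=1 -> 0x0100), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    # QNAME: each label prefixed with its length, terminated by a zero byte
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, off: int) -> tuple:
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels = []
    jumped = False
    end = off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Parse the header and answer section of a DNS reply (A records only)."""
    txn_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record: 4-byte IPv4 address
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {
        "id": txn_id,
        "authoritative": bool(flags & 0x0400),  # AA bit; 0 = "Non-authoritative answer"
        "rcode": flags & 0x000F,                # 0 = NOERROR, 3 = NXDOMAIN
        "answers": answers,
    }


def ask(name: str, resolver: str = "172.30.1.2", timeout: float = 2.0) -> dict:
    """Send the query to a resolver over UDP/53 (needs network; not used by the tests)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        data, _ = s.recvfrom(512)
    return parse_response(data)


# Constructed reply: same ID, flags 0x8180 (QR=1, RD=1, RA=1, AA=0 -> non-authoritative),
# the question echoed back, then one answer whose name is a pointer (0xC00C) to offset 12.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x05chase\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("159.53.60.105")
)

if __name__ == "__main__":
    print(build_query("chase.com").hex())
    print(parse_response(SAMPLE_REPLY))
```

The AA bit is what nslookup is reporting: a cached answer from your resolver has it cleared, and only a reply from one of Chase's own name servers would set it. The rcode field is worth watching too, since a resolver that has been tampered with can return an address where NXDOMAIN was expected.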

To see the path in action we can use another command called traceroute. Traceroute lists every router that your packets pass through on the way to the destination: it sends probes with an increasing hop limit (TTL), and each router that drops a probe reports back, revealing its address. See for yourself:

mrosedale$ traceroute google.com
traceroute: Warning: google.com has multiple addresses; using 72.14.207.99
traceroute to google.com (72.14.207.99), 64 hops max, 40 byte packets
1  cam-mpls (172.30.0.2)  1.464 ms  1.342 ms  0.663 ms
2  east-gw.oreilly.com (209.58.173.1)  6.208 ms  6.812 ms  2.739 ms
3  cmbr1-br1-s1-1-1-11.wharf.shore.net (209.58.139.181)  219.762 ms  178.438 ms  163.300 ms
4  209.227.128.134 (209.227.128.134)  268.381 ms  306.392 ms  300.790 ms
5  p3-2.pr1-jfk.primustel.com (209.227.131.1)  275.102 ms  219.420 ms  233.960 ms
6  p6-1.pr1-dca.primustel.com (209.227.129.145)  213.833 ms  339.987 ms  333.944 ms
7  209.227.129.182 (209.227.129.182)  275.529 ms  170.010 ms  167.073 ms
8  eqixva-google-gige.google.com (206.223.115.21)  216.749 ms  277.703 ms  291.127 ms
9  209.85.130.12 (209.85.130.12)  256.757 ms 209.85.130.18 (209.85.130.18)  271.546 ms  381.697 ms
10  66.249.94.234 (66.249.94.234)  412.589 ms  344.461 ms 209.85.248.217 (209.85.248.217)  375.775 ms
11  72.14.233.113 (72.14.233.113)  336.960 ms 216.239.43.146 (216.239.43.146)  287.569 ms  309.612 ms
12  66.249.94.92 (66.249.94.92)  335.965 ms  359.242 ms  328.390 ms
13  * 66.249.94.118 (66.249.94.118)  384.661 ms 72.14.236.130 (72.14.236.130)  404.180 ms
14  eh-in-f99.google.com (72.14.207.99)  353.024 ms  327.035 ms  253.070 ms

You can see that your packets pass through an awful lot of machines before finally reaching google.com (which, as the warning shows, has multiple addresses for load-balancing purposes). This is a fun tool for seeing where your traffic gets routed, but note what those hops are: they are routers, not DNS servers. The DNS work happens once, up front, when traceroute resolves google.com to 72.14.207.99 in the first line. That lookup goes to my resolver (172.30.1.2), which, if it doesn't have the answer cached, asks the root servers, then the .com servers, then Google's own name servers. Who runs these DNS servers? Different parties: my network (or an ISP) runs the resolver, the registries run the root and .com servers, and every domain owner runs, or pays someone to run, the authoritative servers for their own name. That is how this relates to the phishing scam. When you type chase.com you rely on your own resolver and on everyone else's servers in that chain to hand back the right IP address. If any link in the chain were hacked or circumvented (a poisoned resolver cache, a hijacked registrar account, a changed DNS setting on your own router), then typing chase.com could take you to a different location entirely. Plain DNS carries no proof of who answered, which is an inherent weakness in the structure of the internet (DNSSEC adds signatures for the zones that deploy it, but the certificate check described below is the one you actually see in the browser).

One more tool for digging into domain names. whois is a wonderful tool that shows the registration record for a domain name (the output is too large to paste): who the domain is registered to, when it was registered and when it expires, and which name servers are authoritative for it. This is extremely helpful in our phishing case, because whois asks the registry rather than your DNS server, so it is an independent check. If whois chase.com shows name servers that differ from the ones your resolver reports (nslookup -type=ns chase.com), or a registrant or registration date that makes no sense for Chase, there is a good chance something is wrong. It could be as simple as your DNS server holding out-of-date information, but it could also be a sign of something more nefarious, such as a hijacked registration.

Ultimately your best line of defense is the aforementioned SSL certificate. A certificate for chase.com is only issued to someone who can prove to the certificate authority that they control chase.com, and your browser checks that the certificate is signed by an authority it trusts, is still valid, and names the exact host in the address bar. If the phishing scam had sent me to chase.com, but my log in was at http://chase.com rather than https://chase.com, that is a clear sign I shouldn't log in (all of your information is sent in clear text for anyone to read). And if the site were using a certificate that doesn't match chase.com (i.e. issued to someone else, or self-signed), Firefox would have thrown up warnings. The one thing the padlock cannot tell you is whether the name is the right one: a phisher can obtain a perfectly valid certificate for a lookalike domain they own, so check the domain itself, not just the presence of https.
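As an added example (not part of the original post), here are the checks from the paragraph above written out in Python: check_login_url() applies the scheme and domain rules to a login URL, and cert_matches_host() applies the browser's name-matching rule to the DNS names a certificate carries. The sample URLs and certificate name lists are constructed for illustration (homeftp.net is from the post; evil.example is a made-up host), and only live_cert_names(), which fetches a real server's certificate, needs network access.

```python
"""Login-URL and certificate-name checks, in the spirit of the post's advice.

Added example, not code from the original post. The sample URLs and
certificate name lists are constructed; evil.example is a made-up host.
"""
import socket
import ssl
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "chase.com"


def check_login_url(url: str, expected: str = EXPECTED_DOMAIN) -> list:
    """Return the reasons not to log in at `url`; an empty list means it passes."""
    problems = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        problems.append("not https: the password would be sent in clear text")
    # Only the rightmost labels decide who owns the host:
    # chase.com.homeftp.net belongs to homeftp.net, not to chase.com.
    if not (host == expected or host.endswith("." + expected)):
        problems.append(f"host {host!r} is not {expected} or a subdomain of it")
    # http://chase.com@evil.example/ shows chase.com first but connects to evil.example.
    if parts.username is not None:
        problems.append("URL has user@ before the host, a common disguise")
    return problems


def cert_matches_host(cert_names: list, host: str) -> bool:
    """Apply the browser's name-matching rule to a certificate's DNS names.

    The certificate must name the host exactly or via a single-label wildcard:
    *.chase.com covers www.chase.com but not chase.com or a.b.chase.com.
    A certificate issued to someone else, or self-signed for another name,
    fails here, which is what produces the browser warning.
    """
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower()
        if name.startswith("*."):
            # name[1:] is ".chase.com"; the dot count keeps the wildcard to one label
            if host.endswith(name[1:]) and host.count(".") == name.count("."):
                return True
        elif name == host:
            return True
    return False


def live_cert_names(host: str, port: int = 443) -> list:
    """Fetch a server's certificate and return the DNS names it covers (needs network).

    The default context already verifies the chain and the hostname, so a
    mismatched or self-signed certificate raises ssl.SSLCertVerificationError
    here, just as the browser would warn.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    for url in ("https://www.chase.com/login",
                "http://chase.com.homeftp.net/login",
                "http://chase.com@evil.example/"):
        print(url, "->", check_login_url(url) or "ok")
    print(cert_matches_host(["chase.com", "*.chase.com"], "www.chase.com"))
```

The domain test is deliberately strict about the suffix: a host passes only if it is chase.com or ends in ".chase.com", so chase.com.homeftp.net and chasecom.example both fail even though both contain the expected name.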

I hope this gives you some good information about networking basics and a little more detail about how phishing works. The phishers in my case could have done a lot more to try to fool me. Hopefully you will be well equipped the next time you receive such an email.
