Even the smartest phishers make mistakes
The most problematic phishers are those that use rock-style tactics to implement their scams. By using a combination of fast-flux botnets, reverse proxies, and a myriad of registered domain names, their scams are likely to stay alive 50% longer or more than regular phishing attacks. Clearly they’re more advanced than the ankle-biters who use free phishing kits and free web space like Geocities.
Today I started seeing reports of a PayPal phishing attack using the URL (line wrapped for readability):
http://secure.paypal.com.session-
id99464376173882452045040350355179058532566734394749600500
117946024993835998207694.ssl89.ru
The only problem is that it’s impossible to resolve this hostname. If you look carefully, you’ll see that the label that starts with ’session-’, followed by a bunch of numbers, is 91 characters long. That is longer than the maximum of 63 allowed by RFC 2181.
The phishers never notice this themselves because their nameservers have wild-card entries that allow any hostname and sub-domain to resolve (assuming the query gets to their servers).
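The label limit is worth checking mechanically when triaging reported phishing URLs: the DNS wire format encodes each label with a single length octet whose top two bits are reserved for compression pointers, which leaves 6 bits and therefore a hard ceiling of 63 octets per label, so a name like the one above is rejected by the client's resolver before any query ever reaches the attacker's wildcard nameserver. The following script is an added example written for this post, not code from the original author; it re-joins the wrapped hostname quoted above into a constant, pulls the host out of a URL, and reports every label over the RFC 1035/2181 limit (the function and constant names are my own, and the check assumes ASCII hostnames, so internationalized names would need IDNA conversion first).

```python
"""Hostname sanity check for phishing-URL triage (added example, not from the original post).

A URL whose hostname has a label longer than 63 octets, or that exceeds 253
characters overall, can never resolve regardless of what the attacker's
wildcard nameserver would answer, so reports containing such URLs can be
flagged as dead on arrival.
"""
from urllib.parse import urlsplit

MAX_LABEL_OCTETS = 63   # RFC 1035 section 2.3.4 and RFC 2181 section 11
MAX_NAME_CHARS = 253    # textual name without the trailing dot

# The hostname quoted in the post, re-joined from its wrapped lines.
POST_HOSTNAME = (
    "secure.paypal.com.session-"
    "id99464376173882452045040350355179058532566734394749600500"
    "117946024993835998207694.ssl89.ru"
)


def hostname_of(url):
    """Return the host part of a URL; a scheme is assumed if the report omitted it."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def longest_label_length(host):
    """Length in characters of the longest dot-separated label in the hostname."""
    return max(len(label) for label in host.split("."))


def label_problems(host):
    """List the reasons this hostname can never resolve; an empty list means it is well-formed.

    Assumes an ASCII hostname (non-ASCII names must be IDNA-encoded before checking).
    """
    problems = []
    if len(host) > MAX_NAME_CHARS:
        problems.append(f"name is {len(host)} characters, limit is {MAX_NAME_CHARS}")
    for label in host.split("."):
        if not label:
            problems.append("empty label (leading, trailing or doubled dot)")
        elif len(label) > MAX_LABEL_OCTETS:
            problems.append(
                f"label {label[:16]}... is {len(label)} characters, limit is {MAX_LABEL_OCTETS}"
            )
        elif label.startswith("-") or label.endswith("-"):
            problems.append(f"label {label} begins or ends with a hyphen")
    return problems


def check_url(url):
    """Triage summary for one reported URL."""
    host = hostname_of(url)
    problems = label_problems(host)
    return {"host": host, "resolvable_form": not problems, "problems": problems}


if __name__ == "__main__":
    # Constructed sample input: the post's URL plus a well-formed one for contrast.
    for url in ("http://" + POST_HOSTNAME + "/", "https://www.paypal.com/signin"):
        result = check_url(url)
        status = "ok" if result["resolvable_form"] else "CANNOT RESOLVE"
        print(f"{status}: {result['host'][:40]}...")
        for problem in result["problems"]:
            print("   -", problem)
```

Running it prints one line per URL with the reasons the hostname is unresolvable; the same function can be dropped into a report-ingestion pipeline so that analysts do not spend time on takedown requests for names that no resolver will ever look up.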
