How to Keep a Phish Alive
Posted by Erik Larkin | Sunday, August 06, 2006 10:37 AM PT
Here's another example, this one out of Defcon here in Vegas, of how phishers and other online criminals work to stay one step ahead of the good guys. To get around attempts to shut down their phishing sites, the bad guys are using a trick with the Domain Name System, or DNS, which translates human-readable names like www.google.com into the IP addresses that computers use to find their way around on the Internet. DNS is a must-have; the Internet couldn't function without it.
But the crooks are using an otherwise useful, and often free, service called dynamic DNS to keep phishing sites alive. The service lets anyone who signs up for an account link a name to a changing IP address: the account holder pushes the new address to the provider, and because the provider publishes the record with a short time-to-live, the change takes effect within minutes. That's good for things like reaching a webcam at home on a connection whose address changes.
Problem is, a takedown usually knocks out the server at one particular IP address, not the name. When a phishing site is found and shut down, phishers using dynamic DNS can just stand it up again at a new IP address, update the record, and keep the same name. So all those email links pointing to http://stealyourmoney.phishing.com will still work.
I found out about this one at a talk from Gadi Evron, who works for an Israeli security company. He says botnet controllers use the same trick to keep the command-and-control servers for their botnets reachable. Used to be that the control servers were a good target, because if you shut them down the botnet was effectively dead in the water. But dynamic DNS allows the same continuous cat-and-mouse game here too.
The people running dynamic DNS fight the criminals, of course, but it's an ongoing battle that for the moment (at least according to Evron) gives the bad guys the advantage. Yet another reason why phishing won't be going away any time soon.
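To make the problem concrete, here is an added example (not from the original post or from Evron's talk) of what the defender's side of the cat-and-mouse game looks like in practice: a small script that reads resolver records for a set of hostnames, spots names whose IP address keeps changing while the label stays the same, and shows why blocking the addresses seen so far leaves such a name reachable. The log lines, the `dyn.example` parent zone, and the churn thresholds are all constructed for illustration.

```python
"""Spot hostnames whose IP keeps changing while the name stays the same.

Added example, not code from the original post.  The log lines below are
constructed; the dynamic-DNS zone list and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed passive-DNS style log: "<ISO time> <qname> A <ip> ttl=<seconds>".
# One ordinary site with a stable address and a long TTL, and one name under a
# (hypothetical) dynamic-DNS zone that hops between addresses with a 60 s TTL.
SAMPLE_LOG = """\
2006-08-01T09:00:00 login.example-bank.com A 198.51.100.10 ttl=3600
2006-08-01T09:05:00 secure-update.dyn.example A 203.0.113.5 ttl=60
2006-08-01T11:40:00 login.example-bank.com A 198.51.100.10 ttl=3600
2006-08-01T12:05:00 secure-update.dyn.example A 203.0.113.77 ttl=60
2006-08-02T08:10:00 secure-update.dyn.example A 192.0.2.9 ttl=60
2006-08-02T09:00:00 login.example-bank.com A 198.51.100.10 ttl=3600
2006-08-02T13:30:00 secure-update.dyn.example A 192.0.2.130 ttl=60
"""

DYNAMIC_ZONES = ("dyn.example",)  # hypothetical provider zone, an assumption
CHURN_THRESHOLD = 3               # distinct IPs for one name before we care
LOW_TTL = 300                     # seconds; dynamic records are usually short


def parse_log(text):
    """Turn the constructed log lines into a list of A-record observations."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, rtype, ip, ttl = line.split()
        if rtype != "A":
            continue
        records.append({
            "time": datetime.fromisoformat(ts),
            "qname": qname.lower().rstrip("."),
            "ip": ip,
            "ttl": int(ttl.split("=", 1)[1]),
        })
    return records


def in_dynamic_zone(qname, zones=DYNAMIC_ZONES):
    """True if qname is the zone itself or a name beneath it."""
    return any(qname == z or qname.endswith("." + z) for z in zones)


def churn_report(records):
    """Per name: how many addresses it has used, its lowest TTL, and a verdict."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r["qname"]].append(r)
    report = {}
    for qname, rs in by_name.items():
        rs.sort(key=lambda r: r["time"])
        history = []
        for r in rs:                      # ordered list of address changes
            if not history or history[-1] != r["ip"]:
                history.append(r["ip"])
        distinct = len(set(r["ip"] for r in rs))
        min_ttl = min(r["ttl"] for r in rs)
        report[qname] = {
            "distinct_ips": distinct,
            "ip_history": history,
            "min_ttl": min_ttl,
            "dynamic_zone": in_dynamic_zone(qname),
            # Same name, many addresses, short TTL: the pattern the post describes.
            "flagged": distinct >= CHURN_THRESHOLD and min_ttl <= LOW_TTL,
        }
    return report


def flagged_names(records):
    """Names whose address churn looks like dynamic-DNS abuse."""
    return sorted(n for n, info in churn_report(records).items() if info["flagged"])


def names_surviving_ip_block(records, blocked_ips):
    """Names whose most recent answer is not blocked.

    This is the takedown problem in miniature: blocking every address seen so
    far does nothing once the record has moved to a fresh one.
    """
    latest = {}
    for r in sorted(records, key=lambda r: r["time"]):
        latest[r["qname"]] = r["ip"]
    return sorted(n for n, ip in latest.items() if ip not in blocked_ips)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name, info in churn_report(recs).items():
        print(name, info)
    print("flagged:", flagged_names(recs))
    print("still reachable after blocking the first three addresses:",
          names_surviving_ip_block(recs, {"203.0.113.5", "203.0.113.77", "192.0.2.9"}))
```

The useful output is the per-name verdict: the bank login page keeps one address with a one-hour TTL and is never flagged, while the dynamic-DNS name has used four addresses in two days on a 60-second TTL and is. Blocking the three addresses it used first changes nothing, because the last observation already points at a fourth; that is why the comments below turn to taking the name itself out of circulation rather than chasing addresses.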
OK, then just register the domain name the phishers had, and keep it out of circulation. This can't be that hard to do...
You can't register a name that's already in use. That's the point, the domain name stays the same throughout the entire process, but the underlying IP address changes.
But, if the people running dynamic DNS "confiscated" the phish-name, so it shows up as being owned (the crooks cannot just re-register it), but it can't be controlled by the crooks, wouldn't that solve this part of the problem?