Hostname lookup attack

When establishing a connection with a remote computer such as a web server belonging to a bank or other target, a hostname lookup is normally performed to translate a domain name such as “bank.com” to a numeric IP address such as 198.81.129.100. Hostname lookup attacks interfere with the integrity of the lookup process for a domain name. Hostname lookup attacks are commonly called “pharming.”

One form of hostname lookup attack is to interfere with the Domain Name System (DNS), for example by hacking a DNS server. However, hostname lookup attacks are more commonly performed locally by crimeware that modifies the hosts file on the victim’s computer. The hosts file is consulted before any DNS query is made: if a domain or host name appears in it, the corresponding address is used, without regard to what a DNS query for that domain would return. If this file is modified, then “www.bank.com” can be made to refer to a malicious address. When the user then visits www.bank.com, the connection goes to the attacker’s server instead, and he or she will see a legitimate-looking site and enter confidential information, which actually goes to the attacker.
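As an added example (not part of the original text), a defender-side check for the hosts-file variant just described: it parses a hosts file and flags any entry that pins a watched domain such as the bank’s, or that maps a name to an address outside loopback, the unspecified address and RFC 1918 LAN space, since a benign hosts file rarely does either. The sample hosts file and the `bank.com` watch list are constructed for illustration.

```python
import ipaddress

# Destinations a benign hosts file normally points at: loopback, the
# unspecified address that ad-blocking lists use, and RFC 1918 LAN space.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_hosts(text):
    """Return (address, hostname) pairs from hosts-file text, skipping comments."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        try:
            addr = ipaddress.ip_address(fields[0])
        except (IndexError, ValueError):
            continue                             # blank or malformed line
        entries.extend((addr, name.lower()) for name in fields[1:])
    return entries

def is_local_target(addr):
    """True if the address is one a legitimate hosts entry would point at."""
    if addr.is_loopback or addr.is_unspecified:
        return True
    return addr.version == 4 and any(addr in net for net in LAN_NETWORKS)

def find_pharming_entries(text, watched_domains):
    """Flag entries that pin a watched domain (e.g. a bank's) or map any name
    to a non-local address; either is what a hosts-file pharming attack needs."""
    findings = []
    for addr, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watched_domains):
            findings.append((name, str(addr), "watched domain pinned in hosts file"))
        elif not is_local_target(addr):
            findings.append((name, str(addr), "hostname mapped to non-local address"))
    return findings

# Constructed sample hosts file (not taken from a real system).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
192.168.1.20    printer.lan
203.0.113.45    www.bank.com bank.com   # injected entry (constructed)
0.0.0.0         ads.example
198.51.100.7    cdn.example
"""

if __name__ == "__main__":
    for name, addr, reason in find_pharming_entries(SAMPLE_HOSTS, ("bank.com",)):
        print(f"{name:<14} -> {addr:<14} {reason}")
```

On a real system, point the parser at `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts` and alert on any finding, since neither kind of entry belongs there on a normal workstation.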

Another way to interfere with hostname lookups is to alter the system configuration of a victim’s computer to change the DNS server to a malicious server controlled by the attacker. When a user navigates to a correctly named site, such a server can send the user to a fraudulent site where confidential information is collected.

Another form of hostname lookup attack involves polluting the user’s DNS cache with incorrect information that will be used to direct the user to an incorrect location. If the user has a misconfigured DNS cache, this can be done by simply providing incorrect information. It can also be accomplished by hacking a legitimate DNS server, or by polluting the cache of a misconfigured legitimate DNS server. Such attacks do not fall within the definition of crimeware, as they do not involve software that runs on the victim’s computer.