NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0341 Getting Around IP Address Fraud Filters:
Cyber criminals have devised a new way around protections against fraudulent IP address
use. Typically, server-based security products compare IP addresses against a database
of known fraudulent sites or questionable locations. The products also check for
characteristics that do not make sense. For example, if a site were masquerading as
eBay but the filters found it was really hosted on a server in China that had only been
established one week earlier, it would block access.
However, in an operation leveraging a hijacked Yahoo IP address, hackers used that address
as the one behind a forged Google Analytics domain name, according to security firm
Finjan. This fooled the web-filtering products into believing a person was going to a
highly trusted Yahoo domain.
The victims never knew they were on a malicious web site, and neither did the security
mechanisms on the network. "They managed to resolve the domain name to an IP address
owned by Yahoo. How they added an address into a DNS server to appear to be an IP address
owned by Yahoo is unknown," said Yuval Ben-Itzhak of Finjan.
(www.internetnews.com 19NOV07)
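An added illustration, not part of the advisory and not Finjan's or any vendor's code: a toy Python model of the two filter designs, the IP-reputation check the article describes and a hardened version that also requires the brand a hostname presents itself as to match the owner of the IP it resolves to. All hostnames, addresses, owners and dates below are constructed.

```python
from datetime import date

# Constructed sample data for this example; none of these values come from the article.
# RFC 5737 documentation addresses stand in for real ones.
KNOWN_BAD_IPS = {"192.0.2.66"}
IP_OWNER = {
    "203.0.113.10": "yahoo",    # plays the role of the hijacked Yahoo-owned address
    "203.0.113.50": "google",   # a legitimately Google-owned address
    "198.51.100.7": "newhost",  # the week-old server in the article's eBay example
}
DOMAIN_REGISTERED = {  # hostname -> registration date
    "www.google-analytics.example": date(2005, 11, 14),
    "google-analytics-stats.example": date(2007, 11, 12),  # forged look-alike, one week old
    "signin.ebay-secure.example": date(2007, 11, 12),
}
TRUSTED_BRANDS = {"yahoo", "google", "ebay"}
TODAY = date(2007, 11, 19)

def domain_age_days(hostname):
    return (TODAY - DOMAIN_REGISTERED.get(hostname, TODAY)).days

def brand_claimed(hostname):
    """Which trusted brand, if any, the hostname presents itself as."""
    labels = hostname.lower().replace("-", ".").split(".")
    return next((b for b in TRUSTED_BRANDS if b in labels), None)

def ip_reputation_filter(hostname, resolved_ip):
    """The filter the article describes: blocklist first, then a sanity check on
    young look-alike domains, but an IP owned by a trusted organisation is waved through."""
    if resolved_ip in KNOWN_BAD_IPS:
        return False, "ip on blocklist"
    if IP_OWNER.get(resolved_ip) in TRUSTED_BRANDS:
        return True, "ip owned by trusted organisation"   # the gap Finjan's case exploited
    if brand_claimed(hostname) and domain_age_days(hostname) < 30:
        return False, "brand look-alike on a week-old domain"
    return True, "no indicator"

def owner_consistency_filter(hostname, resolved_ip):
    """Hardened check: a trusted IP owner is not enough; the brand the hostname claims
    must be the organisation that owns the IP, and domain age is checked either way."""
    if resolved_ip in KNOWN_BAD_IPS:
        return False, "ip on blocklist"
    claimed, owner = brand_claimed(hostname), IP_OWNER.get(resolved_ip)
    if claimed and owner != claimed:
        return False, f"hostname claims {claimed} but ip belongs to {owner or 'unknown'}"
    if claimed and domain_age_days(hostname) < 30:
        return False, "brand look-alike on a week-old domain"
    return True, "hostname and ip owner agree"
```

Legitimate hostnames often resolve to third-party hosting or CDN space, so in practice a brand/owner mismatch is a signal to escalate or inspect, not a verdict on its own.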