Phishing Attacks Utilizing Port Numbers
Online attackers use a wide range of techniques. Some are old tricks and some are new, and it is the newer ones that make the problems of Internet security harder to handle. One trend noticed a little while ago was an attack based on a website’s “port number.” A port number identifies the specific process to which an Internet or other network message is forwarded when it arrives at a server. In a URL, the port number appears after a colon (“:”) following the host name. For example, in http://1.1.1.1:8080/ the port number is 8080.
According to the IANA (Internet Assigned Numbers Authority), the port numbers are divided into three ranges: well known ports, registered ports and the dynamic and/or private ports.
1. The “well known” ports are those ranging from 0 through 1023.
2. The “registered” ports are those from 1024 through 49151.
3. The “dynamic” and/or “private” ports are those from 49152 through 65535.
Statistics collected on phishing websites showed that the most frequently used port number was 82. It also came to light that the largest share of fraud across the different port numbers came from the United States and Korea. The question then arises: why is there such a high rate of attacks on port 82?
With further research we see that port 82 is used for the “Xfer Utility.” The Xfer utility is used for DNS zone transfers. This means that if data has to be transferred or replicated from the database of one DNS server for a particular zone to another, the Xfer utility would be used. Only the administrator of that particular server, however, can perform this transfer. The high number of frauds on this port may be due to the vulnerabilities faced by zone transfers.
There are typically two security risks with regard to zone transfers:
1. Exposure of data: A zone transfer means an entire DNS record set being exposed. If an attacker intercepts this transfer with malicious code, he or she can view the entire list of hosts in that domain. This gives the attacker a lot more control over the servers, which could allow a larger range of malicious practices to be attempted.
2. Denial of Service (DoS): If malicious code captures a DNS zone transfer, the attacker could launch a DoS attack by overloading the servers with multiple requests. This would make the servers slow and unresponsive. In a more serious case it would block legitimate requests as well.
It is also possible that port 82 is used simply as an alternative to the regular ports 80 and 81. However, it is difficult to prove the exact reason for this trend of port 82 frauds, and the two vulnerabilities above are only one possible explanation. The images below show some interesting statistics collected earlier this year over a three-week period; they show the share of fraud attacks against certain port numbers:

Another reason for port-based attacks might be to evade anti-phishing technologies. Attackers continue to randomize the ports they use, which may help them evade anti-phishing toolbars while still targeting specific customers. For example, fraud sites phishing a specific brand were served from one IP address but were reported on several ports:
http://IP number:722/update/secure/
http://IP number:306/update/secure/
http://IP number:9306/sharethisfolder/refunds.php
http://IP number:9277/EBSec/index.html
http://IP number:9777/xxx.NET/login.php
http://IP number:8444/logon/index.html
http://IP number:8444/haide/refunds.php
http://IP number:844/recycler/refunds.php
Here we can see that the IP remains the same but the ports vary: 722, 306, 9306, 9277, and so on. The attack also phishes only one specific brand. This suggests that the port randomization is not a coincidence in this case; rather, it looks like an intentional choice by the attacker. Some antifraud measures today check a website on one particular port but do not look into whether the site is active on any other port, which gives the attacker a chance to escape. Some of these other ports may still be reachable by the customer. In this way the attacker can evade anti-phishing toolbars and succeed in targeting customers.
One method to detect and fight this form of attack is to monitor websites that seem to be dead by viewing them irrespective of the port number, since the site may still be alive on a different port. Best practices include being wary of sites that both ask for confidential information and contain a port number in their URL. Please take the time to verify that the website is run by the original brand/company, and only then provide information to the site.
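The two ideas above, reading the port out of a URL and classifying it into the IANA ranges, and spotting one host that is reported on many different ports, can be combined into a small triage script for a feed of reported phishing URLs. The following is an added example written for this post; it is not code from the Security Response Blog. The URL list is constructed: the paths are the ones listed above, but the redacted “IP number” is replaced with RFC 5737 documentation addresses (192.0.2.10 and 203.0.113.5), two entries without an explicit port are added to show default-port handling, and all function names are the example’s own. The script works purely on the reported URLs and does not connect to anything.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample data: the paths are the ones listed in the post, but the
# redacted "IP number" is replaced with RFC 5737 documentation addresses.
# The last two entries are added to show default-port handling.
REPORTED_URLS = [
    "http://192.0.2.10:722/update/secure/",
    "http://192.0.2.10:306/update/secure/",
    "http://192.0.2.10:9306/sharethisfolder/refunds.php",
    "http://192.0.2.10:9277/EBSec/index.html",
    "http://192.0.2.10:9777/xxx.NET/login.php",
    "http://192.0.2.10:8444/logon/index.html",
    "http://192.0.2.10:8444/haide/refunds.php",
    "http://192.0.2.10:844/recycler/refunds.php",
    "http://203.0.113.5/login.html",    # no explicit port, so port 80
    "https://203.0.113.5/login.html",   # no explicit port, so port 443
]

DEFAULT_PORTS = {"http": 80, "https": 443}


def has_explicit_port(url: str) -> bool:
    """True when the URL carries a ':port' after the host name."""
    return urlsplit(url).port is not None


def url_port(url: str) -> int:
    """Port the URL addresses: the explicit ':port' if present, else the scheme default."""
    parts = urlsplit(url)
    if parts.port is not None:          # urlsplit already rejects ports outside 0..65535
        return parts.port
    return DEFAULT_PORTS[parts.scheme.lower()]


def iana_range(port: int) -> str:
    """Classify a port into the three IANA ranges quoted in the post."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def port_frequency(urls) -> Counter:
    """How often each port appears across the reported URLs (the post's port statistics)."""
    return Counter(url_port(u) for u in urls)


def ports_by_host(urls) -> dict:
    """Map each host to the set of distinct ports it was reported on."""
    seen = defaultdict(set)
    for u in urls:
        seen[urlsplit(u).hostname].add(url_port(u))
    return dict(seen)


def flag_port_hopping(urls, min_distinct_ports: int = 3) -> list:
    """Hosts reported on at least `min_distinct_ports` different ports.

    Returns [(host, sorted_ports), ...] ordered by descending port count, so an
    analyst can re-check these hosts on every reported port rather than only
    on the port a single report named.
    """
    flagged = [
        (host, sorted(ports))
        for host, ports in ports_by_host(urls).items()
        if len(ports) >= min_distinct_ports
    ]
    return sorted(flagged, key=lambda hp: (-len(hp[1]), hp[0]))


if __name__ == "__main__":
    for port, count in port_frequency(REPORTED_URLS).most_common():
        print(f"port {port:5d} ({iana_range(port):15s}) seen {count}x")
    for host, ports in flag_port_hopping(REPORTED_URLS):
        print(f"{host} reported on {len(ports)} distinct ports: {ports}")
```

The threshold of three distinct ports is deliberate: a legitimate host that answers on both 80 and 443 is normal and should not be flagged, whereas the sample IP above is reported on seven different ports and clearly stands out. Hosts that this script flags are the ones worth re-checking on each reported port, since a takedown or blocklist check that only looks at one port may wrongly conclude that the site is dead.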