[dns-operations] Passing card data through the DNS
Robert Edmonds
edmonds at mycre.ws
Wed Apr 20 16:08:09 UTC 2016
Brett wrote:
> Ok again it's from the tabloid end of the Internet but I thought some
> of you may be interested in this:
>
> http://www.theregister.co.uk/2016/04/20/vxers_pass_stolen_card_data_over_dns/
Usually The Register will link to the actual source, which in this case
is FireEye:
https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html
This part is amusing:
    Both the installation beacon and the stolen card data are encoded
    with an unusual encoding algorithm – Base32 – before being
    transmitted via DNS queries. The choice of Base32 is interesting as
    Base64 is better known and more widely used (for instance in the
    MIME standard used by email attachments). Using Base32 will actually
    result in the data taking up 20 percent more space than Base64, so
    the attackers were unconcerned with the efficiency of bandwidth.
    One possible reason for selecting Base32 is the relative obscurity
    of the algorithm. Security and data loss prevention (DLP) products
    are more likely to detect Base64 encoding and in some cases can
    automatically decode the data, which could result in DLP devices
    identifying the exfiltration.
A more likely reason is because Base32 is impervious to character case
perturbations on the way to the evildomain.com nameservers.
--
Robert Edmonds
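The case-insensitivity point above, worked through as an added example (this is not code from the thread, from FireEye, or from the malware described): DNS names are compared case-insensitively, and a query name may legally be returned with its letter case changed (0x20 randomization, lowercasing by an intermediate), so a Base64-encoded label can be corrupted in transit while a Base32 label decodes cleanly after case-folding. The script also checks the "20 percent more space" figure and includes a deliberately crude defender-side heuristic for flagging Base32-looking labels in query logs. The sample payload, the label-lowercasing "resolver", and the heuristic's thresholds are all constructed assumptions.

```python
import base64
import binascii
import re
from fractions import Fraction
from typing import Optional

# Constructed sample payload (a test-card-style string, not real data).
SAMPLE = b"4111111111111111|12/29"

# Base32 alphabet per RFC 4648: A-Z and 2-7. Case is irrelevant to DNS, so
# a label built from this alphabet survives any case change along the path.
B32_LABEL_RE = re.compile(r"^[A-Za-z2-7]+$")


def encode_b32(data: bytes) -> str:
    # '=' padding is not a legal hostname character, so strip it as an
    # exfiltrating client would have to.
    return base64.b32encode(data).decode("ascii").rstrip("=")


def encode_b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii").rstrip("=")


def decode_b32_label(label: str) -> bytes:
    # Normalise to upper case first: Base32 is case-insensitive by design,
    # so whatever case the resolver path applied, the original bytes return.
    padded = label.upper() + "=" * (-len(label) % 8)
    return base64.b32decode(padded)


def decode_b64_label(label: str) -> Optional[bytes]:
    # Base64 treats 'A' and 'a' as different symbols; a case-folded label
    # either decodes to the wrong bytes or fails validation entirely.
    padded = label + "=" * (-len(label) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (ValueError, binascii.Error):
        return None


def simulate_case_perturbation(name: str) -> str:
    # Assumed behaviour of an intermediate that lowercases the whole qname.
    return name.lower()


def overhead_ratio() -> float:
    # Base32 emits 8 characters per 5 bytes, Base64 4 characters per 3 bytes.
    return float(Fraction(8, 5) / Fraction(4, 3))   # 1.2, i.e. 20% more


def looks_like_base32_label(label: str) -> bool:
    # Crude heuristic for log review (assumed thresholds): only the Base32
    # alphabet, unusually long, and with more distinct characters than a
    # typical hostname label. Tune against real traffic before relying on it.
    return (bool(B32_LABEL_RE.match(label))
            and len(label) >= 16
            and len(set(label.upper())) >= 8)


if __name__ == "__main__":
    b32 = encode_b32(SAMPLE)
    b64 = encode_b64(SAMPLE)
    print("base32 after lowercasing ->", decode_b32_label(simulate_case_perturbation(b32)))
    print("base64 after lowercasing ->", decode_b64_label(simulate_case_perturbation(b64)))
    print("size overhead ratio:", overhead_ratio())
    print("flagged:", looks_like_base32_label(b32), looks_like_base32_label("www"))
```

Running it shows the Base32 label round-tripping to the original bytes after being lowercased, while the lowercased Base64 label comes back as different bytes. Python's `base64.b32decode` also accepts `casefold=True` for the same purpose; the explicit `upper()` just makes the point visible.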