[dns-operations] Passing card data through the DNS

Robert Edmonds edmonds at mycre.ws
Wed Apr 20 16:08:09 UTC 2016

Brett wrote:
> Ok again it's from the tabloid end of the Internet but I thought some
> of you may be interested in this:
> http://www.theregister.co.uk/2016/04/20/vxers_pass_stolen_card_data_over_dns/

Usually The Register will link to the actual source, which in this case
is FireEye:


This part is amusing:

    Both the installation beacon and the stolen card data are encoded
    with an unusual encoding algorithm – Base32 – before being
    transmitted via DNS queries. The choice of Base32 is interesting as
    Base64 is better known and more widely used (for instance in the
    MIME standard used by email attachments). Using Base32 will actually
    result in the data taking up 20 percent more space than Base64, so
    the attackers were unconcerned with the efficiency of bandwidth.

    One possible reason for selecting Base32 is the relative obscurity
    of the algorithm. Security and data loss prevention (DLP) products
    are more likely to detect Base64 encoding and in some cases can
    automatically decode the data, which could result in DLP devices
    identifying the exfiltration.

A more likely reason is because Base32 is impervious to character case
perturbations on the way to the evildomain.com nameservers.

Robert Edmonds

More information about the dns-operations mailing list