Hacktivists hijack DNS of popular websites

Posted by Virus Bulletin on Jan 26, 2012

Security at registrars may be weak link.

A hacktivist group has managed to redirect the traffic of two popular websites by hijacking their DNS settings, researchers at Internet Identity report.

The sites belong to UFC, a mixed martial arts promotion company, and Coach, which produces luxury goods. Both companies had expressed their support for the controversial SOPA and PIPA bills, which were withdrawn last week following widespread campaigning against them, including a 24-hour blackout of Wikipedia.

Apart from lost revenue, a DNS hijack that only redirects website traffic is mostly embarrassing for the victims: hijacking the DNS does not give the attackers access to the company's servers. However, if the attackers redirect email traffic (the mail servers used by a domain are also set in its DNS), or set up a spoof or phishing site, the damage could be much worse. In fact, Internet Identity suggests that the damage could have been worse had the attackers been more experienced.

Most organisations make significant efforts to secure their systems, which is laudable. However, the DNS settings, which are commonly stored at a third-party registrar, can easily be forgotten. Weak or compromised passwords, or inadequate security at the registrar, may give the attackers access to the DNS settings, allowing them to redirect traffic.
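One way to notice changes like these is to compare the records a domain currently publishes against a known-good baseline. The sketch below is an added example, not part of the original article: the function names, domain names and addresses are constructed, and it assumes the observed snapshot has already been collected by whatever resolver tooling you use.

```python
# Added example: compare a known-good DNS baseline with an observed snapshot.
# All domain names and addresses are constructed (documentation ranges).

IMPACT = {
    "NS": "name servers changed: all answers may now come from another party",
    "A": "web traffic may be redirected to another host",
    "MX": "inbound email may be redirected to another mail server",
}


def normalize(rtype, value):
    """Canonicalize a value so case, trailing dots and order do not alert."""
    value = value.strip().lower()
    if rtype == "MX":  # "10 mail.example.com." -> (10, "mail.example.com")
        prio, host = value.split()
        return (int(prio), host.rstrip("."))
    return value.rstrip(".")


def diff_records(baseline, observed):
    """Return one finding per record type whose record set differs."""
    findings = []
    for rtype in ("NS", "A", "MX"):
        want = {normalize(rtype, v) for v in baseline.get(rtype, [])}
        have = {normalize(rtype, v) for v in observed.get(rtype, [])}
        if want != have:
            findings.append({"type": rtype, "impact": IMPACT[rtype],
                             "added": sorted(have - want),
                             "removed": sorted(want - have)})
    return findings


BASELINE = {"NS": ["ns1.registrar.example.", "ns2.registrar.example."],
            "A": ["192.0.2.10"],
            "MX": ["10 mail.shop.example."]}
# Same records with different order, case and trailing dots: no findings.
UNCHANGED = {"NS": ["NS2.registrar.example", "ns1.registrar.example"],
             "A": ["192.0.2.10"],
             "MX": ["10 MAIL.shop.example"]}
# Web and mail records repointed while the delegation looks untouched.
REPOINTED = {"NS": BASELINE["NS"],
             "A": ["203.0.113.66"],
             "MX": ["5 mx.other.example."]}

if __name__ == "__main__":
    for f in diff_records(BASELINE, REPOINTED):
        print(f["type"], "added", f["added"], "removed", f["removed"])
        print("  ->", f["impact"])
```

Including MX in the baseline matters because a mail redirection leaves the website looking normal.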

One way to mitigate the damage of DNS hijacks is to use DNSSEC, which authenticates the origin of DNS requests. However, this is not entirely without risk either: after American ISP Comcast enabled DNSSEC verification for its customers, requests to the website of NASA were blocked due to a misconfiguration in the latter's DNS settings. Ironically, this happened on the same day as the Wikipedia blackout, which led many users to believe that NASA was participating in the protests too.

More at Internet Identity here, with more on the DNSSEC issue at Dark Reading here. Comcast has published this PDF on the case, which is intended to help other early DNSSEC adopters.
