Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Hacktivists Turn To DNS Hijacking

Coach, UFC fall victim to attacks that redirect their Web traffic

Hacktivists have added a new tactic to their arsenal: redirecting all of the traffic from a target company's website.

According to a blog written by security expert Lars Harvey of IID, politically motivated attackers are now using DNS hijacks, which redirect all the traffic from a victim's legitimate website (and often all the email and back-end transactions, too) to a destination of the attacker's choosing.

"A determined criminal can set up a fake look-alike destination site to dupe customers into revealing credentials or downloading malware," Harvey states.

Many companies pay little, if any, attention to securing their domain registrations, and most do not continuously monitor their DNSes to make sure they're resolving properly around the world, making them vulnerable to attack, the blog says.

"The first indication most victims have of a DNS hijack is that their website traffic slows to a trickle," Harvey reports. "Then they have to figure out why, and DNS is rarely the first thing they think of, which lengthens the time to mitigate the attack."

On Sunday, the domain name UFC.com was hijacked by a hacktivist group that apparently didn't like the mixed-martial arts company fighting the organization's support of the SOPA/PIPA online piracy bills, IID reports. On Monday evening that same group, called UGNazi, hijacked two domain names, coach.com and coachfactory.com, belonging to luxury goods maker Coach Inc., for the same reason.

"Thankfully, both DNS hijack attacks were defeated within a few hours," the blog states. "In the Coach case, it appears that the legitimate hosting company where the hijacked domain was redirected to noticed the large influx of new traffic, quickly determined its nefarious source and helped get the problem fixed."

It could have been worse, Harvey says. "Both Coach and UFC got lucky that the hacktivist criminals are apparently inexperienced in the matter of DNS hijackings, which made it relatively easy to mitigate the attacks," he states.

Both Coach and UFC registered their domains at Network Solutions, IID reports. "The criminals hijacked the domains by accessing the companies' domain management accounts at Network Solutions," the blog states. "It's currently unclear how they did so. In such cases, the cause is usually weak or compromised user passwords, or a website vulnerability at the registrar. Since very few registrars use multifactor authentication, this makes taking over domain names almost trivially easy for any hacker."

Companies should have their domains registered at a corporate domain registrar, rather than a registrar that caters primarily to individuals, IID advises. "[Corporate] registrars have designed their services to serve companies, and provide levels of security and service that make it much more difficult for an attacked to hijack your domain," the blog says. "If your corporate domains are registered at consumer-focused registrars like GoDaddy, Network Solutions, and Register.com, then you are much more vulnerable to attack."

Companies also should continuously monitor their DNSes so they can be immediately alerted of attacks, says IID, which offers such a monitoring service.

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/1/2012 | 11:26:58 PM
re: Hacktivists Turn To DNS Hijacking
Joe, registering your domain using a corporate domain registrar doesn't necessarily solve this issue...
User Rank: Apprentice
1/30/2012 | 4:52:15 AM
re: Hacktivists Turn To DNS Hijacking
I have also read about this.And yes,this can be solved through by which that particular company should have their domain registered at a corporate domain.
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of replies to messages sent by outgoing webhooks to private streams meant that an outgoing webhook bot could be used to send messages to private streams that the user was not intended to be able to send messages to.
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appearing as if sent by a system bot, including to other organizations hosted by the sa...
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the all_public_streams API feature resulted in guest users being able to receive message traffic to public streams that should have been only accessible to members of the organization.
PUBLISHED: 2021-04-15
In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation.
PUBLISHED: 2021-04-15
The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused ...