The Akamai Blog

Q1 2015 SOTI Preview: Website Defacements and DNS Hijacking

The Q1 2015 State of the Internet - Security Report is due out next month, and we think the week of RSA Conference 2015 is a good time to start previewing sections.

Yesterday we reviewed the potential security risks of widespread IPv6 adoption. Today, we look at the continuing trend of website defacements and DNS Hijacking.

In Q1 2015, Akamai tracked and offered defensive measures for mass website defacements and DNS hijacking.

Website defacements
Akamai saw multiple media reports in which a group claimed to have hacked hundreds or thousands of sites in a single night. The intent was to instill a sense of widespread unease in the casual observer.

When we looked a little closer, we saw that there was more to it. One can rightly assume that many of these defacements were carried out through some form of automation, but the attacks had another interesting property.

Looking at the IP addresses of the hundreds of affected websites, we noticed that many, and sometimes all, of them resolved to the same IP address. This led us to believe the sites were running on the same server, so a single compromised host accounted for most of the claimed victims.

DNS Hijacking
Early in the quarter, Akamai CSIRT observed attacks that can bypass even the best security protections and give attackers the keys to the victim's kingdom. That attack is called DNS Hijacking. This happens when attackers gain access to a domain registrar account and change the DNS resource records to point to server(s) under the attacker's control.

Domain registration compromises expose a threat with high repercussions for a relatively small number of targets. The targets of spear-phishing attempts include IT, Finance and HR staff who have access to domain registration accounts. Very often, this access is gained by phishing the email credentials of a site's domain administrator. Once they have those credentials, the attacker can perform a password reset on the registrar's site.

With the new password and administrative access, the attacker logs in to the registrar and changes the NS records, which determine who serves the resource records for the domain's web servers and mail servers. Once the NS records are under the attacker's control, so is every request for the domain's websites and email, which means all web and email traffic for that domain.

When the NS records are under the attacker's control, web and email traffic can be redirected to any IP address the attackers control. NS records often have a long TTL (24-48 hours), so the effects of a compromised registrar account can persist for up to the TTL of the NS records even after the records are corrected.

We have seen instances where the attackers modified the entire zone file, including MX (mail exchange) records, providing the attackers access to any mail sent to the target of the attack. In addition to information leakage via email, the attackers can also use this access to trigger password resets on other services and compromise them as well. With the ability to intercept password reset attempts the attackers will attempt to maintain control over all administrative accounts for a given domain name.
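One defensive control this section implies is to monitor the domain's delegation and mail records against a known-good baseline and alert the moment they change. The following added example (not Akamai's code; all hostnames and addresses are constructed placeholders) diffs a captured record snapshot against that baseline, rates NS or MX drift as critical, and reports how long a hijacked delegation may linger in caches given the NS TTL:

```python
"""Registrar-hijack monitor: diff the NS/MX/A records a resolver currently returns
against a known-good baseline and flag delegation or mail changes as critical."""
from typing import Dict, List, Set, Tuple

Records = Dict[str, Set[str]]

# Constructed baseline of legitimate records (placeholder names, not real hosts).
BASELINE: Records = {
    "NS": {"ns1.dns-provider.example.", "ns2.dns-provider.example."},
    "MX": {"mail.victim.example."},
    "A:www.victim.example.": {"192.0.2.10"},
}

# Constructed snapshot as a monitor would capture it after a registrar compromise:
# the delegation and the mail exchanger now point at hosts outside the baseline.
HIJACKED: Records = {
    "NS": {"ns1.rogue.example.", "ns2.rogue.example."},
    "MX": {"mx.rogue.example."},
    "A:www.victim.example.": {"192.0.2.10"},
}

def diff_records(baseline: Records, observed: Records) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Return {rtype: (added, removed)} for every record set that differs from baseline."""
    drift = {}
    for rtype in sorted(set(baseline) | set(observed)):
        base, seen = baseline.get(rtype, set()), observed.get(rtype, set())
        added, removed = seen - base, base - seen
        if added or removed:
            drift[rtype] = (added, removed)
    return drift

def severity(drift: Dict[str, Tuple[Set[str], Set[str]]]) -> str:
    """NS drift hands the whole zone to someone else and MX drift intercepts mail,
    so both are critical; any other change is a warning; no drift is ok."""
    if "NS" in drift or "MX" in drift:
        return "critical"
    return "warning" if drift else "ok"

def alerts(baseline: Records, observed: Records, ns_ttl: int = 86400) -> List[str]:
    """Alert lines for an operator, including how long caches may keep serving a
    hijacked delegation after the registrar account is recovered (bounded by NS TTL)."""
    drift = diff_records(baseline, observed)
    lines = [f"severity={severity(drift)}"]
    for rtype, (added, removed) in drift.items():
        lines.append(f"{rtype}: +{sorted(added)} -{sorted(removed)}")
    if "NS" in drift:
        lines.append(f"NS TTL {ns_ttl}s: hijacked delegation may persist up to "
                     f"{ns_ttl // 3600}h after recovery")
    return lines

if __name__ == "__main__":
    print("\n".join(alerts(BASELINE, HIJACKED)))
```

In practice the observed snapshot would come from querying the parent zone's delegation and the domain's authoritative servers on a schedule; the diff logic stays the same.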

To read the full story, pre-register for your copy of the Q1 2015 State of the Internet - Security Report.