DNS Hijacking

Attacking web sites by going to the source, targeting DNS servers rather than the web sites themselves shows both the boldness of hackers as well as the fragility of the Internet.

While not new, DNS hijacking attacks took an important turn this year showing how much we rely on the web and now little we care for its protection. In the past DNS hijacking required complete control over the DNS server. In recent years most applications are controlled through a web interface, including DNS servers. Earlier this year attackers found an XSS vulnerability in a common DNS platform to hijack unused DNS entries for phishing

But this was only a small prelude to the real thing. CNet reports that this time hackers took over an entire TLD (Top Level Domain, or country) DNS server using SQL injection, virtually defacing the Puerto Rican site of companies such as Google and Microsoft.

The amazing story unfolds in the comments to CNet story, which outlines a mischievous professor and slow authorities who let him privatize and monetize on domain registration in Puerto Rico without any control.

The question we are left with is whether other countries and geographies different? Or even other industries for that matter?

Netcraft, one of the leading authorities on phising research, reports a Phishing scam that involves XSS.

In an attack with an alarming similarity to the COX incident (WHID 2008-45), but with a far greater potential damage, hackers changes the DNS records for CheckFree, the largest bill payment service in the USA. Customers where redirected to servers in the Ukraine, which attempted to install a password login software on their computers.

The change was done using correct credentials to login to the administrative web site of Network Solutions, CheckFree domain registrar. It is yet unknown how the hackers got the credentials. Since Phishing attacks against domain registrars including Network Solutions have started to surface recently, a good guess is that it was through a Phishing attack.

According to CheckFree report to the authorities, it estimates that around 160,000 customers where expoesed to the attack, and informed 5 million potential victims who may have been among this group.

Additional information:

• The Washington Post's analysis of the incident

Update (Jan 13^th 2009) - Ynet, an Israeli paper, reports that many of the sites defaced where actually DNS hijacked following a break-in to the servers of DomainTheNet, an Israeli registrar. And just like other recent DNS hijacking incidents, the fault was lack of sufficient authentications and the hackers got hold of passwords to the administration system.