Attackers Using DNS Poisoning to Hijack Website Domains, Divert Traffic
Instead of just launching distributed denial-of-service attacks, cyber-attackers have started hijacking domain names and redirecting traffic from legitimate sites to malicious ones.
The hacker group Anonymous recently managed to hijack the Domain Name System record for CBS.com and redirected all traffic to another Web server that displayed an empty directory structure. It appeared as if the contents of CBS.com had been wiped, but it was actually a different server altogether. CBS.com managed to regain control of its domain after the DNS poisoning attack.
A group of attackers called UGNazi, which may or may not have Anonymous sympathies, was behind a similar attack on the Website of the Ultimate Fighting Championship over the weekend. The UFC had supported the controversial Stop Online Piracy Act and Protect IP Act bills, which are now temporarily shelved in Congress. The same group hijacked two domains belonging to luxury handbag and leather goods retailer Coach and diverted the traffic.
"We arn't done...not even close," the attackers wrote on their Website. A short list of "targets" on the site explained the attacks were a result of the organizations' support of SOPA.
All DNS hijack attacks thus far have been detected and fixed within hours. Coach had help from the hosting company of the Website which was suddenly receiving the diverted traffic, who helped identify the problem so it could be fixed.
"Both Coach and UFC got lucky that the hacktivist criminals are apparently inexperienced in the matter of DNS hijackings, which made it relatively easy to mitigate the attacks," Lars Harvey, CEO and co-founder of Internet Identity, wrote on the IID blog.
Both Coach and UFC registered their domains through Network Solutions. It was evident the attackers had accessed Network Solutions' domain management accounts, according to Harvey. While it was unclear how they had done so, the cause is usually weak or compromised user passwords or a vulnerability in the registrar's Website, Harvey said.
Organizations should register domains at corporate-focused registrars instead of consumer-focused ones because the former are more likely to have security measures in place to detect these kinds of hijackings, according to Harvey. Organizations should also continuously monitor the DNS to notice an attack in progress.
SOPA-related attacks continued this week and don't appear to be abating. Anonymous attacked OnGuardOnline, a government-managed Website devoted to keeping users secure online. Some Anonymous members said the OnGuardOnline attack was in retaliation for SOPA and PIPA, as well as the proposed international agreement on combating online piracy, according to a message posted Jan. 23 on text-sharing site Pastebin,.
"If SOPA/PIPA/ACTA passes we will wage a relentless war against the corporate Internet, destroying dozens upon dozens of government and company Websites," the message read.
Both houses of Congress have already agreed to shelve Stop Online Piracy Act and the Protect IP Act and start over on anti-piracy legislation, although some lawmakers still support the original legislation. The Anti-Counterfeiting Trade Agreement is a proposed international agreement to establish standards on how to enforce IP rights. The U.S. is a signatory, as is France.
OnGuardOnline.gov remained offline as of Wednesday afternoon Eastern time.
The FTC confirmed the attack. "The site has been taken down and will be brought back up when we're satisfied that any vulnerability has been addressed," the FTC said in a statement.
Managed by the Federal Trade Commission, OnGuardOnline.gov is a partnership of 14 federal agencies to help users be safe, secure and responsible online. The departments of Homeland Security, Commerce, Education, Justice and State, Commodity Futures Trading Commission, Consumer Financial Protection Bureau, Federal Communication Commission, Federal Deposit Insurance Corporation, Information Assurance Support Environment, Internal Revenue Service, Naval Criminal Investigation Service, Securities and Exchange Commission, Army Criminal Investigation Command and the U.S. Postal Inspection Service are part of the initiative.
The post hinted the attackers had obtained passwords and personal details from various sources which have not yet been dumped online.