
Hacktivists Turn to DNS Hijacking

Hacktivists have started hijacking domain names, and that is not a good thing.  A DNS hijack redirects all of the traffic bound for the victim's legitimate website (and often its e-mail and back-end transactions too) to a destination of the attacker's choosing.  A determined criminal can set up a look-alike destination site to dupe customers into revealing credentials or downloading malware.

Many companies pay little, if any, attention to securing their domain registrations, and most do not continuously monitor their DNS to make sure it is resolving correctly around the world. So they are both vulnerable to attack and blind to it when it happens.  The first indication most victims have of a DNS hijack is that their website traffic slows to a trickle. Then they have to figure out why, and DNS is rarely the first thing they think of, which lengthens the time it takes to mitigate the attack.

High-profile brands are the latest victims due to their lobbying efforts

On Sunday, the domain name UFC.com was hijacked by a hacktivist group that apparently didn't like the mixed-martial-arts organization's support of the SOPA/PIPA bills. Then on Monday evening the same group, called UGNazi, hijacked two domain names, coach.com and coachfactory.com, belonging to luxury goods maker Coach Inc. for the same reason.  (None of the websites was "hacked" or compromised, as many online reports suggest; the domains were redirected.) Thankfully, both DNS hijacks were defeated within a few hours.  In the Coach case, it appears that the legitimate hosting company to which the hijacked domain was redirected noticed the large influx of new traffic, quickly determined its nefarious source and helped get the problem fixed. Kudos to them for the excellent incident response!

Both Coach and UFC got lucky that the hacktivist criminals are apparently inexperienced at DNS hijacking, which made the attacks relatively easy to mitigate.  I won't go into details here.  We'll let the bad guys figure out for themselves how to improve their attacks. (Unfortunately, they will.)

Both Coach and UFC had their domains registered at Network Solutions. The criminals hijacked the domains by accessing the companies' domain management accounts at Network Solutions and changing the nameserver delegation. It's currently unclear how they got in. In such cases, the cause is usually a weak or compromised user password or a website vulnerability at the registrar.  Since very few registrars offer multi-factor authentication, taking over a domain name can be almost trivially easy for any attacker who obtains the account password.

What to do

We've said this before, and we'll probably say it many times again.  Every company that relies on its domain name(s) for significant business activity should have its domains registered at a corporate domain registrar, like our partners Corporation Service Company and Safenames.  Such registrars have designed their services to serve companies, and provide levels of security and service that make it much more difficult for an attacker to hijack your domain. If your corporate domains are registered at consumer-focused registrars like GoDaddy, Network Solutions, and Register.com, then you are much more vulnerable to attack, simply because their business models don't allow them to be protective enough of your corporate domain registrations.

The other protective measure is to continuously monitor your DNS so that you are immediately aware of attacks.  IID's ActiveTrust DNS service does just that, and has our 24/7 incident-response experts standing ready to mitigate attacks as soon as they occur.
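To make the monitoring advice concrete (both the point above and the earlier observation that most companies never check that their DNS resolves correctly around the world), here is a small monitor added as an example; it is not IID's code and not a description of how the ActiveTrust service works. It polls a domain's NS and A records from several public resolvers and compares each answer to a known-good baseline. A changed NS set is treated as critical, because a registrar-account takeover of the kind described above shows up as a changed delegation, and that redirects mail and everything else, not just the web. The resolver choices, the `example.net`/`attacker-host.example` names and the sample answers are all constructed for the demonstration; live queries assume the third-party dnspython library.

```python
"""Poll a domain's NS and A records from several public resolvers and flag any
answer that drifts from a known-good baseline.  Added example, not IID's code."""
from __future__ import annotations

import sys
from dataclasses import dataclass

# Assumption: a few well-known public resolvers give a rough "around the world"
# view; a production monitor would add resolvers in each region you serve.
PUBLIC_RESOLVERS = {"google": "8.8.8.8", "cloudflare": "1.1.1.1", "quad9": "9.9.9.9"}


def normalize(names) -> frozenset:
    """Case-fold and strip the trailing dot so 'NS1.Example.NET.' == 'ns1.example.net'."""
    return frozenset(n.strip().lower().rstrip(".") for n in names if n.strip())


@dataclass(frozen=True)
class Baseline:
    """What the zone should look like: the delegation (NS) and the web address(es) (A)."""
    ns: frozenset
    a: frozenset


@dataclass(frozen=True)
class Finding:
    resolver: str
    rrtype: str
    severity: str          # "critical" or "warning"
    expected: frozenset
    observed: frozenset

    def __str__(self) -> str:
        return (f"[{self.severity.upper()}] {self.resolver}: {self.rrtype} answer "
                f"{sorted(self.observed) or '<none>'} != expected {sorted(self.expected)}")


def check_answers(baseline: Baseline, observed: dict) -> list:
    """Compare per-resolver answers ({resolver: {"NS": [...], "A": [...]}}) to the baseline.

    NS drift is always critical: that is what a registrar-account takeover produces.
    A drift is critical when nothing overlaps the baseline (the whole site now points
    elsewhere) and a warning when it partly overlaps (a CDN rotation, or a hijack still
    propagating).  An empty answer is a warning: maybe an outage, maybe the first symptom.
    """
    findings = []
    for resolver, answers in sorted(observed.items()):
        for rrtype, expected in (("NS", baseline.ns), ("A", baseline.a)):
            seen = normalize(answers.get(rrtype, ()))
            if seen == expected:
                continue
            if not seen:
                severity = "warning"
            elif rrtype == "NS" or not (seen & expected):
                severity = "critical"
            else:
                severity = "warning"
            findings.append(Finding(resolver, rrtype, severity, expected, seen))
    return findings


def worst_severity(findings) -> str:
    """'critical' > 'warning' > 'ok', so a caller can page on the single worst finding."""
    levels = {f.severity for f in findings}
    return "critical" if "critical" in levels else "warning" if "warning" in levels else "ok"


def live_answers(domain: str, resolvers=PUBLIC_RESOLVERS, timeout: float = 3.0) -> dict:
    """Query each resolver directly (third-party dnspython, imported lazily so the
    offline comparison above has no dependency).  Any failure becomes an empty answer."""
    import dns.resolver

    out = {}
    for name, ip in resolvers.items():
        r = dns.resolver.Resolver(configure=False)
        r.nameservers = [ip]
        r.lifetime = timeout
        out[name] = {}
        for rrtype in ("NS", "A"):
            try:
                out[name][rrtype] = [rr.to_text() for rr in r.resolve(domain, rrtype)]
            except Exception:       # NXDOMAIN, NoAnswer, timeout: treat as "no answer"
                out[name][rrtype] = []
    return out


# Constructed sample answers (not real measurements): one resolver clean, one showing
# a delegation hijack to attacker-controlled nameservers, one with a partly changed A
# set, and one that returned nothing for A.
SAMPLE_BASELINE = Baseline(ns=normalize(["ns1.example.net.", "ns2.example.net."]),
                           a=normalize(["192.0.2.10", "192.0.2.11"]))
SAMPLE_OBSERVED = {
    "google": {"NS": ["NS1.Example.net.", "ns2.example.net."], "A": ["192.0.2.11", "192.0.2.10"]},
    "cloudflare": {"NS": ["ns1.attacker-host.example.", "ns2.attacker-host.example."],
                   "A": ["198.51.100.7"]},
    "quad9": {"NS": ["ns1.example.net.", "ns2.example.net."], "A": ["192.0.2.10", "192.0.2.12"]},
    "region-x": {"NS": ["ns1.example.net.", "ns2.example.net."], "A": []},
}

if __name__ == "__main__":
    if len(sys.argv) == 4:      # live run: dnsmon.py DOMAIN ns1,ns2 ip1,ip2
        base = Baseline(ns=normalize(sys.argv[2].split(",")), a=normalize(sys.argv[3].split(",")))
        obs = live_answers(sys.argv[1])
    else:                       # no arguments: run against the constructed sample
        base, obs = SAMPLE_BASELINE, SAMPLE_OBSERVED
    hits = check_answers(base, obs)
    for h in hits:
        print(h)
    print("status:", worst_severity(hits))
```

Run it with no arguments to see the constructed sample scored (two critical findings from the hijacked delegation, two warnings), or with a domain and its expected NS and A records to poll live. Querying each resolver directly, rather than through the local stub resolver, is what catches a hijack that has propagated to some of the world but not yet to your own office; a real deployment would run this on a schedule and page on any critical finding.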

Another group of criminals has discovered how easy and powerful DNS hijacks can be.  There will be more.
