Get your DNSChanger diagnosis today!


Written by Lars Harvey Thursday, 02 February 2012 16:25

It was about 2 1/2 months ago that the FBI, in cooperation with other law enforcement agencies, took down the DNSChanger gang with Operation Ghost Click.  You may recall that a court order was put in place to keep the formerly malicious DNS resolvers used by the DNSChanger malware working so that nearly 5 million victims didn't immediately lose the ability to navigate the Internet. The idea was to buy time - the court order was for 120 days - to give network operators and their users a chance to clean their machines.  That grace period expires on March 8, 2012.

We have been tracking the clean up effort, which after an initial burst has slowed to a trickle.  We also noticed in our conversations with enterprises that many CISOs and network security personnel were unaware of DNSChanger and the associated clean up effort, despite all the initial publicity that surrounded the takedown of the operation. To get an idea of how widespread the ignorance of DNSChanger is, we recently took a look at how many Fortune 500 companies still have DNSChanger infections on their networks.  And the answer is one-half!  Fifty percent of Fortune 500 companies have some sort of DNSChanger infection (and maybe many infections) on their networks. (See our press release on the study.)

Why is this a problem?  Well, for one thing, it suggests that half of all large enterprises have DNSChanger infections.  And since DNSChanger was most often delivered by a rootkit malware that also would deliver many other infections, it means that these enterprises likely have badly infected machines on their networks, which could lead to all kinds of trouble, maybe even with the SEC.  See our PDF whitepaper on remediation for more details about the various malware infections associated with DNSChanger. The DNSChanger infection is a giant red warning light, and there is a 50% chance it is blinking for your enterprise.

Fortunately, enterprises and other network operators can easily determine if their networks have DNSChanger infections. Several organizations, including IID, have volunteered to help get the word out and will provide bona fide network operators with a diagnosis for free. These organizations are listed at the DNS Changer Working Group website.  Get your network checked for DNSChanger today!


Hacktivists Turn to DNS Hijacking


Written by Lars Harvey Tuesday, 24 January 2012 10:23

Hacktivists have started hijacking domain names, and that is not a good thing.  DNS hijacks redirect all the traffic from their legitimate websites (and often all the e-mail and back-end transactions too) to a destination of the attacker's choosing.  A determined criminal can set up a fake look-alike destination site to dupe customers into revealing credentials or downloading malware.

Many companies pay little if any attention to securing their domain registrations, and most do not continuously monitor their DNS to make sure it is resolving properly around the world. So they are both vulnerable to attacks and blind to attacks when they happen.  The first indication most victims have of a DNS hijack is that their website traffic slows to a trickle. Then they have to figure out why, and DNS is rarely the first thing they think of, which lengthens the time to mitigate the attack.

High profile brands the latest victims due to their lobbying efforts

On Sunday, the domain name UFC.com was hijacked by a hacktivist group that apparently didn't like the mixed-martial arts fighting organization's support of the SOPA/PIPA bills. Then on Monday evening that same group, called UGNazi, hijacked two domain names, coach.com and coachfactory.com, belonging to luxury goods maker Coach Inc. for the same reason.  (None of the websites were "hacked" or compromised, as many online reports suggest.) Thankfully, both DNS hijack attacks were defeated within a few hours.  In the Coach case, it appears that the legitimate hosting company to which the hijacked domain was redirected noticed the large influx of new traffic, quickly determined its nefarious source and helped get the problem fixed. Kudos to them for the excellent incident response!

Both Coach and UFC got lucky that the hacktivist criminals are apparently inexperienced in the matter of DNS hijackings, which made it relatively easy to mitigate the attacks.  I won't go into details here.  We'll make the bad guys figure it out for themselves how to improve their attacks. (Unfortunately, they will.)

Both Coach and UFC had their domains registered at Network Solutions. The criminals hijacked the domains by accessing the companies' domain management accounts at Network Solutions. It's currently unclear how they did so. In such cases, the cause is usually weak or compromised user passwords or a website vulnerability at the registrar.  Since very few registrars use multi-factor authentication, this makes taking over domain names almost trivially easy for any hacker.

What to do

We've said this before, and we'll probably say it many times again.  Every company that relies on its domain name(s) for significant business activity should have its domains registered at a corporate domain registrar, like our partners Corporation Service Company and Safenames.  Such registrars have designed their services to serve companies, and provide levels of security and service that make it much more difficult for an attacker to hijack your domain. If your corporate domains are registered at consumer-focused registrars like GoDaddy, Network Solutions, and Register.com, then you are much more vulnerable to attack simply because their business models don't allow them to be protective enough of your corporate domain registrations.

The other protective measure is to continuously monitor your DNS so that you are immediately aware of attacks.  IID's ActiveTrust DNS service does just that, plus has our 24/7 incident response experts standing at the ready to mitigate attacks as soon as they occur.
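As an added illustration of what "continuously monitor your DNS" means in practice (this is example code, not ActiveTrust or any IID software), the check below compares answers collected from several vantage points against the records the registrant expects; the domain, nameservers, addresses and resolver names are constructed placeholders, and collecting the live answers is left to the operator's resolver tooling.

```python
"""Compare live DNS answers for a domain with a known-good baseline.
Added example with constructed data, not IID/ActiveTrust code: record
the expected NS and A records, then check answers from several vantage points.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Baseline:
    name: str
    ns: frozenset   # nameservers set at the registrar
    a: frozenset    # addresses the website should resolve to

@dataclass(frozen=True)
class Observation:
    resolver: str   # vantage point the answer was collected from
    ns: frozenset
    a: frozenset

def assess(baseline, observations):
    """Return (resolver, finding) pairs; an empty list means no drift."""
    findings = []
    for obs in observations:
        if obs.ns != baseline.ns:
            # A changed delegation is what a registrar account takeover
            # looks like from the outside: the zone now lives elsewhere.
            findings.append((obs.resolver, "NS delegation changed"))
        elif obs.a != baseline.a:
            # Same delegation, different address: zone data altered or a
            # poisoned cache at this vantage point.
            findings.append((obs.resolver, "A record changed"))
    # Vantage points disagreeing with each other is itself a signal,
    # since a hijack propagates unevenly as caches expire.
    if len({obs.a for obs in observations}) > 1:
        findings.append(("*", "vantage points disagree on A records"))
    return findings

# Constructed baseline and answers (hostnames/addresses are placeholders).
BASELINE = Baseline("brand.example",
                    frozenset({"ns1.brand.example", "ns2.brand.example"}),
                    frozenset({"192.0.2.10"}))
OBSERVED = [
    Observation("resolver-us", BASELINE.ns, BASELINE.a),
    Observation("resolver-eu", frozenset({"ns1.hijack-placeholder.example"}),
                frozenset({"198.51.100.7"})),
]

def check_brand():
    return assess(BASELINE, OBSERVED)
```

A delegation change seen from any vantage point is the finding to page someone on, since it is the outward sign of the registrar-account takeover described above.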

Another group of criminals has discovered how easy and powerful DNS hijacks can be.  There will be more.


Driving victims to browser exploit attacks: the latest wave in social engineering spam


Written by Rod Rasmussen Wednesday, 04 January 2012 10:05

At the close of 2011, we saw many large organizations with popular, trusted brands and names being spoofed in massive spam campaigns in order to infect large numbers of users – primarily businesses – with several different malware exploits.  A sampling of those that are affected includes the Better Business Bureau (BBB), Bank of America, UPS, Amazon, Xerox, IRS, FDIC, Federal Reserve, Google, NACHA and several others.  Similarly, there have been waves of more “generic” spam lures spoofing “your bank”, “your friend in trouble”, or even “your printer”.   These lures don’t send victims to phishing sites, or even entice them to download some piece of software that turns out to be malware; rather, as soon as victims click on the link, their computers are likely to become infected, since the malicious sites they reach try a wide variety of exploit techniques to download malware automatically to the victims’ machines.

There are many different criminals and criminal groups involved in these attacks, using a variety of malicious Internet infrastructures that have been created by compromising thousands of machines around the world.  There are several distinct groups running these attacks, but the methods are similar, and in many cases, the tools and/or infrastructures used overlap, as there is an underground economy that supplies these elements to criminals looking to gain access to victims’ computers and ultimately information and/or credentials.  Some of these groups are particularly keen on getting onto machines in small/medium businesses to install Zeus or SpyEye, banking malware that allows the criminals to initiate ACH transfers from these accounts via online banking portals.  These attacks have been devastating to several small businesses in the past couple years: see http://krebsonsecurity.com/tag/ach-fraud/


How the attacks work

Spammers are luring victims through well-crafted, legitimate-looking emails that ask the recipient to click on a link which leads them to a hacked website.  Code that hackers have inserted on that website then redirects them to a landing page which houses the exploit and drops the malware.  Oftentimes there is more than one level of redirection involved, so a hacked site will forward to another hacked site, which will then redirect to the actual exploit site.  The so-called “landing page” with the actual malware is typically controlled directly by one of the criminal groups. Depending upon the network and the criminal using the infrastructure, their goals, and their current campaign, we are seeing many different types of malware dropped on the victims’ machines.

The malware is installed immediately and without the knowledge of the victim – a technique known as a “drive-by download”.  Some of the malware families we’re seeing from these exploits are Zeus, Bugat, Cridex, Fake AV, TDSS, SpyEye and Cutwail.  All of these malware families are well known and tracked by the anti-virus industry, but because of the constant changes the malware authors employ to disguise the malware, detection rates are very low when these lures go out, so most people who click on the link will get infected.

Please refer to our case study (PDF) on a recent campaign for a more in-depth view of how these campaigns work.

Once one of these malware types is installed, that computer is often deeply infected and may need to be “burned to the ground” or, at the very least, assessed by an IT professional to see whether the infected device is recoverable without a total wipe-and-rebuild.

(UPDATE 1/16/12: For an explanation of the vulnerabilities in Windows that the malware exploits, see the "Plenty to complain about with faux BBB spam" post by the Microsoft Malware Protection Center blog.)

This is a prolific, continuously recurring threat that many organizations have faced in the past few months.  It is our opinion that this is the direction many of today’s simpler phishing attacks will evolve towards, as it appears to have been very effective.  The problem with these types of exploits is that:

  • These threats are virtually undetectable when they first come out by most anti-virus (AV) software and with the drive-by exploit techniques being used, most Windows-based machines will be infected just by visiting the site.
  • Once installed, the malware will usually turn off any AV solution installed on that machine.
  • These attacks do not represent new or unknown technology to law enforcement agencies and security companies.  Currently the FBI is working on these threats with a high priority, and we are actively assisting them in those efforts.  Security companies that offer traditional desktop AV software are also very aware of these threats and are doing the best that they can to combat them. Unfortunately, AV software is often updated too late to help against these large spam runs, as it often takes a day or more for AV companies to release the new signatures that come along with each new attack wave.


We haven’t seen the massive attacks in the past two weeks because of the holidays and turn of the new year, but fully expect them to be resurrected.  Besides the holiday season, which it seems that cyber-criminals take time to enjoy as well, there may be a technical factor involved.  Most of these spam campaigns use Cutwail, and rumor has it that since Brian Krebs’ recent report on one of the major players behind Cutwail, the botnet has been lying low.  There are plenty of other spamming botnets out there, however, and we fully expect Cutwail to be back as well.


What can be done to help mitigate this problem?

Of course getting the word out about these campaigns and making sure people are aware that they shouldn’t even click on anything like this is a top priority – the infection rates we’ve seen from some client reports are phenomenally high, and awareness of this type of attack is still very low.

At this point in time, given the massive volume of lure sites we see, the most effective way of managing the actual threat sites is to go after the underlying infrastructure that supports the hundreds of compromised sites.  This would start at the heart of the set-up, the landing pages and the domains that enable them, as they are completely owned by the criminals.  When someone, be that IID or another security company, a victim company, a government organization, or a volunteer do-gooder, gets the bad domains and/or bad IPs which host the exploit sites taken down, then that cycle of infection is broken.

Even once the infection site is taken down, we will continue to see the malicious emails, and victims will still be able to go to the initial hacked websites. However, they will not be infected – unless the criminals go back and set up new redirects when they create a new underlying infrastructure.

If there are two levels of redirection used, then killing the intermediate redirection layer is also cost-effective, as again, the criminal is relying on that handful of sites to power hundreds of other compromised sites.  This approach hits the criminals the hardest, as they do have to invest a fair amount of time setting up each primary infrastructure set, while the infected “lure” sites can be bought in bulk and are essentially throw-aways.
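To make the argument of the last two paragraphs concrete, here is an added example (not from the post, and not any IID tool) that ranks takedown targets by how many lure sites funnel into each redirector or landing page; the redirect chains and hostnames are constructed placeholders.

```python
"""Rank takedown targets in a spam-to-malware redirect infrastructure.

Added example, not from the post; hostnames are constructed placeholders.
Each chain is the path a lure link walks: compromised lure site ->
optional intermediate redirector -> landing page holding the exploit.
"""
from collections import defaultdict

# Constructed observations: one tuple per chain followed from a spam lure.
CHAINS = [
    ("lure-a.example", "hop1.example", "landing-x.example"),
    ("lure-b.example", "hop1.example", "landing-x.example"),
    ("lure-c.example", "hop1.example", "landing-x.example"),
    ("lure-d.example", "hop2.example", "landing-x.example"),
    ("lure-e.example", "landing-y.example"),
    ("lure-f.example", "landing-y.example"),
]

def reach(chains):
    """Map every non-lure host to the set of lure sites that funnel into it."""
    downstream = defaultdict(set)
    for chain in chains:
        for host in chain[1:]:
            downstream[host].add(chain[0])
    return downstream

def fan_in(chains):
    """Number of distinct lure sites each redirector or landing page serves."""
    return {host: len(lures) for host, lures in reach(chains).items()}

def takedown_plan(chains):
    """Greedy set cover: at each step take down the host that still cuts
    the most live lures off from their exploit page, until none remain.
    Returns [(host, lures neutralised)] in order."""
    downstream = reach(chains)
    live = {chain[0] for chain in chains}
    plan = []
    while live:
        host = max(sorted(downstream), key=lambda h: len(downstream[h] & live))
        hit = downstream[host] & live
        if not hit:
            break  # remaining lures point nowhere we can act on
        plan.append((host, len(hit)))
        live -= hit
    return plan
```

On the constructed data two takedowns cut all six lures off from their exploit pages, where cleaning the lure sites one by one would take six; the intermediate hop serving three lures is the next most valuable target if the landing page is slow to come down.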

It is important to note, though, that customer complaints to spoofed brands will likely not drop significantly if there are hundreds of lure sites still left around, but killing those hundreds of sites will take a significantly larger effort.  So it comes down to a resource-allocation decision – spend more time/money to do a full cleanup to curb the abuse and thus complaints, or absorb higher costs on the customer service/support side, plus any loss of business because of the lack of understanding of how e-mail spoofing works on the part of customers.

This last point is quite important – it is imperative to get good information about the true nature of these spam-to-malware attacks out to the front-line support people dealing with the onslaught, and of course to the victims sending in complaints.  Messaging to customers who complain should also explain any level of effort you engage in, but especially the fact you’re going after the malware exploit sites themselves.  It is also important to inform potential victims who write in that if they clicked on the link at all, they are likely to be infected because of the drive-by download nature of these sites. And let them know that if they’re a small business owner, they are at a high degree of danger due to the ability of criminals to use that malware to transfer money out of their online business banking accounts.

