[dns-operations] DNS hijack - AVG, Avira and WhatsApp sites affected - seems to be a registrar compromise

[Dan York]

I noticed this article posted on Tuesday on The Register:

http://www.theregister.co.uk/2013/10/08/dns_hijack_attack_spree

which also points to these stories:

http://grahamcluley.com/2013/10/avg-website-palestinian-hackers/
http://grahamcluley.com/2013/10/whatsapp-hacked-offline/

and it appears that early the hosting firm LeaseWeb had a similar DNS hijack:

http://blog.leaseweb.com/2013/10/06/statement-on-dns-hijack-of-leaseweb-com-website/

>From what I gather from various reports the first three (AVG, Avira and WhatsApp) seem to be due to the registrar, Network Solutions, accepting a fake password-reset request.  As reported in the first grahamcluley article, a spokesperson from Avira said:
----
It appears that our account used to manage the DNS records registered at Network Solutions has received a fake password-reset request not being initiated by anyone at Avira.

Network Solutions appears to have honored this request and allowed a 3rd party to assume control of our DNS. Using the new credentials the cybercriminals have been able to change the entries to point to their DNS servers.
----

If this is the case for all of these, there's nothing that DNSSEC or anything else could have done here as the attackers are gaining full access to the domain registrants DNS records and can modify them as they wish.

Dan

--
Dan York
Senior Content Strategist, Internet Society
york at isoc.org <mailto:york at isoc.org>   +1-802-735-1624
Jabber: york at jabber.isoc.org <mailto:york at jabber.isoc.org>
Skype: danyork   http://twitter.com/danyork

http://www.internetsociety.org/deploy360/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20131010/caae07f7/attachment.html>