[dns-operations] DNS hijack - AVG, Avira and WhatsApp sites affected - seems to be a registrar compromise

Marco Davids (SIDN) marco.davids at sidn.nl
Thu Oct 10 16:07:15 UTC 2013


On 10/10/13 5:43 PM, Dan York wrote:

> From what I gather from various reports the first three (AVG, Avira and
> WhatsApp) seem to be due to the registrar, Network Solutions, accepting
> a fake password-reset request. 

> If this is the case for all of these,

It is the case indeed, I am afraid. DNS hijacking via registrar/registry
systems seems to be very popular these days.

BTW, here's the statement of Leaseweb:

http://blog.leaseweb.com/2013/10/06/statement-on-dns-hijack-of-leaseweb-com-website/

> there's nothing that DNSSEC or anything else could have done here 

Not entirely true. Some form of domain-locking might have helped. For
instance, we offer a protection-service, called .nl-control, where we
actually block any automated change until a few recognized
representatives have given explicit permission, both orally and in writing.

But, having said that, I am still quite concerned about this relatively
new trend. I'm afraid it won't stop here.

Regards,

--
Marco
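
[Added example, not part of the original message and not SIDN's code.] One way to check what kind of lock a domain has is to read its EPP status values (RFC 5731) from WHOIS-style output: a client* status is set and cleared through the registrar, while a server* status is held by the registry. This generalises beyond the .nl-control service named above and does not describe how that service is implemented; the domain names and WHOIS text are constructed samples.

```python
import re

# The three classes of change an EPP "...Prohibited" status can block.
OPERATIONS = ("update", "transfer", "delete")
STATUS_RE = re.compile(r"^\s*(?:Domain )?Status:\s*(\S+)", re.I | re.M)

# Constructed sample: locks set through the registrar only.
SAMPLE_REGISTRAR_ONLY = """\
Domain Name: EXAMPLE-ONE.TEST
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""

# Constructed sample: registry-held locks in addition to a registrar lock.
SAMPLE_REGISTRY_LOCK = """\
Domain Name: EXAMPLE-TWO.TEST
Domain Status: clientTransferProhibited
Domain Status: serverUpdateProhibited
Domain Status: serverTransferProhibited
Domain Status: serverDeleteProhibited
"""

def parse_statuses(whois_text):
    """Return the lower-cased EPP status tokens found in the text."""
    return {m.group(1).lower() for m in STATUS_RE.finditer(whois_text)}

def lock_report(whois_text):
    """Map each operation to 'registry', 'registrar' or None (unlocked)."""
    statuses = parse_statuses(whois_text)
    report = {}
    for op in OPERATIONS:
        if f"server{op}prohibited" in statuses:
            report[op] = "registry"    # only the registry can lift it
        elif f"client{op}prohibited" in statuses:
            report[op] = "registrar"   # removable from the registrar account
        else:
            report[op] = None
    return report

def survives_registrar_compromise(whois_text):
    """True only when nameserver updates are blocked at registry level."""
    return lock_report(whois_text)["update"] == "registry"

if __name__ == "__main__":
    for sample in (SAMPLE_REGISTRAR_ONLY, SAMPLE_REGISTRY_LOCK):
        print(lock_report(sample), survives_registrar_compromise(sample))
```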



