Hackers try to hijack Facebook, other high profile domains through registrar
Some registration information for facebook.com was changed, but the domain was not redirected to an unauthorized server
IDG News Service - The Syrian Electronic Army (SEA), a group of hackers that has hijacked other high-profile domain names, managed to change the domain registration information for Facebook.com, but failed to redirect the domain to a different server.
The hackers posted screen shots Thursday on Twitter from what appeared to be the administration panel of a San Francisco-based company called MarkMonitor that manages domain names on behalf of large enterprises. The company's services focus on online brand protection and anticounterfeiting.
MarkMonitor's domain management service "ensures domains are safe with a 'hardened' portal and a full suite of premium security solutions, including advanced security measures at the registrar level -- and, security services to lock domains down to the registry level," the company's website says.
It seems that SEA targeted MarkMonitor in order to attack Facebook in particular as the company celebrated its 10th anniversary Tuesday. The group used the MarkMonitor control panel to modify the WHOIS information for facebook.com, changing the domain's contact address to Damscus, Syria.
The hackers failed to modify the domain's DNS (domain name system) settings and point the website to a server under their control, as they did in the past with the domain names of other companies. That's because facebook.com has a registry lock in place, a feature that requires additional human-based verification at the registry level for making changes to a domain name. The registry for the .com TLD zone is VeriSign.
It's not clear how SEA obtained access to the MarkMonitor control panel, but from other screen shots published by the hackers, the panel also gave them access to the domain names of Amazon, Google, Yahoo and many other well-known companies from different industries.
Domain whois queries for amazon.com, google.com and yahoo.com all show MarkMonitor as the registrar, but like facebook.com, all of those domain name have the "clientUpdateProhibited" flag which indicates the presence of a registry lock. This means SEA wouldn't have been able to hijack those domain names either.
MarkMonitor, which is owned by Thomson Reuters, did not immediately respond to an inquiry seeking more information about the attack.
Facebook declined to comment, but its domain's whois information was quickly corrected following the incident.
SEA's modus operandi involves launching spear phishing attacks against employees of the companies they target in order to obtain sensitive credentials. Spear phishing is a targeted form of phishing, which involves tricking people into divulging their login information or installing malicious software.
In August the hacker group used phishing to compromise a reseller account at an Australian domain registrar and IT services company called Melbourne IT. The hackers used the account to change the name server records for several domains including nytimes.com, sharethis.com, huffingtonpost.co.uk, twitter.co.uk and twimg.com.
- Using Cyber Insurance and Cybercrime Data to Limit Your Business Risk This paper examines the challenges of understanding cyber risks, the importance of having the right cyber risk intelligence, and how to use this...
- 5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to... All Cybercrime and Hacking White Papers | Webcasts