751 Domains Hijacked to Redirect Traffic to Exploit Kits

Solarquest

Jul 22, 2014
On July 7, French domain registrar Gandi lost control over 751 customer domains, which had their DNS records altered to point incoming traffic to websites hosting exploit kits.

The domain hijacking was active for only a few hours, between 12:50 UTC and 13:30 UTC, although the DNS records of some domains propagated more slowly and kept redirecting user traffic until 18:02 UTC.

Attacker obtained one of Gandi's passwords
In a report detailing the incident, Gandi's staff say the hijack was possible because an attacker was able to get their hands on one of the passwords for a backend provided by one of Gandi's technical partners.
The compromised credentials allowed Gandi's staff and other automated systems to connect to a backend and manage DNS details for 34 TLD extensions. The full list of affected TLDs includes:

.ASIA, .AT, .AU, .CAT, .CH, .CM, .CZ, .ES, .GR, .HK, .IM, .IT, .JP, .LA, .LI, .LT, .LV, .MG, .MS, .MU, .NL, .NU, .NZ, .PE, .PH, .PL, .RO, .RU, .SE, .SH, .SI, .SX, .UA, .XN--P1AI (.рф).
Gandi was adamant that they didn't suffer a breach, and suspect that the technical partner was to blame.

"We strongly suspect they were obtained from an insecure connection to our technical partner’s web portal," the Gandi team said, "the web platform in question allows access via http."

Traffic redirected to exploit kits. Email traffic left alone.

....
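A defender-side check this incident suggests, added here as an example that is not from the article or from Gandi: keep a baseline of the A records you expect for your own domains, resolve them on a schedule and flag any drift, since a registrar-side change like this one shows up in public DNS long before anyone at the registrar notices. The domain names and addresses below are constructed, and `resolve_live` is only needed when you run it against real DNS.

```python
import socket
from typing import Dict, Set

# Constructed baseline: the addresses each of our domains should resolve to.
EXPECTED: Dict[str, Set[str]] = {
    "example.net": {"192.0.2.10"},
    "shop.example.net": {"192.0.2.10", "192.0.2.11"},
}


def diff_records(expected: Dict[str, Set[str]],
                 observed: Dict[str, Set[str]]) -> Dict[str, Dict[str, list]]:
    """Return, per domain, the addresses that appeared unexpectedly and the
    baseline addresses that went missing. An empty dict means no drift."""
    findings: Dict[str, Dict[str, list]] = {}
    for domain, want in expected.items():
        got = observed.get(domain, set())
        unexpected, missing = got - want, want - got
        if unexpected or missing:
            findings[domain] = {"unexpected": sorted(unexpected),
                                "missing": sorted(missing)}
    return findings


def resolve_live(domains) -> Dict[str, Set[str]]:
    """Resolve current A records with the system resolver (needs network).
    Run this often: the Gandi hijack was visible for well under a day."""
    out: Dict[str, Set[str]] = {}
    for domain in domains:
        try:
            infos = socket.getaddrinfo(domain, None, socket.AF_INET)
            out[domain] = {info[4][0] for info in infos}
        except socket.gaierror:
            out[domain] = set()  # NXDOMAIN or resolver failure also counts as drift
    return out


if __name__ == "__main__":
    # Constructed observation mimicking a hijack: one domain now points at
    # an address we never configured, the other lost one of its two records.
    observed = {"example.net": {"203.0.113.5"},
                "shop.example.net": {"192.0.2.10"}}
    for domain, delta in diff_records(EXPECTED, observed).items():
        print(f"ALERT {domain}: unexpected={delta['unexpected']} "
              f"missing={delta['missing']}")
```

Replace the constructed `observed` dict with `resolve_live(EXPECTED)` to check real records; a domain that resolves to an address outside the baseline, or stops resolving at all, is the signal to verify with the registrar.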
