More than a million domain names — including many registered by Fortune 100 firms and brand protection companies — are vulnerable to takeover by cybercriminals thanks to authentication weaknesses at a number of large web hosting providers and domain registrars, new research finds.
Your Web browser knows how to find a site like example.com thanks to the global Domain Name System (DNS), which serves as a kind of phone book for the Internet by translating human-friendly website names (example.com) into numeric Internet addresses.
When someone registers a domain name, the registrar will typically provide two sets of DNS records that the customer then needs to assign to their domain. Those records are crucial because they allow Web browsers to find the Internet address of the hosting provider that is serving that domain.
But potential problems can arise when a domain’s DNS records are “lame,” meaning the authoritative name server does not have enough information about the domain and can’t resolve queries to find it. A domain can become lame in a variety of ways, such as when it is not assigned an Internet address, or because the name servers in the domain’s authoritative record are misconfigured or missing.
The reason lame domains are problematic is that a number of Web hosting and DNS providers allow users to claim control over a domain without accessing the true owner’s account at their DNS provider or registrar.
If this threat sounds familiar, that’s because it is hardly new. Back in 2019, KrebsOnSecurity wrote about thieves using this method to seize control over thousands of domains registered at GoDaddy, and using those to send bomb threats and sextortion emails (GoDaddy says they fixed that weakness in their systems not long after that 2019 story).
In the 2019 campaign, the spammers created accounts on GoDaddy and were able to take over vulnerable domains simply by registering a free account at GoDaddy and being assigned the same DNS servers as the hijacked domain.
Three years before that, the same pervasive weakness was described in a blog post by security researcher Matthew Bryant, who showed how one could commandeer at least 120,000 domains via DNS weaknesses at some of the world’s largest hosting providers.
Incredibly, new research jointly released today by security experts at Infoblox and Eclypsium finds this same authentication weakness is still present at a number of large hosting and DNS providers.
“It’s easy to exploit, very hard to detect, and it’s entirely preventable,” said Dave Mitchell, principal threat researcher at Infoblox. “Free services make it easier [to exploit] at scale. And the bulk of these are at a handful of DNS providers.”
SITTING DUCKS
Infoblox’s report found there are multiple cybercriminal groups abusing these stolen domains as a globally distributed “traffic distribution system,” which can be used to mask the true source or destination of web traffic and to funnel Web users to malicious or phishing websites.
Commandeering domains this way also can allow thieves to impersonate trusted brands and abuse their positive or at least neutral reputation when sending email from those domains, as we saw in 2019 with the GoDaddy attacks.
“Hijacked domains have been used directly in phishing attacks and scams, as well as large spam systems,” reads the Infoblox report, which refers to lame domains as “Sitting Ducks.” “There is evidence that some domains were used for Cobalt Strike and other malware command and control (C2). Other attacks have used hijacked domains in targeted phishing attacks by creating lookalike subdomains. A few actors have stockpiled hijacked domains for an unknown purpose.”
Eclypsium researchers estimate there are currently about one million Sitting Duck domains, and that at least 30,000 of them have been hijacked for malicious use since 2019.
“As of the time of writing, many DNS providers allow this through weak or nonexistent verification of domain ownership for a given account,” Eclypsium wrote.
The security firms said they found a number of compromised Sitting Duck domains were originally registered by brand protection companies that specialize in defensive domain registrations (reserving look-alike domains for top brands before those names can be grabbed by scammers) and combating trademark infringement.
For example, Infoblox found cybercriminal groups using a Sitting Duck domain called clickermediacorp[.]com, which was a CBS Interactive Inc. domain initially registered in 2009 at GoDaddy. However, in 2010 the DNS was updated to DNSMadeEasy.com servers, and in 2012 the domain was transferred to MarkMonitor.
Another hijacked Sitting Duck domain — anti-phishing[.]org — was registered in 2003 by the Anti-Phishing Working Group (APWG), a cybersecurity not-for-profit organization that closely tracks phishing attacks.
In many cases, the researchers found Sitting Duck domains that appear to have been configured to auto-renew at the registrar, but the authoritative DNS or hosting services were not renewed.
The researchers say Sitting Duck domains all possess three attributes that make them vulnerable to takeover:
1) the domain uses or delegates authoritative DNS services to a different provider than the domain registrar;
2) the authoritative name server(s) for the domain does not have information about the Internet address the domain should point to;
3) the authoritative DNS provider is “exploitable,” i.e. an attacker can claim the domain at the provider and set up DNS records without access to the valid domain owner’s account at the domain registrar.
How does one know whether a DNS provider is exploitable? There is a frequently updated list published on GitHub called “Can I take over DNS,” which has been documenting exploitability by DNS provider over the past several years. The list includes examples for each of the named DNS providers.
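The three attributes above can be turned into a check a domain owner or defender runs over their own portfolio. The script below is an added example, not code from the article or from Infoblox, Eclypsium or the “Can I take over DNS” project. It tests attribute 1 by mapping each delegated name server to a provider and comparing it with the registrar, attribute 2 by sending an SOA query for the domain directly to each delegated server and treating a refusal, failure or non-authoritative answer as lame, and attribute 3 by looking the lame servers’ provider up in an exploitability list. The provider mapping, the exploitability set, the domains and the DNS responses are all constructed so it runs offline; in practice the `query` callback would wrap a real resolver and the exploitability set would come from the GitHub list.

```python
"""Classify domains against the three "Sitting Duck" attributes (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed: name server hostname suffix -> provider name.
NS_PROVIDER_SUFFIXES = {
    ".registrar-x.example": "Registrar X",
    ".dns-provider-a.example": "Provider A",
    ".dns-provider-b.example": "Provider B",
}
# Constructed: providers where a zone can be claimed without proof of
# ownership at the registrar (attribute 3). Real data: "Can I take over DNS".
EXPLOITABLE_PROVIDERS = {"Provider A"}


@dataclass
class SoaProbe:
    """Outcome of an SOA query for the domain sent directly to one name server."""
    rcode: str            # "NOERROR", "REFUSED", "SERVFAIL", "NXDOMAIN"
    authoritative: bool   # AA flag set in the response
    has_soa: bool         # answer section carries an SOA for the domain


@dataclass
class Assessment:
    domain: str
    registrar: str
    providers: List[str]
    delegated_elsewhere: bool                                   # attribute 1
    lame_servers: List[str] = field(default_factory=list)       # attribute 2
    exploitable_providers: List[str] = field(default_factory=list)  # attribute 3

    @property
    def sitting_duck(self) -> bool:
        """All three attributes must hold at once."""
        return (self.delegated_elsewhere and bool(self.lame_servers)
                and bool(self.exploitable_providers))


def provider_for(ns: str) -> Optional[str]:
    ns = ns.lower().rstrip(".")
    for suffix, name in NS_PROVIDER_SUFFIXES.items():
        if ns.endswith(suffix):
            return name
    return None


def is_lame(probe: SoaProbe) -> bool:
    """Lame: the server refuses/fails, or answers without authority or SOA."""
    if probe.rcode != "NOERROR":
        return True
    return not (probe.authoritative and probe.has_soa)


def assess(domain: str, registrar: str, parent_ns: List[str],
           query: Callable[[str, str], SoaProbe]) -> Assessment:
    """parent_ns: servers the registrar/parent zone delegates the domain to.
    query(domain, ns): SOA probe against one server (real resolver in practice)."""
    providers = [provider_for(ns) or "unknown" for ns in parent_ns]
    result = Assessment(domain, registrar, providers,
                        delegated_elsewhere=any(p != registrar for p in providers))
    for ns, prov in zip(parent_ns, providers):
        if is_lame(query(domain, ns)):
            result.lame_servers.append(ns)
            if prov in EXPLOITABLE_PROVIDERS and prov not in result.exploitable_providers:
                result.exploitable_providers.append(prov)
    return result


# Constructed responses keyed by (domain, server). Anything unlisted is REFUSED,
# the usual reply from a provider for a zone it does not host.
_PROBES: Dict[Tuple[str, str], SoaProbe] = {
    ("healthy.example", "ns1.registrar-x.example"): SoaProbe("NOERROR", True, True),
    ("healthy.example", "ns2.registrar-x.example"): SoaProbe("NOERROR", True, True),
    ("lapsed-brand.example", "ns2.dns-provider-a.example"): SoaProbe("NOERROR", False, False),
    ("lapsed-other.example", "ns1.dns-provider-b.example"): SoaProbe("SERVFAIL", False, False),
}


def constructed_query(domain: str, ns: str) -> SoaProbe:
    return _PROBES.get((domain, ns), SoaProbe("REFUSED", False, False))


# Constructed portfolio: (domain, registrar, delegated name servers).
SAMPLE_DOMAINS = [
    ("healthy.example", "Registrar X", ["ns1.registrar-x.example", "ns2.registrar-x.example"]),
    ("lapsed-brand.example", "Registrar X", ["ns1.dns-provider-a.example", "ns2.dns-provider-a.example"]),
    ("lapsed-other.example", "Registrar X", ["ns1.dns-provider-b.example"]),
]


def run_samples() -> Dict[str, Assessment]:
    return {d: assess(d, r, ns, constructed_query) for d, r, ns in SAMPLE_DOMAINS}


if __name__ == "__main__":
    for dom, a in run_samples().items():
        print(f"{dom}: sitting_duck={a.sitting_duck} lame={a.lame_servers} "
              f"exploitable={a.exploitable_providers}")
```

Note the middle case: `lapsed-other.example` is lame and delegated away from its registrar, but its provider is not on the exploitability list, so it is a hygiene problem rather than a Sitting Duck; the distinction matters when prioritising which lapsed delegations to fix first.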
In the case of the aforementioned Sitting Duck domain clickermediacorp[.]com, the domain appears to have been hijacked by scammers by claiming it at the web hosting firm DNSMadeEasy, which is owned by Digicert, one of the industry’s largest issuers of digital certificates (SSL/TLS certificates).
In an interview with KrebsOnSecurity, DNSMadeEasy founder and senior vice president Steve Job said the problem isn’t really his company’s to fix, noting that DNS providers who are also not domain registrars have no real way of validating whether a given customer legitimately owns the domain being claimed.
“We do shut down abusive accounts when we find them,” Job said. “But it’s my belief that the onus needs to be on the [domain registrants] themselves. If you’re going to buy something and point it somewhere you have no control over, we can’t prevent that.”
Infoblox, Eclypsium, and the DNS wiki listing at Github all say that web hosting giant Digital Ocean is among the vulnerable hosting firms. In response to questions, Digital Ocean said it was exploring options for mitigating such activity.
“The DigitalOcean DNS service is not authoritative, and we are not a domain registrar,” Digital Ocean wrote in an emailed response. “Where a domain owner has delegated authority to our DNS infrastructure with their registrar, and they have allowed their ownership of that DNS record in our infrastructure to lapse, that becomes a ‘lame delegation’ under this hijack model. We believe the root cause, ultimately, is poor management of domain name configuration by the owner, akin to leaving your keys in your unlocked car, but we acknowledge the opportunity to adjust our non-authoritative DNS service guardrails in an effort to help reduce the impact of a lapse in hygiene at the authoritative DNS level. We’re engaged with the research teams to explore additional mitigation options.”
In a statement provided to KrebsOnSecurity, the hosting provider and registrar Hostinger said they were working to implement a solution to prevent lame duck attacks in the “upcoming weeks.”
“We are working on implementing an SOA-based domain verification system,” Hostinger wrote. “Custom nameservers with a Start of Authority (SOA) record will be used to verify whether the domain truly belongs to the customer. We aim to launch this user-friendly solution by the end of August. The final step is to deprecate preview domains, a functionality sometimes used by customers with malicious intents. Preview domains will be deprecated by the end of September. Legitimate users will be able to use randomly generated temporary subdomains instead.”
What did DNS providers that have struggled with this issue in the past do to address these authentication challenges? The security firms said that to claim a domain name, the best practice providers gave the account holder random name servers that required a change at the registrar before the domains could go live. They also found the best practice providers used various mechanisms to ensure that the newly assigned name server hosts did not match previous name server assignments.
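The two best-practice mechanisms just described, random name servers that need a registrar-side change before the zone goes live and a rule that a new assignment never repeats an earlier one, fit together into a small provider-side claim flow. The code below is an added example of that design and is not code from any provider named in the article. The name server pool, the domain and the parent-zone lookup (a callback standing in for an NS query against the TLD servers, which only the registrant’s account can change) are constructed.

```python
"""Provider-side domain claim flow with random, non-repeating name servers (added example)."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Constructed pool of name servers the provider can hand out to customers.
NS_POOL = [f"ns{i}.dns-provider.example" for i in range(1, 21)]
ASSIGN_COUNT = 2


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


@dataclass
class Claim:
    domain: str
    account: str
    assigned_ns: List[str]
    active: bool = False


class ClaimStore:
    def __init__(self, parent_lookup: Callable[[str], List[str]], pool: List[str] = NS_POOL):
        self.parent_lookup = parent_lookup  # NS names the parent zone delegates a domain to
        self.pool = pool
        self.claims: Dict[str, Claim] = {}
        # Every server a domain was ever delegated to or assigned at this provider,
        # so a later claim can never be handed the same servers again.
        self.history: Dict[str, Set[str]] = {}

    def claim(self, domain: str, account: str) -> Claim:
        domain = _norm(domain)
        existing = self.claims.get(domain)
        if existing and existing.active:
            raise PermissionError(f"{domain} is already live for another account")
        seen = self.history.setdefault(domain, set())
        # The registrar's current delegation is off-limits: handing out those
        # servers would make the claimed zone live with no registrar change at all.
        seen.update(_norm(ns) for ns in self.parent_lookup(domain))
        candidates = [ns for ns in self.pool if ns not in seen]
        if len(candidates) < ASSIGN_COUNT:
            raise RuntimeError(f"name server pool exhausted for {domain}")
        # Unpredictable choice, so the assignment cannot be guessed in advance.
        assigned = sorted(secrets.SystemRandom().sample(candidates, ASSIGN_COUNT))
        seen.update(assigned)
        new_claim = Claim(domain, account, assigned)
        self.claims[domain] = new_claim
        return new_claim

    def activate(self, domain: str) -> bool:
        """Serve the zone only once the parent delegation equals the assigned set."""
        c = self.claims[_norm(domain)]
        current = {_norm(ns) for ns in self.parent_lookup(c.domain)}
        c.active = current == set(c.assigned_ns)
        return c.active

    def release(self, domain: str) -> None:
        """Zone removed (lapsed subscription or deleted by the customer); history is kept."""
        self.claims.pop(_norm(domain), None)


def demo() -> dict:
    # Constructed parent-zone state: what the registrar currently delegates.
    parent = {"brand.example": ["ns3.dns-provider.example", "ns7.dns-provider.example"]}
    store = ClaimStore(lambda d: parent.get(d, []))

    # The owner's zone at the provider lapses while the registrar delegation
    # still points at ns3/ns7: exactly the lame-delegation state.
    store.release("brand.example")

    # A stranger claims the lapsed domain and receives servers other than
    # ns3/ns7, so the stale delegation does not bring their zone live.
    stranger = store.claim("brand.example", "stranger")
    stranger_live = store.activate("brand.example")

    # The real owner re-claims and changes the delegation at the registrar
    # (something only the registrant account can do) to the assigned servers.
    owner = store.claim("brand.example", "owner")
    parent["brand.example"] = list(owner.assigned_ns)
    owner_live = store.activate("brand.example")

    # Once the owner's zone is live, further claims are refused outright.
    try:
        store.claim("brand.example", "stranger")
        refused = False
    except PermissionError:
        refused = True

    return {"stranger_ns": stranger.assigned_ns, "stranger_live": stranger_live,
            "owner_ns": owner.assigned_ns, "owner_live": owner_live,
            "refused_after_live": refused}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design hinges on the registrar account being the root of trust: the provider never decides ownership itself, it only refuses to serve a zone until the party who controls the delegation has pointed it at servers that did not exist for that domain before the claim.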
[Side note: Infoblox observed that many of the hijacked domains were being hosted at Stark Industries Solutions, a sprawling hosting provider that appeared two weeks before Russia invaded Ukraine and has become the epicenter of countless cyberattacks against enemies of Russia].
Both Infoblox and Eclypsium said that without more cooperation and less finger-pointing by all stakeholders in the global DNS, attacks on sitting duck domains will continue to rise, with domain registrants and regular Internet users caught in the middle.
“Government organizations, regulators, and standards bodies should consider long-term solutions to vulnerabilities in the DNS management attack surface,” the Infoblox report concludes.