Political hacktivists have once again hijacked a prominent website. The attack vector, however, is surprising. They did it by fax. Yes, you read that correctly. A change request was faxed to the Domain Name Services (DNS) registrar, which maintained the DNS registry for the site. As a result, the IP addresses for the web servers hosting the Metasploit website, owned by Rapid 7, were redirected. The redirect delivered Web pages pushing a pro-Palestinian political agenda. The good news is that the intent was obvious and political rather than covertly malicious. Imagine your visitors landing on an imitation website that they believe is yours.
The list of recent DNS server hacks is growing. Several weeks ago, Google’s site in Malaysia was hacked by a Pakistani activist group. That hack was of the same variety as the one used to redirect the New York Times website just about a month ago. In these incidents, the hackers apparently spear-phished login credentials from staffers at the registrar. Armed with those credentials, they accessed the DNS registries and changed the IP addresses to point at Web pages they controlled. I wonder how often this happens and no one reports the incident, or the change is believed to have been a mistake.
These DNS address change exploits are reminiscent of the first wave of financial account takeover and credit card fraud of about a decade ago. Fraudsters would surface mail or phone a financial institution with a request to change the address to which a statement was being mailed. Such a request used to be handled without much thought to validating the request with the account owner. Once the fraudster received a hard copy of a statement, it was not difficult to order checks, apply for additional credit cards and otherwise abuse the account and credit of the legitimate owner. It seems no successful hack ever dies; it simply evolves with the rest of the technology.
To counter the type of fraud initiated by pretext phone calls or mailings to financial institutions, the Gramm-Leach-Bliley Act included a section: 15 USC § 6821 - Privacy protection for customer information of financial institutions. This section specifically prohibited financial institutions from initiating and finalizing changes to address information without first confirming the request. The confirmation was required to be done via a communication channel other than the one through which the request was made. Effectively, if the request arrived by mail, call the account owner on the phone to verify it. If the request came by phone call, mail a confirmation to the existing address and account owner. An alternative would be to reach the account owner at a different phone number trusted to belong to them, for example by placing a call to their business phone to confirm the change request.
It is doubtful legislation is required to fight these DNS address hacks, but the hack is almost too easy. It may be time for website owners to apply pressure on their DNS registrars to confirm requests for IP address changes before they are made in production environments. Customers might want to inquire what levels of authentication are required for login to administrator accounts capable of making such changes. Many financial institutions automatically require a security review and a copy of a written security policy from their vendors providing online services.
There are other defenses, however. There are products that permit DNS servers and IP address resolution to be monitored in real time. It is also possible to lock the IP address for a domain name and limit the ability of the registrar or anyone else to make a change. Ask the registrar if adding phone-based, two-factor authentication to this locking function is available. There is a big advantage to this type of authentication process. You’ll be alerted if someone else is attempting to unlock your account.
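As an added example of the real-time resolution monitoring this paragraph mentions (this is not code from the article or from any product it alludes to), the script below pins the addresses a site owner knows they operate and flags any deviation, plus any split between resolvers; the domain and addresses are constructed.

```python
"""
Added example (not from the article): a minimal DNS-change monitor that pins
the A/AAAA records a site owner knows they control and flags any deviation.
Inputs are constructed in-line so it runs offline; a real deployment would
feed it answers from a resolver library on a schedule.
"""
import ipaddress
from collections import Counter

# Constructed baseline: domain -> addresses the owner actually operates.
PINNED = {
    "www.example.test": {"198.51.100.10", "198.51.100.11"},
}


def check_resolution(domain, answers, pinned=PINNED):
    """Compare one observed answer set against the pinned baseline.

    Returns a list of findings; an empty list means the answers are exactly
    the pinned set (nothing extra, nothing missing, nothing malformed).
    """
    findings = []
    known = pinned.get(domain)
    if known is None:
        return [f"{domain}: no pinned baseline, cannot judge"]
    clean = set()
    for a in answers:
        try:
            clean.add(str(ipaddress.ip_address(a)))  # normalise textual form
        except ValueError:
            findings.append(f"{domain}: non-address answer {a!r}")
    for extra in sorted(clean - known):
        findings.append(f"{domain}: UNEXPECTED address {extra} (possible redirect)")
    for gone in sorted(known - clean):
        findings.append(f"{domain}: pinned address {gone} no longer returned")
    return findings


def compare_resolvers(per_resolver):
    """Return resolver labels whose answers differ from the majority view.

    A registrar-side change tends to show first as a split between resolvers
    while caches expire, so disagreement alone is worth an alert.
    """
    views = {label: frozenset(ans) for label, ans in per_resolver.items()}
    majority = Counter(views.values()).most_common(1)[0][0]
    return sorted(label for label, view in views.items() if view != majority)
```

Run `check_resolution` on each scheduled lookup and `compare_resolvers` on the answers gathered from the authoritative servers and a few public resolvers; any non-empty result is the alert the paragraph describes.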
If this can happen to an outlet for the largest property on the Web, it can happen to anyone. The cybercriminals have heavily targeted small and medium businesses for financial fraud. It would not be surprising to see this exploit migrate in that direction. Also likely, it’s just a matter of time before this type of exploit migrates from political to profit motives.
John Zurawski is the vice president of Authentify, which pioneered telephone-based out-of-band authentication services and offers online banking security services.