Group-IB has warned of increasingly frequent domain-name theft. Popular international and Russian hosting providers have at least 30,500 domains at risk. The hijacked resources are most often used for phishing attacks, financial fraud, distributing malware, or infecting visitors.
This fall, while investigating numerous phishing sites targeting clients of one of the major Russian banks, the company's analysts noticed an interesting detail: the attackers were using neither newly created nor hacked resources, but legitimate domains in the .RU, .SU and .РФ zones belonging to ordinary users and companies alike.
One of these sites, medknizhka-tver.rf, appeared in the spring of 2019 to advertise medical services, but in August of this year all legitimate content was removed from it and an announcement of a non-existent promotion appeared in its place on behalf of one of the major Russian banks: following the usual pattern, users were promised 2020 rubles for completing a survey. After answering a few simple questions, the user was asked at the end to enter their bank card details and CVC/CVV code, ostensibly so that the money could be transferred to them.
What made it convincing was that the domain name itself was entirely legitimate and paid for until May 2021; it was the owner's hosting account that had expired, and the attackers took advantage of that.
Having discovered several hundred such phishing resources hosted on legitimate domains, Group-IB specialists established how the domain hijacking scheme works. The victims were the owners of domain names that were paid for and not blocked by the registrar, but not linked to any hosting account.
This happens in two cases: the domain has been forgotten, or it was bought only recently. Attackers maintain a database of such domains and host their content on the hosting providers' servers under someone else's domain. The whole interception procedure takes from 30 minutes to several hours.
After these simple manipulations, the hijackers can place their own content on the captured site and set up mailboxes on it in order to use the resource for financial fraud (stealing money and bank card data), sending letters with a malicious attachment, or infecting visitors of the compromised site with banking Trojans, spyware or ransomware (watering-hole attacks).
To confirm this, the analysts set a trap: they registered a domain name suitable for hijacking and pointed it at the NS records of one of the most popular hosting providers. Within a few days, the hijackers discovered the "ownerless" domain, moved it to their hosting provider and placed their content on it.
After checking a sample of 3,200,000 domains from the largest Russian and international hosting providers, the experts identified about 30,500 belonging to the "risk group": domains that cybercriminals can easily hijack.
Interestingly, some foreign hosting providers use various techniques to prevent, or significantly complicate, the seizure of legitimate domain names. For example, some hosters operate a large pool of NS servers and assign them to each customer unpredictably; because the set of name servers a given account receives is random, it is difficult for an attacker to bind someone else's domain to their own hosting account. Other hosters maintain their own database of customer domains: if a domain name was previously linked to another hosting account, it can no longer be re-linked to a new account.
“The danger of this scheme is that it allows you to place someone else's content on a domain without the owner's knowledge and without any notification from the hosting provider. CERT-GIB has warned all hosting providers at which a similar vulnerability was found about the existence of this problem. Preventing such domain hijacking can lead to a significant reduction in phishing content, as well as in the spread of malicious programs and spam mailings on the Internet,” comments Alexander Kalinin, head of CERT-GIB.
To avoid domain hijacking, experts recommend following these simple procedures. If a hosting account is about to expire and nobody plans to renew it, the owner should delete the current NS records entirely in their account at the domain-name registrar. Also at risk are domain owners who enter the hosting provider's NS records at the registrar before the domain itself has been linked to a hosting account.
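The condition the article describes (a paid-for domain delegated to a shared hoster's name servers while no hosting account claims it) can be audited from the outside, and both safeguards mentioned above can be expressed as code. The following Python script is an added example, not Group-IB's or any hoster's tooling: it classifies each domain by whether its delegated name servers actually serve the zone, and includes a hoster-side registry that refuses to re-link a domain to a different account. The name servers (ns1.hoster.example and so on), the domains and the canned DNS answers are constructed for the demo; the probe function is injected, so in practice it would issue a real SOA query to each name server (for example via dnspython's dns.query.udp, or equivalently dig @nameserver SOA domain) instead of reading a dictionary.

```python
# Added example (not Group-IB's or any hosting provider's code): audit domains for
# the "delegated to a shared hoster, but bound to no hosting account" condition,
# and model the hoster-side "one domain, one account" safeguard.
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence

# probe(nameserver, domain) -> DNS rcode name ("NOERROR", "REFUSED", ...) for an
# SOA query sent directly to that name server.  Injected so the demo runs offline.
Probe = Callable[[str, str], str]


@dataclass(frozen=True)
class Finding:
    domain: str
    risk: str     # "none" | "dangling" | "lame"
    detail: str


def assess_delegation(domain: str, ns_records: Sequence[str],
                      shared_hosting_ns: frozenset, probe: Probe) -> Finding:
    """Classify one domain by what its delegated name servers say about it.

    A hoster's name server that holds no zone for the domain usually answers
    REFUSED (some answer SERVFAIL or NXDOMAIN).  When that server belongs to a
    shared hosting provider, whoever adds the domain to a fresh hosting account
    becomes authoritative for it: the hijack scenario described in the article.
    """
    if not ns_records:
        # No delegation at all: the recommended state for a domain nobody is using.
        return Finding(domain, "none", "no NS records; nothing for a hijacker to claim")
    lame = [ns for ns in ns_records if probe(ns, domain) != "NOERROR"]
    if not lame:
        return Finding(domain, "none", "all delegated name servers answer authoritatively")
    if any(ns in shared_hosting_ns for ns in lame):
        return Finding(domain, "dangling",
                       "shared-hosting NS not serving the zone: " + ", ".join(sorted(lame)))
    return Finding(domain, "lame", "non-authoritative NS: " + ", ".join(sorted(lame)))


def audit(domains: Dict[str, Sequence[str]], shared_hosting_ns: frozenset,
          probe: Probe) -> List[Finding]:
    """Run assess_delegation over a registrar export of domain -> NS records."""
    return [assess_delegation(d, ns, shared_hosting_ns, probe)
            for d, ns in sorted(domains.items())]


class HosterDomainRegistry:
    """Hoster-side safeguard from the article: remember which account first
    linked a domain and refuse to bind it to any other account later."""

    def __init__(self) -> None:
        self._owner: Dict[str, str] = {}

    def link(self, domain: str, account: str) -> bool:
        """Return True if `account` may bind `domain`, False if another account already did."""
        current = self._owner.setdefault(domain.lower().rstrip("."), account)
        return current == account


# --- Constructed demo data (hypothetical names, not any real provider's) ---
SHARED_NS = frozenset({"ns1.hoster.example", "ns2.hoster.example"})

_CANNED_ANSWERS = {
    # active hosting account: the hoster serves the zone
    ("ns1.hoster.example", "active-shop.example"): "NOERROR",
    ("ns2.hoster.example", "active-shop.example"): "NOERROR",
    # paid-for domain whose hosting account expired: NS still point at the hoster
    ("ns1.hoster.example", "forgotten-clinic.example"): "REFUSED",
    ("ns2.hoster.example", "forgotten-clinic.example"): "REFUSED",
    # self-hosted domain with one broken secondary (misconfiguration, not takeover)
    ("ns1.self.example", "selfhosted.example"): "NOERROR",
    ("ns2.self.example", "selfhosted.example"): "SERVFAIL",
}

DEMO_DOMAINS = {
    "active-shop.example": ["ns1.hoster.example", "ns2.hoster.example"],
    "forgotten-clinic.example": ["ns1.hoster.example", "ns2.hoster.example"],
    "selfhosted.example": ["ns1.self.example", "ns2.self.example"],
    "parked.example": [],   # NS records deleted at the registrar, as recommended
}


def fake_probe(ns: str, domain: str) -> str:
    """Offline stand-in for a real SOA query; unknown pairs count as SERVFAIL."""
    return _CANNED_ANSWERS.get((ns, domain), "SERVFAIL")


def demo() -> Dict[str, str]:
    """Risk label per demo domain; the test asserts on this."""
    return {f.domain: f.risk for f in audit(DEMO_DOMAINS, SHARED_NS, fake_probe)}


if __name__ == "__main__":
    for finding in audit(DEMO_DOMAINS, SHARED_NS, fake_probe):
        print(f"{finding.domain:28} {finding.risk:9} {finding.detail}")
```

Only the "dangling" class is the article's hijack condition; a "lame" result on self-operated name servers is an ordinary misconfiguration. The registry check is what lets a hoster reject the takeover even when the domain's NS records already point at its servers.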