At least three high-profile websites that receive services from Network Solutions have been hijacked in recent days in attacks that are prompting speculation that the compromises are the result of a security lapse inside the popular domain registrar and Web host.
Competing antivirus providers Avira and AVG are confirmed to have been hit, as was messaging software developer Whatsapp. Alexa and Redtube have also been reported to have been struck by the same attackers, although that claim wasn’t verified. All five websites rely on services from Network Solutions, which is owned by Web.com. At least some of the victims report losing control of the domain name system (DNS) servers used to route Internet traffic, a lapse that made it possible for hackers to redirect e-mail and Web traffic to malicious servers.
“It appears that our account used to manage DNS records registered at Network Solutions has received a fake password-reset request which was honored by the provider,” Avira officials wrote in a blog post published Tuesday. “Using the new credentials, the cybercriminals have been able to change the entries to point to their DNS servers.”
Johannes Ullrich, CTO of the SANS Technology Institute, said he saw a screenshot confirming that AVG’s site was similarly redirected and that Whatsapp was “apparently a third victim of this attack.” Other sources also reported that Whatsapp was hijacked. By taking control of the name server (NS) records, the attackers were able to redirect people trying to visit those sites to a server that displayed pro-Palestinian propaganda. The hijacking has the potential to be much more serious than a mere defacement prank since it can affect the servers that receive e-mail and interact with software customers.
“Once an attacker has control of the NS records, they may also change MX [mail exchange] records and redirect e-mail, or, in the case of an antivirus company like Avira, change the addresses used to download signature updates,” Ullrich wrote. Many software applications rely on cryptographic signatures to certify that a server is valid before accepting updates, so it’s possible such an attack would not have succeeded against Avira or AVG. Even with such protections in place, however, the ability of hackers to impersonate any of a company’s servers is always a risk to end users.
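One defensive check a zone owner can run against the hijack pattern Ullrich describes, as an added example that is not from the article or any of the companies named: compare the NS and MX records a resolver currently returns with an expected baseline, and compare the parent zone's delegation with the NS set the zone itself publishes. All domain names, server names and answers below are constructed placeholders; `record_drift` and `delegation_consistent` are hypothetical helper names.

```python
"""Baseline check for the NS/MX hijack pattern described above.

Added example, not from the article or any vendor. It (1) compares the
NS and MX records a resolver currently returns with the records the zone
owner expects, and (2) compares the delegation NS set published by the
parent zone with the NS set the zone itself publishes, since a registrar
account hijack changes the former without touching the latter.
All domains, server names and answers are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rtype: str
    unexpected: frozenset  # records seen but not in baseline
    missing: frozenset     # baseline records not seen


def normalize(names):
    # DNS names are case-insensitive and the trailing dot is optional.
    return frozenset(n.lower().rstrip(".") for n in names)


def record_drift(baseline, observed):
    """Return one Finding per record type whose set differs from baseline."""
    findings = []
    for rtype in sorted(baseline):
        want, got = normalize(baseline[rtype]), normalize(observed.get(rtype, ()))
        if want != got:
            findings.append(Finding(rtype, got - want, want - got))
    return findings


def delegation_consistent(parent_ns, child_ns):
    """True when the parent's delegation matches the zone's own NS set."""
    return normalize(parent_ns) == normalize(child_ns)


# Constructed data: expected records and two snapshots of observed answers.
BASELINE = {"NS": ["ns1.hoster.test.", "ns2.hoster.test."],
            "MX": ["mail.vendor.test."]}
HEALTHY = {"NS": ["NS1.hoster.test", "ns2.hoster.test"], "MX": ["mail.vendor.test"]}
HIJACKED = {"NS": ["ns1.rogue.test", "ns2.rogue.test"], "MX": ["mx.rogue.test"]}

if __name__ == "__main__":
    for label, obs in (("healthy", HEALTHY), ("hijacked", HIJACKED)):
        # Parent delegation is the observed NS set; the zone still serves BASELINE.
        print(label, "delegation ok:", delegation_consistent(obs["NS"], BASELINE["NS"]))
        for f in record_drift(BASELINE, obs):
            print(f"  {f.rtype} drift: +{sorted(f.unexpected)} -{sorted(f.missing)}")
```

In production the observed sets would come from a query to a public resolver and from the parent (TLD) servers respectively; an NS mismatch at the parent is the signal most specific to a registrar-account takeover.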
Officials at Web.com didn’t respond to a phone message asking if they are aware of the attacks and the report from Avira that the breach it experienced originated with Network Solutions’ password reset function. This post will be updated if representatives reply later.
On Sunday, hosting firm Leaseweb also reported that its website was hijacked through DNS redirection. During the compromise, some people trying to visit leaseweb.com were directed to a non-Leaseweb server. E-mails sent to leaseweb.com addresses were also not received by the proper machine. Internet records showed the Leaseweb registrar isn’t Network Solutions. Beyond its use of DNS redirection, it’s unclear if the Leaseweb compromise had any relation to the other hijackings.