The attack creates or modifies .htaccess files to redirect site visitors who arrive from major search engines and popular websites (e.g. Twitter, Facebook, Wikipedia, Flickr, eBay, etc.) to scareware sites that aggressively push fake anti-virus software. The redirects also occur when visitors request nonexistent pages or pages that produce server errors.
This .htaccess conditional redirect approach is nothing new. It has been actively exploited by hackers for at least a couple of years (and Unmask Parasites does a good job of detecting such redirects). And while the .htaccess code in this particular case has some new features (maybe more about that next time), it isn’t the most interesting thing about this attack.
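The post does not reproduce the attackers' .htaccess code, so the scanner below (an added example, not code from the post or from Unmask Parasites) works on a constructed .htaccess modelled on the pattern described above: a RewriteRule whose preceding RewriteCond keys on the referrer and whose target is off-site, plus ErrorDocument directives that send error pages off-site. The hostnames, the “main.php?e=4&h” path (taken from the search string mentioned later in the post) and the `own_hosts` allow-list are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample .htaccess (not the attackers' actual file).
SAMPLE_HTACCESS = """\
RewriteEngine On
# referrer-conditional redirect of the kind described in the post (constructed)
RewriteCond %{HTTP_REFERER} (google|yahoo|bing|twitter|facebook|wikipedia)\\. [NC]
RewriteRule ^.*$ http://ns2.example.com/main.php?e=4&h [R=302,L]
# a legitimate canonical-host redirect that must NOT be flagged
RewriteCond %{HTTP_HOST} ^www\\.example\\.org$ [NC]
RewriteRule ^(.*)$ http://example.org/$1 [R=301,L]
# error pages sent off-site (constructed)
ErrorDocument 404 http://www2.example.net/main.php?e=4&h
ErrorDocument 403 /forbidden.html
"""

REFERER_RE = re.compile(r"%\{HTTP_REFERER\}", re.I)
# "file does not exist" conditions, the other common trigger for off-site redirects
MISSING_RE = re.compile(r"%\{REQUEST_FILENAME\}\s+!-[fd]", re.I)


def external_host(target, own_hosts):
    """Return the lower-cased host of `target` if it points off-site, else None."""
    if not re.match(r"https?://", target, re.I):
        return None  # relative path or local file: stays on this site
    host = (urlsplit(target).hostname or "").lower()
    return None if host in own_hosts else host


def find_suspicious_rules(htaccess_text, own_hosts):
    """Flag RewriteRule/ErrorDocument directives whose target is an external host.

    Apache applies RewriteCond lines only to the RewriteRule that follows them,
    so the pending conditions are reset after every RewriteRule.
    """
    own_hosts = {h.lower() for h in own_hosts}
    findings, pending_conds = [], []
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond":
            pending_conds.append(line)
            continue
        if directive == "rewriterule" and len(parts) >= 3:
            conds, pending_conds = pending_conds, []
            host = external_host(parts[2], own_hosts)
            if host is None:
                continue
            reasons = []
            if any(REFERER_RE.search(c) for c in conds):
                reasons.append("referrer-conditional")
            if any(MISSING_RE.search(c) for c in conds):
                reasons.append("missing-file-conditional")
            findings.append({"line": lineno, "directive": "RewriteRule",
                             "host": host, "reasons": reasons or ["unconditional"]})
            continue
        if directive == "errordocument" and len(parts) >= 3:
            host = external_host(parts[2], own_hosts)
            if host is not None:
                findings.append({"line": lineno, "directive": "ErrorDocument",
                                 "host": host, "reasons": ["error-" + parts[1]]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_HTACCESS, {"example.org", "www.example.org"}):
        print(f"line {f['line']}: {f['directive']} -> {f['host']} ({', '.join(f['reasons'])})")
```

Run it against every .htaccess in the web root (attackers often drop copies into subdirectories, not just the top level). Any off-site target is worth a look; the “referrer-conditional” and “error-…” reasons are the ones that match the behaviour described above.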
Thanks to the Google search suggested by Patrick (“main.php?e=4&h”), I was able to analyze the .htaccess code from multiple compromised sites. They all redirected to different scareware sites, but all those sites had similarly strange subdomains: www2, dns, ns1, ns2.
Here’s a list of 12 such sites that I found:
This is definitely just the tip of the iceberg (these are only the sites posted by webmasters who cared to share information about their problems during the last week), and there may be many more such sites.
All these subdomains point to the same IP: 195 .2 .253 .42 (Madet Ltd, Russia). At the same time, the main (second-level) domains point to completely different IPs. Some of them are legitimate websites and some are just parked domains.
The dig command shows that those subdomains are configured as A records in the domains’ DNS settings.
For example, let’s take the parked lighthouseusa.net domain. Its A record points to GoDaddy’s parking service:
lighthouseusa.net. 3600 IN A 126.96.36.199
but if you dig the ns2.lighthouseusa .net subdomain, you’ll see another A record:
ns2.lighthouseusa.net. 1800 IN A 188.8.131.52
This means that the hackers have access to, and can modify, the DNS records of those second-level domains.
Apparently, all those second-level domains are registered via GoDaddy and use GoDaddy’s name servers.
They belong to different people, but some of them have the same owner (e.g. smoothsouthernsoulandblues.com and thesoulfoodcafe.com, or vimoka.net and vimoksha.org). This makes me think that the hackers used stolen credentials for GoDaddy accounts.
Most likely the credential theft was the result of a phishing attack. If you google for “GoDaddy phishing” you will see a lot of reports about emails “from GoDaddy” that ask you to change/update some records and point to phishing pages that look exactly like GoDaddy.com.
Alternatively, the hackers could have used malware (keyloggers or browser add-ons) that steals credentials when people log into their GoDaddy accounts from infected computers.
It is clear that hackers have figured out that subdomains of legitimate websites are an almost infinite source of free domain names for their attack sites. With access to DNS settings, they can create arbitrary subdomains that point to their own servers. Such subdomains are hardly ever noticed by domain owners, who rarely check their DNS records after the initial domain configuration. And they cost the hackers nothing.
I wonder whether using hijacked subdomains of legitimate websites is a new trend in malware distribution or just a temporary solution that won’t be widely adopted by cybercriminals in the long run (like dynamic DNS domains last September).
At this point, domain owners should be aware of this problem and be serious about protecting their account credentials.
Don’t trust emails that ask you to change/confirm account information. Always double-check that they are genuine and lead to genuine websites. Also make sure that your computers are malware-free.
To be on the safe side, check the DNS settings of your domains for rogue records and change your account password.
What do you think about serving malware from hijacked subdomains of legitimate websites? Is this approach viable? Do you know any other attacks that involve hacked DNS records? Maybe you have details about this particular attack?
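The dig check shown above for lighthouseusa.net and the advice to look for rogue records can be turned into a small script. This is an added example, not the post's own tooling: it parses `dig +noall +answer` output for a batch of candidate names (your own hostnames plus the labels seen in this attack: www2, dns, ns1, ns2), compares them against an explicit list of hostnames you actually configured, and then groups the leftovers by IP, since one IP answering for rogue labels under several unrelated zones is exactly the pattern described in this post. The zones, the expected-hostname lists and the dig output are constructed (RFC 5737 documentation addresses stand in for real IPs).

```python
import re
from collections import defaultdict

# Constructed `dig +noall +answer` output, modelled on the lighthouseusa.net
# example in the post: the apex points at a parking/hosting IP, while extra
# labels with a shorter TTL point at one shared IP across two unrelated zones.
SAMPLE_DIG_OUTPUT = """\
example.net.        3600 IN A     198.51.100.10
www.example.net.    3600 IN CNAME example.net.
ns2.example.net.    1800 IN A     203.0.113.42
example.org.        3600 IN A     198.51.100.20
mail.example.org.   3600 IN A     198.51.100.21
www2.example.org.   1800 IN A     203.0.113.42
dns.example.org.    1800 IN A     203.0.113.42
"""

# Hostnames the owner deliberately configured (constructed). Anything else
# that answers under these zones is a candidate rogue record.
EXPECTED = {
    "example.net": {"example.net", "www.example.net"},
    "example.org": {"example.org", "mail.example.org"},
}

ANSWER_RE = re.compile(r"^(\S+)\.\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")


def parse_dig_answers(text):
    """Parse answer-section lines into (name, ttl, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name.lower(), int(ttl), rtype, rdata.rstrip(".")))
    return records


def zone_of(name, zones):
    """Return the configured zone that `name` belongs to, or None."""
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def find_rogue_records(records, expected):
    """Records under a known zone whose owner name is not in the expected list."""
    rogue = []
    for name, ttl, rtype, rdata in records:
        zone = zone_of(name, expected)
        if zone is None or name in expected[zone]:
            continue
        rogue.append({"zone": zone, "name": name, "type": rtype,
                      "ttl": ttl, "rdata": rdata})
    return rogue


def shared_targets(rogue, min_zones=2):
    """Group rogue A records by IP; an IP serving several zones is shared infrastructure."""
    by_ip = defaultdict(set)
    for r in rogue:
        if r["type"] == "A":
            by_ip[r["rdata"]].add(r["zone"])
    return {ip: sorted(zones) for ip, zones in by_ip.items() if len(zones) >= min_zones}


if __name__ == "__main__":
    rogue = find_rogue_records(parse_dig_answers(SAMPLE_DIG_OUTPUT), EXPECTED)
    for r in rogue:
        print(f"{r['zone']}: unexpected {r['type']} {r['name']} -> {r['rdata']} (TTL {r['ttl']})")
    for ip, zones in shared_targets(rogue).items():
        print(f"{ip} answers for rogue labels in {len(zones)} zones: {', '.join(zones)}")
```

Two caveats a domain owner should keep in mind: dig only answers for names you ask about, so this catches the labels you guess (the ones seen in this attack are a good start) but not an arbitrary label the attacker picked; the authoritative list lives in the registrar's DNS panel or a zone export, and that is what should be compared against your expected list. And a TTL that differs from the apex record (1800 versus 3600 in the post's dig output) is a useful tell that a record was added separately, but it is not proof on its own.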
Your comments are welcome.