About a month ago I wrote about a hacker attack that used hijacked subdomains of legitimate websites to serve malware (fake anti-virus software) from them. Most likely, cyber criminals used a phishing attack to steal credentials for GoDaddy’s domain management control panel and created rogue DNS records for some subdomains to make them point to hacker-controlled servers.
In that article I wondered whether that was a new trend (the use of virtually free hijacked subdomains) or just a temporary approach that wouldn’t be used anywhere else. Well, this week I came across a different malware attack that also uses hijacked subdomains of legitimate websites.
The attack itself is nothing new. It uses stolen FTP credentials to inject malicious scripts into legitimate web pages. The injected scripts look like this:
I checked many infected sites and noticed that the injected scripts always used the same five subdomains, changing only the file name part of the script from site to site. The file names were always Internet/computer related, e.g.: YouTube.js, Virtual_Reality.js, Backup.js, Unfriend.js, Keystroke.js, Access.js, Technology_Services.js, Page_View.js, Gigahertz.js, Telnet.js, Data_Type.js, Paste.js, Gnutella.js, Website.js, etc.
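Because the attackers keep the same five subdomains and only rotate the file name, a site owner can check their own pages for external script references pointing at those hosts rather than for a specific file name. The following is an added example (not code from the post or from Unmask Parasites) that parses a page's script tags and reports any whose host is one of the hijacked subdomains listed in this post; the sample HTML is constructed here for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# The five hijacked subdomains named in this post. The file name part
# (YouTube.js, Keystroke.js, ...) changes from site to site, so we match
# on the host only.
HIJACKED_HOSTS = {
    "oployau.fancountblogger.com",
    "sorydory.russellhowe.com",
    "aospfpgy.dogplaystation.com",
    "kollinsoy.skyefenton.com",
    "temp.hbsouthmomsclub.com",
}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def find_injected_scripts(html, hijacked_hosts=HIJACKED_HOSTS):
    """Return (src, host, filename) for each external script whose host
    is a known hijacked subdomain. Relative and same-site scripts are ignored."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hits = []
    for src in parser.srcs:
        # urlparse needs a scheme or a leading "//" to recognise the host part.
        url = src if "//" in src else "http://" + src
        host = urlparse(url).hostname
        if host and host.lower() in hijacked_hosts:
            filename = src.rsplit("/", 1)[-1]
            hits.append((src, host.lower(), filename))
    return hits


# Constructed sample page: one legitimate local script and two injected ones.
SAMPLE_PAGE = """<html><head>
<script type="text/javascript" src="http://oployau.fancountblogger.com/YouTube.js"></script>
<script src="/js/site.js"></script>
</head><body>
<script src='http://sorydory.russellhowe.com/Keystroke.js'></script>
</body></html>"""


if __name__ == "__main__":
    for src, host, filename in find_injected_scripts(SAMPLE_PAGE):
        print(f"injected script: host={host} file={filename} src={src}")
```

Run it over saved copies of your pages (or the output of a crawl of your own site); any hit means the page has been modified and the FTP credentials used for that site should be treated as compromised. The host set is easy to extend with the additional subdomains reported in the comments.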
The 5 subdomains are (there may be more, but I have only seen these five):
oployau.fancountblogger.com. 937 IN A 220.127.116.11
sorydory.russellhowe.com. 3530 IN A 18.104.22.168
aospfpgy.dogplaystation.com. 2792 IN A 22.214.171.124
kollinsoy.skyefenton.com. 399 IN A 126.96.36.199
temp.hbsouthmomsclub.com. 1116 IN A 188.8.131.52
Update: You can find many more hijacked subdomains in the comments.
Each of them points to a different IP on a different network, and none of the IPs matches the IP (or even the network) of its second-level domain.
All the second-level domains are registered and currently managed via GoDaddy. Some of them point to real, legitimate websites; others are just parked domains.
It’s clear that the hackers somehow gained access to those domains’ DNS management panels and created rogue DNS records for subdomains that the legitimate domain owners cannot even imagine exist.
This is the second attack in a short time that uses this approach to get free domain names for malware distribution. I guess it is still too early to call this a trend, but it’s definitely something we should keep an eye on.
When was the last time you checked the DNS records of your domains? Are you sure there are no rogue subdomains that criminals use behind your back? It’s probably time to check your domain settings now. But don’t forget about phishing attacks: make sure you are logging into the genuine site of your registrar. (Check GoDaddy’s security tips)
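Two things stand out in the records above: the subdomain names are ones the owner never created, and their addresses sit on networks unrelated to the second-level domain. Both can be checked mechanically. The following is an added example (not code from the post) that parses A records in the same "name. TTL IN A ip" layout shown above, compares them with the list of subdomains the owner actually expects, and reports anything unexpected together with whether it resolves inside the apex domain's network. The zone data, the domain example.com and the addresses are constructed for illustration; the /24 used to define "same network" is an assumption and should be adjusted to your hosting provider's allocation.

```python
import ipaddress


def parse_a_records(text):
    """Parse lines of the form 'name. TTL IN A ip' into (name, ip) pairs.
    Other record types and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN" and parts[3] == "A":
            records.append((parts[0].rstrip(".").lower(), parts[4]))
    return records


def audit_zone(records, apex, expected_names, apex_prefix_len=24):
    """Return a finding for every subdomain that is not in expected_names.

    Each finding notes whether the address lies in the apex domain's own
    network (assumed here to be the /apex_prefix_len around the apex A record),
    which is the mismatch the post observed for the rogue subdomains."""
    apex = apex.lower()
    expected = {n.lower() for n in expected_names}
    apex_nets = [
        ipaddress.ip_network(f"{ip}/{apex_prefix_len}", strict=False)
        for name, ip in records
        if name == apex
    ]
    findings = []
    for name, ip in records:
        if name == apex or name in expected:
            continue
        addr = ipaddress.ip_address(ip)
        findings.append({
            "name": name,
            "ip": ip,
            "in_apex_network": any(addr in net for net in apex_nets),
        })
    return findings


# Constructed sample zone: apex, two legitimate subdomains and one the owner
# never created, pointing at an unrelated network (RFC 5737 test addresses).
SAMPLE_ZONE = """\
example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN A 192.0.2.10
mail.example.com. 3600 IN A 192.0.2.20
example.com. 3600 IN MX 10 mail.example.com.
kqzxw.example.com. 937 IN A 203.0.113.45
"""

EXPECTED_SUBDOMAINS = {"www.example.com", "mail.example.com"}


if __name__ == "__main__":
    zone = parse_a_records(SAMPLE_ZONE)
    for f in audit_zone(zone, "example.com", EXPECTED_SUBDOMAINS):
        where = "inside" if f["in_apex_network"] else "OUTSIDE"
        print(f"unexpected subdomain {f['name']} -> {f['ip']} ({where} apex network)")
```

Feed it the A records exported from your registrar's DNS panel, or the output of a zone transfer from your own authoritative server, and keep the expected-subdomain list under version control so a later run shows exactly what changed. A legitimate subdomain hosted elsewhere (a CDN, a mail provider) will show "OUTSIDE" once it is added to the expected list it is no longer reported, so the list, not the network check, is what decides.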
If you find one of the above scripts in your web pages (you can use Unmask Parasites to detect them), do the following:
Do you know any other malware attacks that use hijacked subdomains of legitimate websites? Can we call this a new trend?