Domain name registrar and Web site hosting provider Go Daddy is responding to a DNS attack targeting a "small number" of its hosted websites that one security firm said is enabling cybercriminals to spread ransomware.
The attack targets the DNS records of sites, adding a subdomain leading to malicious IP addresses. It was detected recently by UK-based security vendor Sophos.
"This enables the attackers to use legitimate-looking URLs in their attacks, which can help to evade security filtering and trick users into thinking the content must be safe," wrote Fraser Howard, a principal virus researcher at SophosLabs. "The legitimate hostname resolves to the legitimate IP address, but the added sub-domains resolve to rogue servers."
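The attack Howard describes leaves the apex and existing records untouched and adds new subdomain A records that point off the hosting provider's network. The following is an added example, not code from Sophos, Go Daddy or the article, showing how a zone owner or incident responder could audit a zone excerpt for that pattern: any A record not in a known-good baseline whose address falls outside the provider's trusted ranges is flagged. The domain, addresses and record names are constructed (documentation ranges only).

```python
"""Audit a zone excerpt for injected subdomains (added example, constructed data)."""
import ipaddress
from collections import namedtuple

Record = namedtuple("Record", "name rtype value")

# Constructed zone excerpt in minimal BIND style: "<name> IN <type> <value>".
SAMPLE_ZONE = """
example.com.               IN A  198.51.100.10
www.example.com.           IN A  198.51.100.10
mail.example.com.          IN A  198.51.100.20
blog.example.com.          IN A  198.51.100.10   ; new, but still on the hosting network
secure-update.example.com. IN A  203.0.113.45    ; injected record pointing at a rogue server
example.com.               IN NS ns1.example.com.
"""
# Assumed known-good names from the owner's last snapshot, and the provider's address range.
BASELINE_NAMES = {"example.com", "www.example.com", "mail.example.com"}
TRUSTED_NETWORKS = ["198.51.100.0/24"]


def parse_zone(text):
    """Parse one record per line; strip ';' comments and blank lines."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[1] != "IN":
            raise ValueError(f"unparseable record: {line!r}")
        records.append(Record(parts[0].rstrip(".").lower(), parts[2], parts[3]))
    return records


def audit_zone(records, baseline_names, trusted_networks):
    """Return (rogue, new_trusted): A records absent from the baseline, split by whether
    their address lies inside the trusted networks. Only the first list needs urgent action."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    rogue, new_trusted = [], []
    for r in records:
        if r.rtype != "A" or r.name in baseline_names:
            continue
        inside = any(ipaddress.ip_address(r.value) in n for n in nets)
        (new_trusted if inside else rogue).append((r.name, r.value))
    return rogue, new_trusted


def audit_sample():
    """Run the audit over the constructed zone."""
    return audit_zone(parse_zone(SAMPLE_ZONE), BASELINE_NAMES, TRUSTED_NETWORKS)


if __name__ == "__main__":
    rogue, new_trusted = audit_sample()
    print("rogue:", rogue)          # [('secure-update.example.com', '203.0.113.45')]
    print("new but trusted:", new_trusted)
```

Run it against a real export by replacing `SAMPLE_ZONE`, the baseline and the trusted ranges; the same comparison works on periodic snapshots to catch additions soon after they appear.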
Experts say the hack does not appear very sophisticated. The attacker is using stolen credentials to gain access to the victim's Go Daddy account management console, where the DNS settings can be changed.
The attack is one of a number of common techniques used to dupe people into believing they are on a legitimate site. DNS attacks are common and have been used for years, targeting a variety of configuration weaknesses and protocol errors. The most publicized is DNS cache poisoning, a technique that corrupts a DNS server's lookup table by replacing a legitimate Internet address with a rogue one.
Go Daddy: Issue is not a vulnerability
Go Daddy has not responded to a SearchSecurity.com request for comment. The hosting provider indicated to Sophos that it is aware of the issue affecting a "small number of accounts." The company is removing the malicious DNS entries from targeted sites and resetting customer passwords. The company said its users can reduce the risk of being targeted by this kind of attack by enabling two-factor authentication. Go Daddy's two-step verification sends a validation code via text message when a user tries to log into a hosting account.
"We have been identifying affected customers and reversing the malicious entries as we find them," Go Daddy said.
Go Daddy's incident response team suspects that the source of the attack could be the Cool Exploit Kit, an automated attack toolkit which is responsible for spreading ransomware. It's likely that the affected customers have had their credentials phished or their home machines infected by malware spread by the toolkit, Go Daddy said.
Sophos' Howard said the ransomware appears to be catered to the victim's specific location. Users receive a phony message purportedly from the FBI that the computer's IP address is linked to child pornography. The computer is locked until a ransom is paid.
The Cool Exploit Kit targets a variety of vulnerabilities, including Java flaws, and has been seen spreading via drive-by attack websites. "The rogue servers are running an exploit kit calling itself 'Cool EK'," Howard wrote. "The Russian origin of the kit is evident from the login page for the admin panel."