Hosting provider LeaseWeb falls victim to DNS hijacking

The company believes attackers obtained domain administrator credentials and used them to change the domain's DNS records at the registrar

Attackers modified the DNS records for leaseweb.com

Attackers modified the DNS records for leaseweb.com

Hosting provider LeaseWeb became the latest high-profile company to have its domain name taken over by attackers, highlighting that DNS (Domain Name System) hijacking is a significant threat, even to technically adept businesses.

For a short time on Saturday, leaseweb.com, the company's main website, was redirected to an IP address that wasn't under its control. This was the result of a so-called DNS hijacking attack in which attackers managed to change the authorized name servers for the company's domain name.

Due to the way DNS records get propagated through Internet servers and the fact that some DNS resolvers cache the records for a longer time than others, not all users were affected by the incident.

However, those users who were impacted and attempted to visit the company's website were redirected to a Web page crediting a hacker group called KDMS Team for the attack.

The rogue page contained messages from the hackers, including "what are you is a hosting company with no security" and "we owned all of your hosted sites."

"Our security investigation so far shows that no domains other than leaseweb.com were accessed and changed," LeaseWeb said in a blog post Sunday after resolving the issue. "No internal systems were compromised. One of the security measures we have in place is to store customer data separately from any publicly accessible servers; we have no indication that customer data was compromised as a result of this DNS hijack."

LeaseWeb is a large provider of public cloud, private cloud, dedicated hosting, colocation and content delivery services with subsidiaries in the U.S., Germany and the Netherlands. It has over 15,000 customers that range from small businesses to large enterprises and claims to manage almost 4 percent of global IP traffic.

LeaseWeb is still investigating how attackers managed to change the DNS records for its domain name, but it appears that they gained access to the domain administrator password at the domain registrar from which LeaseWeb bought its domain.

Spear phishing might have been a part of the attack, but at this point the investigation is ongoing so there's no definitive answer, Alex de Joode, senior legal counsel of LeaseWeb, said Monday via email.

Because of this attack, emails sent to @leaseweb.com addresses while the rogue DNS records were in place did not reach the company's email server. The rogue Web server where the domain was pointed by the attackers did not have email service configured, so no email messages were compromised, de Joode said.

There's also no indication the rogue Web page served malware or was used to steal credentials, he said.

There has been some speculation that attackers might have exploited a recently disclosed vulnerability in the WHMCS billing and support software to pull off the attack. This software is particularly popular with Web hosting companies.

LeaseWeb itself doesn't use WHMCS, but the company doesn't know if the software is used by its domain registrar, de Joode said.

"We took immediate measures to prevent a repeat of this incident in the short term," he said. "We will also update our security policies for domains based on the results of the current investigation."

Defacing websites by hijacking the DNS records for their domain names in order to redirect them to rogue Web servers is a popular technique among hackers. Attackers usually gain access the domain administrator panel by phishing the log-in credentials from an authorized user or by tricking domain registrar employees to reset the password for the targeted account.

In August, a hacker group called the Syrian Electronic Army (SEA) used spear phishing to temporarily hijack the nytimes.com, sharethis.com, huffingtonpost.co.uk, twitter.co.uk and twimg.com domain names. SEA publicly supports Syrian President Bashar al-Assad and his government and most of their attacks are a political statement.

LeaseWeb doesn't currently know why it was targeted by Team KDMS, de Joode said.

DNS hijacking can have much more serious consequences than a websites being defaced. Attackers could use this technique to direct users to a phishing version of the website in order to steal their credentials or they could use exploit kits to infect visitors to the rogue Web server with malware.

To prevent rogue modification of DNS records domain owners can ask their registrars to put registry locks in place for their domains. This lock is placed at the registry level -- with those companies that administer the .com, .net, .org, and other domain extensions -- and makes the modification of DNS records, even when a domain registrar is compromised, much harder.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags online safetyintrusionAccess control and authenticationLeaseWeb

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?