A bomb threat spam campaign that hit North America last month may have been engineered using a flaw in GoDaddy’s domain management process, it was revealed this week.
The campaign saw attackers send out spam emails warning recipients that their places of work would be bombed unless they sent payments in bitcoin. Investigators linked its unknown perpetrator to a separate sextortion attack which falsely claimed to have compromising webcam images of victims and demanded blackmail payments in bitcoin.
Both of these spam campaigns came from domains hosted by Russian hosting company Reg.ru, but anti-spam researcher Ron Guilmette reportedly found that most of the domains used in the bomb threat campaign had been transferred from US hosting giant GoDaddy shortly before the attack began. Ars Technica suggests that the domains were hijacked using an attack technique that first surfaced in 2016.
DNS is short for Domain Name Service, and it’s effectively a phone book for the web. It’s the internet’s way of converting a URL such as www.example.com to the IP address for the computer that hosts its web pages.
Your computer finds a domain’s IP address by querying a name server that stores that information in a text record known as a zone file. Your computer knows what name server to query because the name server addresses are stored in top level domain (TLD) servers dotted around the internet. These TLD servers get the name server addresses from the registrar that originally registered the domain.
Hosting companies that offer managed DNS services update all of this information for you. You tell them which domain you want to control, and they provide the appropriate name server information. The problem is that many managed DNS services allow people to add domains to their accounts without checking to see if those people own the domains first.
Cybersecurity researcher Matthew Bryant first discovered this flaw in the domain setup process for hosting company Digital Ocean in 2016 before realising that it was a much wider problem affecting companies ranging from Amazon to Rackspace.
The problem occurs when the zone file for a domain disappears but the domain’s owner doesn’t update the name server information held by the registrar. This can happen because the domain’s owner doesn’t want to host a web site at the domain anymore, or because payments for the domain hosting lapse. Occasionally, as was the case with the hijacked domain virtualfirefox.com, the owner gains legitimate ownership of the domain to avoid someone cybersquatting it but doesn’t need to host anything at that domain.
This leaves a name server with no zone file, meaning that an attacker can populate it with their own. They can register a free account with the managed DNS/hosting company and ask for that domain to be included in their account. That lets them transfer the domain to their own hosting provider. As Bryant found, many managed DNS companies honour that request without first checking to see if someone else owns the domain.
This is a great attack vector for spammers, explained Bryant in his 2016 post, because it gives them legitimacy. Anti-spam software will often block mail from newly-registered domains or from domains with bad reputations, which makes it hard for spammers to deliver their mail. Using this attack, they can use email servers registered to the hijacked domains to send spam emails that originate from their own servers. The domains that they hijack will often have been registered for a long time and have good reputations, which makes it far more likely that their spam mail will get through.
Bryant said:
If an attacker launches a malware campaign using these domains, it will be harder to pinpoint who/what is carrying out the attack since the domains would all appear to be just regular domains with no observable pattern other than the fact that they all use cloud DNS. It’s an attacker’s dream, troublesome attribution and an endless number of names to use for malicious campaigns.
This is what appears to have happened with the bomb threat spam sent last month, and with the sextortion campaign mentioned earlier. Guilmette’s research reportedly found that overall, GoDaddy left more than half a million domains vulnerable to hijacking.
The attackers appear to have cherry-picked sites owned by household names including Expedia, Mozilla and Yelp.
GoDaddy told Naked Security that it was fixing the problem associated with the hijacked domain names:
We have indeed made the fix to prevent malicious use of our DNS zone entries. Due to the sensitive nature of security, we are not disclosing exactly how we fixed it. Additionally, we are currently removing the domain names mentioned by the security researcher.
To prevent their sites being hijacked this way, though, the safest bet for domain owners is to ensure that they update their name server information when removing a zone file so that attackers can’t take control of their domain.
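As an added example (not from the original article or from any vendor), a domain owner can check their own delegations for the condition described above by sending each registered name server a non-recursive SOA query and flagging any that refuse, fail to answer, or answer without authority. The name server names and sample replies are constructed, and the function names are this example's own.

```python
import socket
import struct

def build_query(domain, qid=0x1234):
    """Build a non-recursive (RD=0) DNS query for the domain's SOA record."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in domain.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN

def classify(response):
    """Return 'ok' if the server answers authoritatively, else 'lame'."""
    if response is None or len(response) < 12:
        return "lame"                      # timeout or truncated reply
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    authoritative = bool(flags & 0x0400)   # AA bit: server holds the zone
    rcode = flags & 0x000F                 # 0 = NOERROR, 5 = REFUSED
    return "ok" if (rcode == 0 and authoritative and ancount > 0) else "lame"

def ask(server_ip, domain, timeout=3.0):
    """Send the SOA query over UDP to one delegated name server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(domain), (server_ip, 53))
            return s.recvfrom(512)[0]
        except OSError:                    # includes socket timeouts
            return None

def lame_servers(responses):
    """responses: {name server: raw reply or None} -> servers with no zone."""
    return sorted(ns for ns, raw in responses.items() if classify(raw) == "lame")

def sample_reply(flags, ancount):
    """Constructed 12-byte DNS header used as sample input (not captured traffic)."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

SAMPLE = {
    "ns1.dns-host.example": sample_reply(0x8400, 1),  # QR+AA, NOERROR, 1 answer
    "ns2.dns-host.example": sample_reply(0x8005, 0),  # REFUSED: no zone file here
    "ns3.dns-host.example": None,                     # no reply at all
}

if __name__ == "__main__":
    print(lame_servers(SAMPLE))
```

Any name server this reports is still listed at the registrar but no longer serves the zone, so the delegation should be updated or removed.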