Menu
Hackers try to hijack Facebook, other high profile domains through domain registrar

Hackers try to hijack Facebook, other high profile domains through domain registrar

Some registration information for facebook.com was changed, but the domain was not redirected to an unauthorized server

The Syrian Electronic Army (SEA), a group of hackers who have made a habit of hijacking high-profile domain names, managed to change the domain registration information for Facebook.com, but failed to redirect the domain to a different server.

The hackers posted screen shots Thursday on Twitter from what appeared to be the administration panel of a San Francisco-based company called MarkMonitor that manages domain names on behalf of large enterprises. The company's services focus on online brand protection and anticounterfeiting.

MarkMonitor's domain management service "ensures domains are safe with a 'hardened' portal and a full suite of premium security solutions, including advanced security measures at the registrar level -- and, security services to lock domains down to the registry level," the company's website says.

It seems that SEA targeted MarkMonitor in order to attack Facebook in particular as the company celebrated its 10th anniversary Tuesday. The group used the MarkMonitor control panel to modify the WHOIS information for facebook.com, changing the domain's contact address to Damscus, Syria.

The hackers failed to modify the domain's DNS (domain name system) settings and point the website to a server under their control, as they did in the past with the domain names of other companies. That's because facebook.com has a registry lock in place, a feature that requires additional human-based verification at the registry level for making changes to a domain name. The registry for the .com TLD zone is VeriSign.

It's not clear how SEA obtained access to the MarkMonitor control panel, but from other screen shots published by the hackers, the panel also gave them access to the domain names of Amazon, Google, Yahoo and many other well-known companies from different industries.

Domain whois queries for amazon.com, google.com and yahoo.com all show MarkMonitor as the registrar, but like facebook.com, all of those domain name have the "clientUpdateProhibited" flag which indicates the presence of a registry lock. This means SEA wouldn't have been able to hijack those domain names either.

MarkMonitor, which is owned by Thomson Reuters, did not immediately respond to an inquiry seeking more information about the attack.

Facebook declined to comment, but its domain's whois information was quickly corrected following the incident.

SEA's modus operandi involves launching spear phishing attacks against employees of the companies they target in order to obtain sensitive credentials. Spear phishing is a targeted form of phishing, which involves tricking people into divulging their login information or installing malicious software.

In August the hacker group used phishing to compromise a reseller account at an Australian domain registrar and IT services company called Melbourne IT. The hackers used the account to change the name server records for several domains including nytimes.com, sharethis.com, huffingtonpost.co.uk, twitter.co.uk and twimg.com.

Last month they managed to post rogue messages on the official Microsoft and Office blog sites after first gaining access to the email accounts of some of the company's employees.

SEA normally hijacks domain names in order to deface the websites they target and display pro-Syria messages to their visitors, as group publicly supports Syrian President Bashar al-Assad and his government. However, this kind of attack can also be used for more nefarious purposes. Instead of political messages, attackers could display a phishing page to steal user credentials or serve exploits to infect computers with malware.

Security experts repeatedly advised companies to protect their domain names by putting registry locks in place for them. VeriSign offers this service for domain names in the .com, .net, .tv, .cc and .name TLD zones.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags amazonVeriSignonline safetyThomson ReuterssecurityMarkMonitorAccess control and authenticationFacebookintrusionYahooGoogle

Featured

Slideshows

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Examining the changing job scene in the Kiwi channel

Examining the changing job scene in the Kiwi channel

Typically, the New Year brings new opportunities for personnel within the Kiwi channel. 2017 started no differently, with a host of appointments, departures and reshuffles across vendor, distributor and reseller businesses. As a result, the job scene across New Zealand has changed - here’s a run down of who is working where in the year ahead…

Examining the changing job scene in the Kiwi channel
​What are the top 10 tech trends for New Zealand in 2017?

​What are the top 10 tech trends for New Zealand in 2017?

Digital Transformation (DX) has been a critical topic for business over the last few years and IDC is now predicting a step change as DX reaches macroeconomic levels. By 2020 a DX economy will emerge and it will become the core of what New Zealand industries focus on. From the board level through to the C-Suite, Kiwi organisations must be prepared to think and act digital when the DX economy emerges in 2017.

​What are the top 10 tech trends for New Zealand in 2017?
Show Comments