Cybercriminals Hack DNS Records of Go Daddy Sites to Distribute Ransomware

The hackers are most likely using compromised credentials to achieve their goal

By on November 23rd, 2012 14:07 GMT

Cybercriminals have found a clever way to distribute pieces of ransomware. They’re hacking the DNS records of websites hosted by Go Daddy in an effort to redirect visitors to their own malicious sites.

The Domain Name System (DNS) allows us to access websites by typing their names instead of their IP addresses. Without this system, whenever we wanted to access a site we would have to type something like http://64.233.160.1/ instead of http://google.com.

According to researchers from security firm Sophos, crooks are abusing this system by adding their own IP addresses to the DNS records of websites.

By adding several subdomains with corresponding DNS entries that reference malicious IPs, attackers can evade security filtering and trick users into thinking that they’re on a legitimate site.

In this particular case, the rogue servers to which users are redirected host an exploit kit called Cool EK, which is similar to the notorious BlackHole.

The exploit kit probes the visitor's system for vulnerabilities and, if it finds one, uses it to install the ransomware.

The ransomware itself is not out of the ordinary. It locks up the computer screens of victims and informs them that they must pay a fine to a law enforcement agency (depending on their location) for downloading illegal content.

The crooks use an animated GIF image that mimics the video capture from the victim’s webcam to make everything more legitimate-looking.

Unfortunately, experts haven’t been able to determine if the attackers are utilizing stolen account credentials, because Go Daddy doesn’t allow webmasters to view their historical login activity and they’re not too willing to give up such information. However, this is the most plausible theory.

Website owners who suspect that their sites have been hijacked in such a manner are advised to change their passwords. Furthermore, they can check their DNS configuration to see if any suspicious entries have been added.
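As an added illustration of the DNS check the article recommends (this is example code, not from Sophos, Go Daddy or the article), the script below audits a zone export for the pattern described above: extra subdomains whose A records point at addresses the site owner does not operate. The zone text, the domain name, the expected host inventory and the IP ranges are all constructed placeholders, not data from the incident.

```python
"""
Added example: audit a DNS zone export for subdomains that resolve to
addresses outside the owner's known infrastructure, the kind of
"suspicious entry" a site owner should look for after a registrar-account
compromise. All names, addresses and the zone text are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Addresses the site owner actually operates (hypothetical, constructed;
# 203.0.113.0/24 is a documentation range, not a real host).
KNOWN_GOOD_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
]

# Host names the owner expects to exist in the zone (constructed inventory).
EXPECTED_HOSTS = {"example.com.", "www.example.com.", "mail.example.com."}

# A constructed BIND-style zone export. The last two A records imitate the
# pattern from the article: added subdomains pointing at outside addresses.
ZONE_EXPORT = """\
$ORIGIN example.com.
@        3600 IN A   203.0.113.10
www      3600 IN A   203.0.113.10
mail     3600 IN A   203.0.113.25
@        3600 IN MX  10 mail.example.com.
; records a defender would want flagged (constructed for the example)
cdn1     300  IN A   198.51.100.77
static2  300  IN A   198.51.100.78
"""

@dataclass
class Finding:
    name: str
    address: str
    reasons: tuple

# Matches "<name> <ttl> IN A <address>"; other record types are skipped.
ZONE_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)\s*$")

def parse_a_records(zone_text):
    """Return (fqdn, ttl, address) for every A record, honouring $ORIGIN."""
    origin = "."
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = ZONE_LINE.match(line)
        if not m:
            continue  # MX, NS, TXT etc. are out of scope for this check
        name, ttl, addr = m.groups()
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name
        else:
            fqdn = f"{name}.{origin}"
        records.append((fqdn, int(ttl), addr))
    return records

def audit_zone(zone_text, known_networks=KNOWN_GOOD_NETWORKS,
               expected_hosts=EXPECTED_HOSTS):
    """Flag A records that point outside known networks or name unexpected hosts."""
    findings = []
    for fqdn, _ttl, addr in parse_a_records(zone_text):
        reasons = []
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in known_networks):
            reasons.append("address outside known infrastructure")
        if fqdn not in expected_hosts:
            reasons.append("host name not in expected inventory")
        if reasons:
            findings.append(Finding(fqdn, addr, tuple(reasons)))
    return findings

if __name__ == "__main__":
    for f in audit_zone(ZONE_EXPORT):
        print(f"{f.name:25} {f.address:16} {'; '.join(f.reasons)}")
```

Run it against a zone file exported from the registrar's control panel; any record that trips either rule deserves a look, and a host name nobody on the team recognises that also points outside the organisation's address space is exactly the signature the article describes.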
