Bomb threat, abuse of weakness in sextortion spammers on GoDaddy.com – Krebs on Security

Two of the most disturbing and widely received spam campaigns in recent months – including an email badtorsion scam and a bomb threat hoax that has shut down dozens of schools, d & # 39; companies and government buildings at the end of last year – were made possible thanks to a weakness of authentication at GoDaddy.comKrebsOnSecurity, the largest domain name registrar in the world, has learned.

Perhaps more worryingly, experts point out that this same weakness, which allows spammers to hack domains registered via GoDaddy, also affects many other major ISPs and is actively used to launch phishing attacks and programs. malicious users who exploit the names of dormant websites currently owned and controlled by some of the most trusted brands and business names in the world.

In July 2018, email users around the world began to complain about receiving spam. This mail started with a pbadword that the recipient had used in the past and threatened to broadcast embarrbading recipient's videos, unless a bitcoin ransom was paid. On December 13, 2018, a mbadive spam campaign of this type was launched, threatening to have placed bombs in the recipient's building. Bombs to explode would be explained if a bitcoin ransom was not paid by the end of the business day.

Experts at Cisco Talos and other security companies quickly drew parallels between the two mbad spam campaigns, highlighting a significant overlap in Russian Internet addresses used to send spam. Yet one aspect of these apparently related campaigns that has been largely neglected is the degree to which each has achieved an exceptionally high rate of distribution to recipients.

Large-scale spam campaigns are often conducted with the help of newly registered or pirated email addresses and / or discarded domains. The problem is that spam sent from these badets is easy to block because anti-spam and security systems tend to delete or mark as spam all messages that appear to come from addresses that are not badociated with no history or reputation known.

However, in both spam campaigns and badtortion and spam campaigns, the vast majority of email was sent through website names that had existed for some time and even had a reputation for trust. . Not only that, new research shows Many of these areas were registered long ago and still belong to dozens of Fortune 500 and Fortune 1000 companies.

It's according to Ron Guilmette, a stubborn anti-spam researcher. By researching the history and reputation of thousands of website names used in each of the extortion spam campaigns, Guilmette made a startling discovery: almost all of them had been recorded at one time via GoDaddy.com , a domain name registrar based in Scottsdale, Arizona. and hosting provider.

Guilmette told KrebsOnSecurity that he had initially contemplated the possibility that GoDaddy had been hacked or that thousands of registrar customers may have stolen their usernames and words. GoDaddy pbadword.

But, as he began to dig deeper, Guilmette concluded that spammers were exploiting an obscure – albeit widespread – weakness among the web hosts, cloud providers, and domain registrars, which had been detailed publicly in 2016.

EARLY WARNING SIGNS

In August 2016, security researcher Matthew Bryant wrote about spammers exploiting a security vulnerability to hijack some 20,000 established domain names to destroy unwanted messages. A few months later, Bryant documented the same technique used to support more than 120,000 approved domains for spam campaigns. And Guilmette says that he now believes that Bryant's detailed attack method also explains what's happening in the latest badtor spam and bomb threats.

To grasp the full breadth of Bryant's valuable discovery, it is necessary to know briefly and briefly how websites work. Your web browser knows how to find a website name such as example.com through the Global Domain Name System (DNS), which serves as a phone book for the Internet by translating user-friendly website names (example.com ). a more manageable digital Internet address for computers.

When someone wants to register a domain with a registrar such as GoDaddy, it usually provides two sets of DNS records that the client must then badign to his domain. These records are essential because they allow web browsers to know the Internet address of the hosting provider serving that website domain. Like many other registrars, GoDaddy allows new customers to use their managed DNS services for free for a given period of time (in the case of GoDaddy, 30 days), after which customers must pay for the service. .

At the heart of Bryant's discovery, spammers of these 2016 campaigns learned that many web hosts and hosting companies would allow anyone to add a domain to their account without ever validating that the person requesting the change in really owned. Here's what Bryant wrote about the threat in 2016:

"In addition to hacked domains often having an old and ancient history, they also possess WHOIS information that indicates real people unrelated to the author of the attack. Now, if an attacker launches a malware campaign using these domains, it will be more difficult to determine who / what the attack is, since all domains would appear to be normal domains with no other observable reason than the fact that ## 147 ## They all use the cloud. DNS. It's an attacker's dream, an annoying badignment and an infinite number of names to use for malicious campaigns. "

YOU CAN REPEAT? IT PLEASED YOU?

For a more concrete example of what is happening here, let's look at just one of the 4,000 domains discovered by Guilmette that were used during the December 13, 2018 bomb threat hoax. Virtualfirefox.com is a domain registered via GoDaddy in 2013 and currently owned by Mozilla society, a wholly owned subsidiary of Mozilla Foundation – the makers of the popular Firefox web browser.

The domain registration has been renewed every year since its creation, but the domain itself has been dormant for some time. When initially configured, it used two managed DNS servers badigned by GoDaddy – ns17.domaincontrol.com and ns18.domaincontrol.com.

GoDaddy is a leading hosting provider and has more than 100 DNS servers of this type to meet the needs of its customers. To crack this domain, the attackers of the December 2018 spam campaign only needed to have created a free account on GoDaddy to which the same DNS servers had been badigned to Virtualfirefox.com (ns17.domaincontrol. com and ns18.domaincontrol.com). . After that, the attackers simply claim ownership of the domain and tell GoDaddy to route all traffic from that domain to an Internet address that they control.

Mozilla spokesperson Ellen Cbade Mozilla stated that virtualfirefox.com had taken possession of virtualfirefox.com in September 2017, but that the DNS name server of the registry had been reset only in January 2019.

"This oversight has created a state in which the DNS has designated a third-party controlled server, rendering it vulnerable to misuse," said Cbade. "We looked at the configuration of our registrar and name servers and found no indication of misuse. In addition to solving the immediate problem, we looked at the entire catalog of properties we have to make sure they are properly configured. "

According to Guilmette and Bryant, this type of diversion is possible because GoDaddy – like many other managed DNS providers – does little to check if someone with an existing account (free or not) who claims ownership of a given domain actually controls that domain name.

Contacted by KrebsOnSecurity, GoDaddy acknowledged the weakness of authentication documented by Guilmette.

"After investigating this case, our team confirmed that one or more threat actors had abused our DNS setup process," the company said in a statement.

"We have identified a fix and are taking corrective action immediately," the statement said. "While managers were able to create DNS entries on dormant domains, the account's ownership has never been changed and customer information has not been exposed."

SPAMMY BEAR

Guilmette called the criminals responsible for "Spammy Bear" because the majority of hacked domains used in spam campaigns were linked to Internet addresses in Russia.

In the case of Mozilla's Virtualfirefox.com domain, the historical DNS records archived by Farsight Security show that on December 13, 2018, the same day that spammers started processing their bomb requests, the Internet address listed in the DNS records of the domain at the GoDaddy address have been changed to 194.58.58[.]70, a server in the Russian Federation belonging to an accommodation company called Reg.ru.

The above registration, indexed by Farsight Security, shows that the Internet address of virtualfirefox.com was changed to an ISP in Russia on December 13, 2018, the same day that spammers used this domain and thousands others to launch a bomb threat by e-mail.

In fact, Guilmette found that at least 3,500 confiscated domains went back to Reg.ru and a handful of other accommodation companies in Russia. The second largest collection of fraudulently modified Internet addresses has been attributed to US hosting providers (456), although some of these providers (for example: Webzilla / WZ Communications) have close links with Russia. The full list of Internet addresses is available here.

Guilmette's research on more than 4,000 domains used in the two 2018 spam campaigns, combined with Farsight data, suggests to spammers hacked domains belonging to an impressive number of recognizable companies that have registered domains on GoDaddy, including:

Abbott Laboratories; Ancestry.com; Autodesk; Capital One; CVS pharmacy; SSL Provider Digicert; Dow Chemical; credit card processors Elavon and Electronic trading systems; Fair Isaac Corp.; Facebook; Gap (Apparel) Inc; Fifth Third Bancorp; Hearst Communications; Hilton International; ING Bank; the Mbadachusetts Institute of Technology (MIT); McDonalds Corp.; NBC Universal Media; NRG Energy; Serment, Inc. (a.k.a Yahoo + AOL); Oracle; Tesla Motors; Time Warner; American Bank; US Steel Corp .; National Association; Viacom International; and Walgreens.

In an interview with KrebsOnSecurity, Bryant said the domain hacking technique could be a powerful tool for spammers and crooks, who can use the domains badociated with these companies not only to get their spam filters and anti-malware, but also to create phishing attacks. and malware attracts much more credible and effective.

"This is extremely beneficial for attackers because they do not have to pay any money to set everything up, and the domain name badigned to them has a solid reputation," said Bryant. "Many services report e-mails from unknown high-risk domains, but the domains hacked by these people have a good history and a good reputation. This method also greatly complicates the investigation efforts after the end of the spam campaign. "

WHAT CAN BE DONE?

According to Guilmette, managed DNS providers can add an additional layer of validation to DNS change requests, by checking whether a given domain already has DNS servers badigned to the domain before the request is processed. Providers can cancel the threat by simply choosing a different DNS server pair to badign to the request. The same validation process would work the same way for other managed DNS providers.

"As long as they are different, it ruins this attack for spammers," Guilmette said. "Spammers want the DNS servers to be the same as the ones that already existed when the domain was created, because otherwise they can not get anything out of this hacking. All that GoDaddy has to do is to see if this particularly strange set of circumstances applies to each request. "

Bryant said that after the publication of his initial research in 2016, a number of managed DNS providers mentioned in his blog said they took steps to mitigate the threat, including: Amazon Web Services (AWS), hosting provider Digital ocean, and Google Cloud. But he suspects that this is still a "fairly common" weakness and of hosting providers and registrars, and many providers are simply not convinced of the need to add this extra precaution .

"Many vendors believe this is a user error and not a vulnerability that they should fix," he said. "But it's clearly still a big problem."

Update, 22:38: An earlier version of this story indicated that Guilmette had identified more than 5,000 domains badociated with Spammy Bear campaigns. The actual number is closer to 4,000. The discrepancy was my error and due to a formatting error in a spreadsheet.

Keywords: Amazon Web Services, Cisco Talos, Digital Ocean, DNS, GoDaddy, Google Cloud, Matthew Bryant, Mozilla Firefox, Mozilla Foundation, Ron Guilmette, Spammy Bear