What's In A Name?
"What's in a name? That which we call a rose
By any other name would smell as sweet." – Juliet, Romeo and Juliet (II, ii, 1-2)
"A good name is more desirable than great riches; to be esteemed is better than silver or gold." – Proverbs 22:1 (NIV)
A rose is a rose is a rose
What if I could hack your organization and abuse your company’s reputation – and what if I could do it without your firewall, IDS, IPS, or your host-based badware detection making a peep?
What if I could use your organization’s good name to sell ED drugs, questionable Facebook "apps," shady online "personal ads," or to distribute porn that would make a sailor blush?
What if I did all of that, and you didn’t know? What if the hack itself took place on a machine you didn’t directly control and only accessed rarely? And what if the hack was so subtle, so obscure, and so difficult to find that once I had it in place, it might be years before you ever stumbled across it – if you ever stumbled across it?
This nightmare scenario is, unfortunately, reality for at least 50 organizations – ones that I’ve been able to uncover – and I'm certain that there are many, many more. Each of these organizations has been a victim of a malicious alteration of their domain information – an alteration that added new machine names to their existing information, and allowed bottom-feeding scam artists to abuse their good reputation to boost the search-engine profile of their drug, app, "personal ad," or porn sites.
Take a look at the following table:
These sites... | Resolve To | While the main site... | Resolves To |
---|---|---|---|
buy-viagra.4kidsnus.com | 67.55.117.204 | www.4kidsnus.com | 50.73.38.13 |
drugs-1501.abingtonurology.com | 67.55.117.204 | www.abingtonurology.com | 74.208.98.50 |
personals-1501.abingtonurology.com | |||
tubes-1501.abingtonurology.com | |||
payday-loans.accessbank.com | 74.220.215.210 | www.accessbank.com | 66.147.240.154 |
cialis.advancedsynthesis.com | 74.50.13.17 | www.advancedsynthesis.com | 216.227.216.47 |
viagra.advancedsynthesis.com | |||
cialis.apptech.com | 66.96.147.107 | www.apptech.com | 66.96.147.107 |
loans.apptech.com | |||
viagra.apptech.com | 66.96.147.106 | ||
buy-cialis.asfiusa.com | 67.55.33.109 | www.asfiusa.com | 74.220.215.84 |
buy-viagra.asfiusa.com | |||
mg-drugs.asfiusa.com | |||
payday-loans.asfiusa.com | |||
rx-drugs.asfiusa.com | |||
facebook.blueagle.com | 74.50.13.17 | www.blueagle.com | 209.200.244.56 |
buy-cialis.boothscorner.com | 67.55.117.204 | www.boothscorner.com | 74.208.98.50 |
buy-viagra.boothscorner.com | |||
24-buy-cialis.campsankanac.org | 67.55.33.109 | www.campsankanac.org | 74.208.98.50 |
24-personals.campsankanac.org | |||
buy-cialis.campsankanac.org | |||
buy-viagra.campsankanac.org | |||
viagra.cccsaa.org | 74.50.13.17 | www.cccsaa.org | 216.227.214.82 |
buy-cialis.cfi.gov.ar | 67.55.117.204 | www.cfi.gov.ar | 201.234.37.147 |
buy-viagra.cfi.gov.ar | |||
mg-drugs.chesarda.org | 65.254.250.103 | www.chesarda.org | 65.254.250.109 |
viagra.cranehighschool.org | 74.50.13.17 | www.cranehighschool.org | 216.227.220.85 |
buy-cialis.dollardiscount.com | 67.55.117.204 | www.dollardiscount.com | 74.208.98.50 |
buy-viagra.dollardiscount.com | |||
buy-cialis.eap.edu | 74.220.215.210 | www.eap.edu | 66.147.240.167 |
buy-viagra.eap.edu | |||
mgdrugs.eap.edu | |||
payday-loans.eap.edu | |||
rxdrugs.eap.edu | |||
buy-cialis.ejercito.mil.do | 74.220.215.210 | www.ejercito.mil.do | 74.220.215.113 |
buy-viagra.ejercito.mil.do | |||
mgdrugs.ejercito.mil.do | |||
payday-loans.ejercito.mil.do | |||
rxdrugs.ejercito.mil.do | |||
buy-cialis.elbertcounty-co.gov | 74.220.215.210 | www.elbertcounty-co.gov | 74.220.207.155 |
buy-viagra.elbertcounty-co.gov | |||
drugs.elbertcounty-co.gov | |||
cheap-viagra.ellerbecreek.org | 66.96.147.106 | www.ellerbecreek.org | 66.96.147.106 |
cialis-price.ellerbecreek.org | |||
payday-loans.ellerbecreek.org | |||
cialis-buy.esad.org | 69.73.170.8 | www.esad.org | 69.73.185.194 |
payday-loan.esad.org | |||
player.esad.org | |||
translator.esad.org | |||
buy-cialis.fabius-ny.gov | 173.236.60.138 | www.fabius-ny.gov | 173.236.47.26 |
buy-viagra.fabius-ny.gov | |||
payday-loans.fabius-ny.gov | |||
personals.fabius-ny.gov | |||
1-facebook.fwbl.com | 173.236.60.138 | www.fwbl.com | 65.60.41.210 |
1-games.fwbl.com | |||
1-payday-loans.fwbl.com | |||
1translator.fwbl.com | |||
payday-loans.fwbl.com | |||
payday-loans.fwbl.com | |||
translator2.fwbl.com | |||
facebook-i.georgetownky.gov | 69.73.170.8 | www.georgetownky.gov | 69.73.136.24 |
payday.georgetownky.gov | |||
personals-d.georgetownky.gov | |||
viagra-buy.georgetownky.gov | |||
rx-drugs.golocalnet.com | 65.254.250.103 | www.golocalnet.com | 65.254.250.105 |
mg-drugs.goodhope.com | 66.96.147.106 | www.goodhope.com | 66.96.147.115 |
buy-cialis.hamwave.com | 74.50.13.17 | www.hamwave.com | 209.200.245.66 |
buy-viagra.hamwave.com | |||
payday.hamwave.com | |||
buy-cialis.haskell.edu | 74.220.215.210 | www.haskell.edu | 74.220.207.138 |
buy-viagra.haskell.edu | |||
drugs-coog.haskell.edu | |||
drugs.haskell.edu | |||
cialis.hiwassee.edu | 65.254.250.103 | www.hiwassee.edu | 65.254.250.110 |
drugs.hiwassee.edu | |||
payday-loans.hiwassee.edu | |||
buy-viagra.hothouse.net | 66.96.147.106 | www.hothouse.net | 66.96.147.106 |
buy-cialis.iiehk.org | 67.55.117.204 | www.iiehk.org | 58.177.188.240 |
buy-viagra.iiehk.org | |||
buy-viagra.karen.org | 65.254.250.103 | www.karen.org | 65.254.250.109 |
facebook.lisboniowa.com | 65.254.250.103 | www.lisboniowa.com | 65.254.250.114 |
payday-loans.lisboniowa.com | |||
viagra.lisboniowa.com | |||
cialis.medpharmsales.com | 74.50.13.17 | www.medpharmsales.com | 216.227.214.82 |
buy-cialis.menalive.com | 69.73.170.8 | www.menalive.com | 69.73.138.10 |
buy-viagra.menalive.com | |||
drugs.menalive.com | |||
facebook.menalive.com | |||
payday-loans.menalive.com | |||
buy-viagra.mvas.org | 74.220.215.210 | www.mvas.org | 74.220.215.73 |
payday-loans.mvas.org | |||
buy-cialis.nywolf.org | 96.30.42.100 | www.nywolf.org | 96.30.42.100 |
buy-viagra.nywolf.org | |||
payday-loans.nywolf.org | |||
buy-cialis.okgolf.org | 65.254.250.103 | www.okgolf.org | 65.254.250.101 |
loans.omill.org | 69.73.170.8 | www.omill.org | 69.73.139.41 |
mg-drugs.omill.org | |||
personals.omill.org | |||
rx-drugs.omill.org | |||
cialis.onyvax.com | 173.236.60.138 | www.onyvax.com | 216.104.37.106 |
loans.onyvax.com | |||
viagra.onyvax.com | |||
drugs-1501.pattywagstaff.com | 67.55.117.204 | www.pattywagstaff.com | 76.202.66.30 |
personals-1501.pattywagstaff.com | |||
tubes-1501.pattywagstaff.com | |||
1-payday-loans.qunlimited.com | 173.236.60.138 | www.qunlimited.com | 173.236.37.194 |
1facebook.qunlimited.com | |||
1-facebook.rivcoems.org | 173.236.60.138 | www.rivcoems.org | 69.175.91.58 |
1-payday-loans.rivcoems.org | |||
1player.rivcoems.org | |||
buy-cialis.sacmetrofire.ca.gov | 74.220.215.210 | www.sacmetrofire.ca.gov | 66.147.240.176 |
buy-viagra.sacmetrofire.ca.gov | |||
drugs.sacmetrofire.ca.gov | |||
mgdrugs.sacmetrofire.ca.gov | |||
rxdrugs.sacmetrofire.ca.gov | |||
buy-cialis.santafeproductions.com | 74.50.13.17 | www.santafeproductions.com | 209.200.242.240 |
cialis.saturdaymarket.com | 74.50.13.17 | www.saturdaymarket.com | 209.200.245.36 |
viagra.saturdaymarket.com | |||
buy-cialis.seabury.edu | 74.220.215.210 | www.seabury.edu | 66.147.240.183 |
buy-viagra.seabury.edu | |||
drugs.seabury.edu | |||
buy-cialis.symspray.com | 66.96.147.106 | www.symspray.com | 66.96.147.103 |
buy-cymbalta.tcsys.com | 67.55.117.204 | www.tcsys.com | 99.20.97.250 |
buy-lexapro.tcsys.com | |||
buy-viagra.tcsys.com | |||
divx-player.tcsys.com | |||
facebook.tcsys.com | |||
flv-player.tcsys.com | |||
personals-2702.tcsys.com | |||
player.tcsys.com | |||
translator.tcsys.com | |||
tubes-2702.tcsys.com | |||
buy-viagra.ubf.org | 74.220.215.210 | www.ubf.org | 74.220.201.220 |
mg-drugs.ubf.org | |||
payday-loans.ubf.org | |||
rx-drugs.ubf.org | |||
drugs-1801.uhsurology.com | 67.55.117.204 | www.uhsurology.com | 64.57.219.72 |
personals-1801.uhsurology.com | |||
tubes-1801.uhsurology.com | |||
buy-cialis.uniben.edu | 74.220.215.210 | www.uniben.edu | 69.195.82.57 |
buy-viagra.uniben.edu | |||
mg-drugs.uniben.edu | |||
mgdrugs.uniben.edu | |||
payday-loans.uniben.edu | |||
payday.uniben.edu | |||
rx-drugs.uniben.edu | |||
rxdrugs.uniben.edu | |||
buy-cialis.viethoc.org | 67.55.117.204 | www.viethoc.org | 208.127.15.120 |
buy-cymbalta.viethoc.org | |||
buy-levitra.viethoc.org | |||
buy-lexapro.viethoc.org | |||
buy-viagra.viethoc.org | |||
divx-player-beob.viethoc.org | |||
flv-player-beob.viethoc.org | |||
personals-0602.viethoc.org | |||
player-beob.viethoc.org | |||
drugs.williamson.edu | 65.254.250.103 | www.williamson.edu | 65.254.250.105 |
payday-loans.williamson.edu | |||
viagra.williamson.edu | |||
payday.yanceycountync.gov | 67.55.33.109 | www.yanceycountync.gov | 66.147.242.162 |
tubes-1111.yanceycountync.gov | |||
Over 150 "new" entries have been created in the zone information for these organizations. Each of these new "sites" inherits whatever good reputation the parent domain may have accumulated, and is, therefore, valuable as a means of search engine optimization (SEO).
The following table shows that these hacks occurred at multiple DNS providers with a few being somewhat more "popular" than others:
Domain | DNS Provider |
---|---|
4kidsnus.com | dnsexit.com |
abingtonurology.com | |
boothscorner.com | |
campsankanac.org | |
cfi.gov.ar | |
dollardiscount.com | |
iiehk.org | |
pattywagstaff.com | |
tcsys.com | |
uhsurology.com | |
viethoc.org | |
yanceycountync.gov | |
ejercito.mil.do | hostmonster.com |
accessbank.com | |
asfiusa.com | |
eap.edu | |
elbertcounty-co.gov | |
haskell.edu | |
mvas.org | |
sacmetrofire.ca.gov | |
seabury.edu | |
ubf.org | |
uniben.edu | |
apptech.com | ipage.com |
ellerbecreek.org | |
goodhope.com | |
hothouse.net | |
symspray.com | |
qunlimited.com | justhost.com |
advancedsynthesis.com | lunariffic.com |
blueagle.com | |
cccsaa.org | |
cranehighschool.org | |
hamwave.com | |
medpharmsales.com | |
santafeproductions.com | |
saturdaymarket.com | |
compliancemedical.com | myhostcenter.com |
menalive.com | nocdirect.com |
esad.org | |
georgetownky.gov | |
omill.org | |
fabius-ny.gov | pipedns.com |
fwbl.com | |
onyvax.com | |
rivcoems.org | |
chesarda.org | powweb.com |
golocalnet.com | |
hiwassee.edu | |
lisboniowa.com | |
okgolf.org | |
williamson.edu | |
nywolf.org | wiredtree.com |
karen.org | yourhostingaccount.com |
Finding these sites was a matter of luck and perseverance. Initially, I happened across a single, odd-sounding site name while looking for organizations that had been compromised by the bad guys for SEO purposes. Using tools that attempt to list all of the domain records pointing to a particular IP address led me to more. Google searches for sites linking to these domains led me further. Unquestionably, there are more of these types of sites out there – some not currently in use. However, because there is no good way to truly search DNS information, attempting to find these from the "outside" is difficult and frustrating.
"Round up the usual suspects..."
How did this happen? Unsurprisingly, no one I talked to about this was standing at the front of the line, ready to take the blame: domain owners swear they used good passwords and are sure that the DNS providers were hacked; DNS providers are certain that the domain owners used lousy passwords on their accounts... 'round and 'round we go.
My gut tells me that the truth lies somewhere in between: bad passwords combined with poor account lockout controls on something like a cPanel-type web interface probably led to successful brute force attacks on most of these... I could, however, be completely wrong. Unfortunately, I just don't have the time to chase every one of these to ground.
Don’t Let This Happen To You
- Check your DNS zone file information periodically, just to make sure nothing has been added without your knowledge.
- Choose passwords wisely, especially on interfaces where brute-force attacks are likely (i.e. pretty much anything accessible from the internet). Never use dictionary words. And remember: while "qwertyuiop" may not be in your dictionary, it IS in mine...
- Periodically take a look at your website as Google sees it (Google search: "site:yoursite.com", NOT "site:www.yoursite.com") and look through the pages for anything out of the ordinary. Toss a few choice keywords in as well ("Viagra," "Cialis," "drugs," "personals," etc...). This kind of search can help you discover many different types of issues with your site.
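One way to automate the first point, as an added example that is not part of the diary: compare today's export of your zone against a known-good baseline and flag any new owner names carrying the keywords seen in the table above. The two zone exports below are constructed samples for example.org, and the keyword list is taken from the hostnames in that table.

```python
import re

# Constructed sample: a known-good export of the example.org zone (the baseline)
BASELINE_ZONE = """
$ORIGIN example.org.
@     IN SOA ns1.example.org. hostmaster.example.org. 2011101201 7200 900 1209600 3600
@     IN NS  ns1.example.org.
@     IN A   192.0.2.10
www   IN A   192.0.2.10
mail  IN MX  10 mail.example.org.
"""

# Constructed sample: today's export, with two names of the kind the table above lists
CURRENT_ZONE = BASELINE_ZONE + """
buy-cialis    IN A 198.51.100.7
payday-loans  IN A 198.51.100.7
ftp           IN A 192.0.2.11
"""

# Keywords taken from the hostnames in the table above
SPAM_WORDS = ("viagra", "cialis", "cymbalta", "lexapro", "levitra", "drugs",
              "payday", "loans", "personals", "tubes", "facebook", "player", "translator")
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(\w+)\s+(.+)$")  # owner [ttl] IN type rdata

def parse_zone(text):
    """Map each owner name to its set of (type, rdata) from a BIND-style zone file."""
    origin, records = "", {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        elif (m := RECORD_RE.match(line)):            # $TTL, blank lines etc. fall through
            owner, rtype, rdata = m.groups()
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"           # make relative names absolute
            records.setdefault(owner.lower(), set()).add((rtype.upper(), rdata.strip()))
    return records

def suspicious(name):
    return any(word in name.lower() for word in SPAM_WORDS)

def audit(baseline_text, current_text):
    """Report names added since the baseline, names whose records changed, and which added names look like SEO spam."""
    base, cur = parse_zone(baseline_text), parse_zone(current_text)
    added = sorted(set(cur) - set(base))
    changed = sorted(n for n in base if n in cur and base[n] != cur[n])
    return {"added": added, "changed": changed, "flagged": [n for n in added if suspicious(n)]}
```

Run `audit()` against a fresh zone export (AXFR output or the provider's zone download) on a schedule; any non-empty "added" list deserves a look, flagged or not, since benign-looking names can be added too.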
Tom Liston
ISC Handler
Senior Security Consultant, InGuardians, Inc.
Twitter: @tliston
Comments
dsh
Oct 12th 2011
Warren
Oct 12th 2011
It seems to list a few more domains that aren't posted here.
P
Oct 12th 2011
Any thoughts on how we can restrict access to these sites, short of blacklisting these domains manually in a blackhole ? DNS blocking is probably out, since it looks like the DNS servers could be hosting valid websites.
rescuehead
Oct 12th 2011
Erik van Straten
Oct 12th 2011
Mike O'D.
Oct 12th 2011
isif
Oct 12th 2011
These DNS providers were allowing users to create domains that were subdomains of other users domains. Some name server software will serve records for these subdomains if they are on the same name server even if NS records don't exist in the parent domain that delegate the subdomain.
No decent DNS provider would or does allow this.
DMM
Oct 13th 2011