
Tuesday, 17 January 2012

DNS Hijacks Now Being Used to Serve Black Hole Exploit Kit

Attackers have been going after various pieces of the DNS infrastructure for a long time now, and it's not unusual for there to be somewhat organized campaigns that target certain vertical industries or geographic regions. But researchers lately have been seeing an interesting pattern of compromises in which attackers somehow add new names to existing domains and use those sub-domains to piggyback on the good reputation of the sites and push counterfeit goods, pills and other junk. And now they're using the attack to push exploits via the Black Hole Exploit Kit.

The attacks have been ongoing for at least a couple of months, and while they're fairly simple in theory, researchers haven't necessarily been able to figure out how the attackers have managed to compromise the domains and get access to the DNS records to add their own sub-domains. What's happened is that attackers have been able to alter the domain records of dozens of existing, legitimate sites, including local government agencies, small businesses, community banks and others, and then insert new sub-domain names into the records.

So the new sub-domains might look something like this: payday-loans.smalltownbank.com. This small bank would likely have a good reputation built up in the various blacklisting and reputation systems out there and the attackers are able to ride on top of that and give themselves more credibility in the search-engine rankings. That means more users will find their domains in search results and potentially land on the sites, winding up on an order page for fake Viagra or shady personal loans instead of whatever they were searching for. The folks at the SANS Internet Storm Center have been looking into the attacks and have identified dozens of domains that have been affected and poisoned with the insertion of a slew of skeevy sub-domains pushing fake pharmaceuticals, loans and other Internet spam staples.

"The problem is only slowly starting to surface in the Google search results, but it is plenty evident in passive DNS loggers like RUS-CERT's: http://www.bfk.de/bfk_dnslogger.html?query=91.196.216.50#result The domains affected have been abused for the past several days to push copies of the BlackHole Exploit Kit," Daniel Wesemann of the SANS ISC wrote over the weekend. "The IP range used changes about every three, four days:

188.247.135.37 in use until Dec 2, AS34714, Opticnet, Romania
146.185.245.72 in use until Dec 5, AS43215, Monyson Group, Russia
91.196.216.50 in use since Dec 6, AS43239, Spetsenergo, Russia"
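The passive-DNS angle Wesemann points to is also the simplest way for a domain owner to catch this on their own zone: compare what resolvers are seeing against what the zone is supposed to contain. The following is an added example, not code from the article or from SANS ISC; the zone, labels, netblocks and records are all constructed (smalltownbank.com is the article's placeholder domain), and it flags both injected labels and known labels that suddenly point off-net, then groups off-net addresses so names sharing one rogue IP show up as a campaign.

```python
import ipaddress
from collections import defaultdict

# Baseline per monitored zone: sub-domain labels known to exist and the netblocks
# its hosts legitimately use. All values here are constructed for the example.
BASELINE = {
    "smalltownbank.com": {
        "labels": {"www", "mail", "online"},
        "netblocks": [ipaddress.ip_network("203.0.113.0/24")],
    },
}
# Constructed passive-DNS observations: (first_seen, fqdn, rrtype, rdata).
OBSERVATIONS = [
    ("2011-12-01", "www.smalltownbank.com", "A", "203.0.113.10"),
    ("2011-12-03", "payday-loans.smalltownbank.com", "A", "198.51.100.37"),
    ("2011-12-06", "cheap-pills.smalltownbank.com", "A", "198.51.100.37"),
    ("2011-12-07", "mail.smalltownbank.com", "A", "203.0.113.25"),
    ("2011-12-09", "online.smalltownbank.com", "A", "198.51.100.72"),
]

def split_zone(fqdn, zones):
    """Return (label, zone) when fqdn sits under a monitored zone, else None."""
    for zone in zones:
        if fqdn.endswith("." + zone):
            return fqdn[: -(len(zone) + 1)], zone
    return None

def audit(observations, baseline):
    """Flag unbaselined labels and off-net addresses; group off-net IPs by name."""
    findings = []
    by_ip = defaultdict(set)
    for first_seen, fqdn, rrtype, rdata in observations:
        hit = split_zone(fqdn, baseline)
        if hit is None or rrtype != "A":
            continue
        label, zone = hit
        known = label in baseline[zone]["labels"]
        addr = ipaddress.ip_address(rdata)
        in_block = any(addr in net for net in baseline[zone]["netblocks"])
        if known and in_block:
            continue                      # expected record
        if not known:
            reason = "injected-name" if not in_block else "unbaselined-name"
        else:
            reason = "redirected-host"    # known label now points off-net
        findings.append((first_seen, fqdn, rdata, reason))
        if not in_block:
            by_ip[rdata].add(fqdn)
    return findings, dict(by_ip)
```

Run against a real passive-DNS export, the `by_ip` map is the useful part: several never-before-seen labels on one zone all resolving to the same foreign address is exactly the pattern described above.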
