RealTime IT News

Hackers Abuse Domain-Name Trust

Using variations on trusted, popular domains has long been a common tactic for scammers, spammers and porn sites. But cyber criminals have devised a new twist on the misspelled domain-name trick by hijacking IP addresses. And they tried it on Yahoo.

To fix the old problem, server-based security products would trace the IP address of the server behind the domain. Once the IP address resolved the misspelled domain name, the products would then compare the IP address against a database of known fraudulent sites or questionable locations. So if a site were masquerading as eBay but the filters found it was really a server in China that had only been established one week earlier, it would block access.

In the case of Yahoo, security firm Finjan said hackers exploited an unused IP address within Yahoo's hierarchy and used that as the domain address behind a forged Google Analytics domain name. This fooled the Web-filtering products into believing a person was going to a highly trusted Yahoo domain. The victims never knew they were on a malicious Web site, and neither did the security mechanisms on the network.

"They managed to resolve the domain name to an IP address owned by Yahoo. How they added an address into a DNS server to appear to be an IP address owned by Yahoo is unknown," Yuval Ben-Itzhak, CTO of Finjan, told InternetNews.com. He added that Yahoo, while responsive and quick to shut down the compromised address, did not disclose exactly what equipment was behind the compromised IP address.

Ben-Itzhak thinks something in the server was broken that enabled the bad guys to push that content down to users without Yahoo knowing. He said that's a flaw in social networks.

"In 2007, something very clear has come out: these Web 2.0 sites are great fun but also a great platform for hackers to host malicious code as well," said Ben-Itzhak. "You can upload anything you like, so you can upload malicious content, as well. On MySpace we found hundreds of pages with malicious code this year."

Ben-Itzhak said server-based security is still the primary mode of defense but also recommended browser plug-ins, such as Finjan's SecureBrowsing or Exploit Prevention Labs' LinkScanner, both of which scan the actual content coming over the wire from a site and alert the user if it's suspicious.