
Want To Hijack a Domain? Just Get a Fax Machine

Posted by Soulskill
from the why-are-fax-machines-still-a-thing dept.
msm1267 writes "Metasploit's HD Moore says hackers sent a spoofed DNS change request via fax to Register.com that the registrar accepted, leading to a DNS hijacking attack against the Metasploit and Rapid7 websites. The two respective homepages were defaced with a message left by the same hacker collective that claimed responsibility for a similar DNS attack against Network Solutions. Rapid7 said the two sites' DNS records have been locked down and they are investigating."

  • Really by fax? (Score:4, Interesting)

    by yakatz (1176317) on Friday October 11, 2013 @01:19PM (#45102999) Homepage Journal
    The only evidence actually quoted that the attack was by faxed change request is the defaced website. Do we trust the "hackers" that much that we believe they made the change by sending a fax? Could the group be giving a red herring [wikipedia.org]?
  • by Tridus (79566) on Friday October 11, 2013 @01:59PM (#45103413) Homepage

    I had to do this recently for a legitimate reason. A friend had bought a small hobby type operation (including the domain), but the old owner forgot to change the domain ownership over and dropped off the grid. It wasn't really a problem until we wanted to change hosting providers, at which point we couldn't update the DNS settings.

    Since we actually had control of the domain, I used the account that was listed as the admin contact to send an email to the registrar explaining the situation and asking if they could change the info for us. Without any validation whatsoever they sent me the username and password (apparently stored in clear text) for the account, allowing me to do anything I wanted with it.

    Thankfully I don't use that registrar for my own stuff. I expected at least to have to show some proof of ownership or something.

  • by nine-times (778537) <nine.times@gmail.com> on Friday October 11, 2013 @02:40PM (#45103779) Homepage

    Honestly, it does work a lot. I work in IT and have had to help clients get control of various kinds of accounts to which they have lost usernames, passwords, and other vital information. You know, things like, "A previous employee bought our domain name and set up the DNS for us using his personal account. His name is on the account. We don't know what the associated email address is. We certainly don't have the password. We've tried contacting this ex-employee, and found that his phone number doesn't work anymore."

    And really, you'd be surprised what you can get if you call up, sound professional and honest, and just ask people to help you out. Domain registrations are generally kind of a pain in the butt, but even those usually just require some faxed documentation. I've had some accounts (not domain registrations) where the support basically said, "Oh, you're supposed to have access? Let me just reset the password for you." It's pretty disturbing. But then I also legitimately need to do this sort of thing all the time because businesses rarely pay any attention to these things.
