JPCERT-AT-2014-0044
JPCERT/CC
2014-11-05
<<< JPCERT/CC Alert 2014-11-05 >>>
Alert on domain name hijacking by altering registration information
https://www.jpcert.or.jp/english/at/2014/at140043.html
I. Overview
JPCERT/CC has received multiple incident reports related to domain
name hijacking of .com domain names used by domestic organizations
through the altering of registration information.
Effects of domain name hijacking through the altering of registration
information for the domain name (herein, registration information) have
been confirmed. For example, the name resolution when a user attempts to
visit the website results in accessing an unintended IP address where an
attacker has prepared a server.
Systems that provide services using domain names, such as websites may
be affected by this domain hijacking attack through the altering of
registration information. In order to minimize the effects of an attack,
please consider the following solutions and workarounds.
II. Affected Systems
This alert is targeted towards domain name registrants and domain name
administrators.
III. Attack Method
We have not determined the root cause for all of the incidents received,
but it is believed that one of the four methods below were used for the
attack.
(1) Alter the registration information at the registrar by impersonating
the domain name registrant or domain name administrator
(2) Alter the registration information at the registrar by leveraging a
vulnerability in the registrar system
(3) Alter the registration information at the registry by impersonating
the registrar
(4) Alter the registration information at the registry by leveraging a
vulnerability in the registry system
IV. Solution
A solution for attack method (1) is to ensure that domain name registrants
and domain name administrators the ID / password and other authentication
information for maintaining registration information is stored safely so
that it cannot be used by a third party.
Attack methods (2), (3) and (4) are portions that are maintained by the
registrar or registry which is out of scope for this alert. Please consider
the following workaround in conjunction with any solutions.
V. Workarounds
Please consider the following workarounds so that you are able to detect
and handle any incidents related to registration information being altered
for any domains that are being maintained:
- Use the 'whois' command periodically to check if the registration
information, such as name server information is correctly configured
- Make sure that you have the registrar's contact information on hand
in the case of a registration information alteration incident
(*) JPCERT/CC has confirmed that altered registration information was
corrected within 1 - 2 days.
VI. References
Japan Registry Services Co., Ltd (JPRS)
(Critical) Domain name hijacking through registration information alteration and its solution
http://jprs.jp/tech/security/2014-11-05-unauthorized-update-of-registration-information.html
Japan Registry Services Co., Ltd (JPRS)
Supplement: Domain name hijacking through registration information alteration and its solution
http://jprs.jp/tech/security/2014-11-05-unauthorized-update-of-registration-information.pdf
If you are able to provide any information related to this alert,
please contact us.
Also, if you are able to provide any attack related information, please
report this to us through our Web form or via e-mail.
Web Form: https://form.jpcert.or.jp/
E-mail: info@jpcert.or.jp
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
Top