Alao25
11-26-2007, 12:58 AM
Hackers Abuse Domain-Name Trust--Shanghai IDC Network Information Technology Co., Ltd
Domain name news brought to you by Shanghai IDC Network Information Technology Co., Ltd
Using variations on trusted, popular domains has long been a common tactic for scammers,
spammers and porn sites. But cyber criminals have devised a new twist on the misspelled domain-
name trick by hijacking IP addresses. And they tried it on Yahoo.
To fix the old problem, server-based security products would trace the IP address of the server
behind the domain. Once the IP address resolved the misspelled domain name, the products would
then compare the IP address against a database of known fraudulent sites or questionable
locations. So if a site were masquerading as eBay but the filters found it was really a server
in China that had only been established one week earlier, it would block access.
In the case of Yahoo, security firm Finjan said hackers exploited an unused IP address within
Yahoo's hierarchy and used that as the domain address behind a forged Google Analytics domain
name. This fooled the Web-filtering products into believing a person was going to a highly
trusted Yahoo domain. The victims never knew they were on a malicious Web site, and neither did
the security mechanisms on the network.
"They managed to resolve the domain name to an IP address owned by Yahoo. How they added an
address into a DNS server to appear to be an IP address owned by Yahoo is unknown," Yuval Ben-
Itzhak, CTO of Finjan, told InternetNews.com. He added that Yahoo, while responsive and quick to
shut down the compromised address, did not disclose exactly what equipment was behind the
compromised IP address.
Ben-Itzhak thinks something in the server was broken that enabled the bad guys to push that
content down to users without Yahoo knowing. He said that's a flaw in social networks.
"In 2007, something very clear has come out: these Web 2.0 sites are great fun but also a great
platform for hackers to host malicious code as well," said Ben-Itzhak. "You can upload anything
you like, so you can upload malicious content, as well. On MySpace we found hundreds of pages
with malicious code this year."
Ben-Itzhak said server-based security is still the primary mode of defense but also recommended
browser plug-ins, such as Finjan's SecureBrowsing or Exploit Prevention Labs' LinkScanner, both
of which scan the actual content coming over the wire from a site and alert the user if it's
suspicious.
Domain name news brought to you by Shanghai IDC Network Information Technology Co., Ltd
Using variations on trusted, popular domains has long been a common tactic for scammers,
spammers and porn sites. But cyber criminals have devised a new twist on the misspelled domain-
name trick by hijacking IP addresses. And they tried it on Yahoo.
To fix the old problem, server-based security products would trace the IP address of the server
behind the domain. Once the IP address resolved the misspelled domain name, the products would
then compare the IP address against a database of known fraudulent sites or questionable
locations. So if a site were masquerading as eBay but the filters found it was really a server
in China that had only been established one week earlier, it would block access.
In the case of Yahoo, security firm Finjan said hackers exploited an unused IP address within
Yahoo's hierarchy and used that as the domain address behind a forged Google Analytics domain
name. This fooled the Web-filtering products into believing a person was going to a highly
trusted Yahoo domain. The victims never knew they were on a malicious Web site, and neither did
the security mechanisms on the network.
"They managed to resolve the domain name to an IP address owned by Yahoo. How they added an
address into a DNS server to appear to be an IP address owned by Yahoo is unknown," Yuval Ben-
Itzhak, CTO of Finjan, told InternetNews.com. He added that Yahoo, while responsive and quick to
shut down the compromised address, did not disclose exactly what equipment was behind the
compromised IP address.
Ben-Itzhak thinks something in the server was broken that enabled the bad guys to push that
content down to users without Yahoo knowing. He said that's a flaw in social networks.
"In 2007, something very clear has come out: these Web 2.0 sites are great fun but also a great
platform for hackers to host malicious code as well," said Ben-Itzhak. "You can upload anything
you like, so you can upload malicious content, as well. On MySpace we found hundreds of pages
with malicious code this year."
Ben-Itzhak said server-based security is still the primary mode of defense but also recommended
browser plug-ins, such as Finjan's SecureBrowsing or Exploit Prevention Labs' LinkScanner, both
of which scan the actual content coming over the wire from a site and alert the user if it's
suspicious.