Hackers try to hijack Facebook, other high profile domains through domain registrar

Some registration information for facebook.com was changed, but the domain was not redirected to an unauthorized server

The Syrian Electronic Army (SEA), a group of hackers who have made a habit of hijacking high-profile domain names, managed to change the domain registration information for Facebook.com, but failed to redirect the domain to a different server.

The hackers posted screen shots Thursday on Twitter from what appeared to be the administration panel of a San Francisco-based company called MarkMonitor that manages domain names on behalf of large enterprises. The company's services focus on online brand protection and anticounterfeiting.

MarkMonitor's domain management service "ensures domains are safe with a 'hardened' portal and a full suite of premium security solutions, including advanced security measures at the registrar level -- and, security services to lock domains down to the registry level," the company's website says.

It seems that SEA targeted MarkMonitor in order to attack Facebook in particular as the company celebrated its 10th anniversary Tuesday. The group used the MarkMonitor control panel to modify the WHOIS information for facebook.com, changing the domain's contact address to Damscus, Syria.

The hackers failed to modify the domain's DNS (domain name system) settings and point the website to a server under their control, as they did in the past with the domain names of other companies. That's because facebook.com has a registry lock in place, a feature that requires additional human-based verification at the registry level for making changes to a domain name. The registry for the .com TLD zone is VeriSign.

It's not clear how SEA obtained access to the MarkMonitor control panel, but from other screen shots published by the hackers, the panel also gave them access to the domain names of Amazon, Google, Yahoo and many other well-known companies from different industries.

Domain whois queries for amazon.com, google.com and yahoo.com all show MarkMonitor as the registrar, but like facebook.com, all of those domain name have the "clientUpdateProhibited" flag which indicates the presence of a registry lock. This means SEA wouldn't have been able to hijack those domain names either.

MarkMonitor, which is owned by Thomson Reuters, did not immediately respond to an inquiry seeking more information about the attack.

Facebook declined to comment, but its domain's whois information was quickly corrected following the incident.

SEA's modus operandi involves launching spear phishing attacks against employees of the companies they target in order to obtain sensitive credentials. Spear phishing is a targeted form of phishing, which involves tricking people into divulging their login information or installing malicious software.

In August the hacker group used phishing to compromise a reseller account at an Australian domain registrar and IT services company called Melbourne IT. The hackers used the account to change the name server records for several domains including nytimes.com, sharethis.com, huffingtonpost.co.uk, twitter.co.uk and twimg.com.

Last month they managed to post rogue messages on the official Microsoft and Office blog sites after first gaining access to the email accounts of some of the company's employees.

SEA normally hijacks domain names in order to deface the websites they target and display pro-Syria messages to their visitors, as group publicly supports Syrian President Bashar al-Assad and his government. However, this kind of attack can also be used for more nefarious purposes. Instead of political messages, attackers could display a phishing page to steal user credentials or serve exploits to infect computers with malware.

Security experts repeatedly advised companies to protect their domain names by putting registry locks in place for them. VeriSign offers this service for domain names in the .com, .net, .tv, .cc and .name TLD zones.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags GoogleFacebookYahooamazononline safetyintrusionVeriSignThomson ReutersAccess control and authenticationMarkMonitor

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Lucian Constantin

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?