Hackers try to hijack Facebook, other high profile domains through domain registrar

Some registration information for facebook.com was changed, but the domain was not redirected to an unauthorized server

The Syrian Electronic Army (SEA), a group of hackers who have made a habit of hijacking high-profile domain names, managed to change the domain registration information for Facebook.com, but failed to redirect the domain to a different server.

The hackers posted screen shots Thursday on Twitter from what appeared to be the administration panel of a San Francisco-based company called MarkMonitor that manages domain names on behalf of large enterprises. The company's services focus on online brand protection and anticounterfeiting.

MarkMonitor's domain management service "ensures domains are safe with a 'hardened' portal and a full suite of premium security solutions, including advanced security measures at the registrar level -- and, security services to lock domains down to the registry level," the company's website says.

It seems that SEA targeted MarkMonitor in order to attack Facebook in particular as the company celebrated its 10th anniversary Tuesday. The group used the MarkMonitor control panel to modify the WHOIS information for facebook.com, changing the domain's contact address to Damascus, Syria.

The hackers failed to modify the domain's DNS (domain name system) settings and point the website to a server under their control, as they did in the past with the domain names of other companies. That's because facebook.com has a registry lock in place, a feature that requires additional human-based verification at the registry level for making changes to a domain name. The registry for the .com TLD zone is VeriSign.

It's not clear how SEA obtained access to the MarkMonitor control panel, but from other screen shots published by the hackers, the panel also gave them access to the domain names of Amazon, Google, Yahoo and many other well-known companies from different industries.

Domain whois queries for amazon.com, google.com and yahoo.com all show MarkMonitor as the registrar, but like facebook.com, all of those domain names have the "clientUpdateProhibited" flag, which indicates the presence of a registry lock. This means SEA wouldn't have been able to hijack those domain names either.
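A check along the lines of the whois lookups described above, as an added example that is not part of the original article: it parses raw WHOIS output for EPP prohibit statuses and reports registrar-set `client*` codes separately from registry-set `server*` codes (RFC 5731). The two WHOIS records are constructed samples and the function names are hypothetical.

```python
import re

# EPP status codes (RFC 5731): "client*" is set by the registrar,
# "server*" by the registry. These actions are the ones a hijack relies on.
ACTIONS = ("UpdateProhibited", "TransferProhibited", "DeleteProhibited")
STATUS_RE = re.compile(r"^\s*(?:Domain )?Status:\s*([A-Za-z]+)", re.I | re.M)

def parse_statuses(whois_text):
    """Return the lower-cased EPP status codes found in raw WHOIS output."""
    return {m.group(1).lower() for m in STATUS_RE.finditer(whois_text)}

def audit(whois_text):
    """Report which prohibit flags are set at each level and which are absent."""
    found = parse_statuses(whois_text)
    report = {"client": [], "server": [], "missing": []}
    for action in ACTIONS:
        hit = False
        for level in ("client", "server"):
            if (level + action).lower() in found:
                report[level].append(level + action)
                hit = True
        if not hit:
            report["missing"].append(action)
    # True when an update prohibition exists at either level.
    report["update_locked"] = "UpdateProhibited" not in report["missing"]
    return report

# Constructed sample: every prohibit flag set at both levels.
LOCKED = """Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""

# Constructed sample: only a transfer prohibition, in the older "Status:" layout.
UNLOCKED = """Domain Name: EXAMPLE.NET
   Status: clientTransferProhibited
"""

if __name__ == "__main__":
    for name, text in (("example.com", LOCKED), ("example.net", UNLOCKED)):
        print(name, audit(text))
```
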

MarkMonitor, which is owned by Thomson Reuters, did not immediately respond to an inquiry seeking more information about the attack.

Facebook declined to comment, but its domain's whois information was quickly corrected following the incident.

SEA's modus operandi involves launching spear phishing attacks against employees of the companies they target in order to obtain sensitive credentials. Spear phishing is a targeted form of phishing, which involves tricking people into divulging their login information or installing malicious software.

In August the hacker group used phishing to compromise a reseller account at an Australian domain registrar and IT services company called Melbourne IT. The hackers used the account to change the name server records for several domains including nytimes.com, sharethis.com, huffingtonpost.co.uk, twitter.co.uk and twimg.com.

Last month they managed to post rogue messages on the official Microsoft and Office blog sites after first gaining access to the email accounts of some of the company's employees.

SEA normally hijacks domain names in order to deface the websites they target and display pro-Syria messages to their visitors, as the group publicly supports Syrian President Bashar al-Assad and his government. However, this kind of attack can also be used for more nefarious purposes. Instead of political messages, attackers could display a phishing page to steal user credentials or serve exploits to infect computers with malware.

Security experts have repeatedly advised companies to protect their domain names by putting registry locks in place for them. VeriSign offers this service for domain names in the .com, .net, .tv, .cc and .name TLD zones.


Lucian Constantin

IDG News Service