Oct 13 2013
I’m going to ignore the whole question of whether or not social engineering is ‘hacking’ for now. The difference between the two is mostly academic, since the effect of having your site hacked due to a weakness in the code and having all your traffic redirected to a site that the bad guys own is immaterial. Either way, your company is effectively serving up something other than the page you intended, which is what really matters.
There have been a number of high profile sites that have recently been attacked through their DNS registrar. Registrars are the companies who are responsible for keeping track of who owns which domains and providing the base DNS information for where to find the systems associated with a domain. In theory, they’re supposed to be some of the most heavily defended type of enterprise on the Internet. But the practice is different from theory, and even registrars have their weaknesses. In the case of Register.com, this appears to be social engineering attacks.
The latest victims of social engineering attacks were Rapid7 and the Metasploit project, as were AVG Antivirus, Avira and WhatsApp. What’s almost funny about the latest attack is that the attackers had to send a fax in as part of the change request to make the changes. To think that a technology that had it’s heyday in the 80’s would be the method used to attack companies in the second decade of the 21st century is amusing. Hopefully Register.com has already begun reviewing their processes to prevent a similar event from happening again in the future. And, again hopefully, other registrars are learning from the mistakes of Register.com and reevaluating their own processes.
There is something companies can do to lessen the chance of a similar attack happening to them, called a registrar lock. This isn’t a step a lot of companies have taken yet, since it slows down the change process by requiring the administrator to first unlock the domain before making any changes, a step that has varying complexity depending on the registrar. Also, not all registrars support locking, so this isn’t always an available option. If your registrar doesn’t support registrar locking, it’s time to push for it or consider a new registrar. That last part usually gets their attention.
I do understand the pressure the registrars are under; on one hand they have to secure their clients’ DNS records, but on the other they have to be flexible for clients who have a hard time understanding the basics of DNS. It’s not an enviable position to be in. Which is why registrars have to work harder to prepare for social engineering attacks than most other businesses out there. But understanding the pressure doesn’t mean I cut them any slack for failing in their duty.
Update: Add two more to the compromised list, Bitdefender and ESET. And again Register.com is the common point of weakness.