Mass domain hijack leaves Reg reader angry with 123-Reg

'I had to sort everything by myself' alleges irate chap

Using blade systems to cut costs and sharpen efficiencies

Updated A customer of domain name and web hosting provider 123-reg blames the firm for a domain hack that redirected surfers to malicious sites pushing a ransomware scam.

The problem was compounded, according to the aggrieved customer, when 123-reg support staff purportedly forgot to tell the customer when they found that the account had been compromised. He alleges they made matters worse by consistently ignoring support requests.

The customer's main sites were hosted with 123-reg’s partner company WebFusion. The person involved, who wishes to remain anonymous, first approached this hosting provider before he eventually realised 123-reg was at the centre of the problem, some days later. 123-reg and WebFusion are both owned by Host Europe Group.

“I went round in circles for three days,” the customer told El Reg. "WebFusion’s techs were telling me that there was nothing wrong, but I kept getting notifications that other sites were also hit. When I asked them to run a low-level scan on the server they simply sent me a link to a site on how to learn Linux.”

Clients of the customer alerted him that their domains were being redirected to a ransomware site on 21 January. Surfers who attempted to visit the affected sites were served malicious code which locked their browsers and falsely warned them they had been caught downloading images of child abuse, in an attempt to extort them into paying a "fine".

Luckily no malicious code was pushed directly into visitors' machines and the browser lock-up problem could be resolved by the judicious use of control-alt-delete.

DNS settings malfeasance

After scanning his servers for malware, the customer drew a blank – but was eventually able to narrow down the cause of the problem to DNS settings manipulation.

"My original thought was that this was a problem with my Webfusion servers. It was only when I received an email reporting an issue on a domain I’ve not created a website for that I realised this was an issue with my domain name registrar," he explained.

“All 120+ domain names had been set to auto-expire; half were redirected to spurious locations and more than a third had compromised DNS, with additional DNS redirects to these ransom sites. I had to go through every single account, one by one, and check every setting. 123-reg, while trying to be helpful, didn’t do a thing.”

The problem was eventually resolved on 24 January but the customer was left dissatisfied by the whole incident, and in particular 123-reg's handling of the problem.

The dodgy domains promoted through the scam were of the form abuse-police(dot)domain(dot)com.

In response to queries from El Reg on the matter, 123-reg spokespersons have stated that the company can't as yet release details of its own internal probe into the matter as it has not received the permission of the customer to do that. However the company did say:

What we can confirm is at this point all indications are that 123-reg has had no compromise of its systems – but they are working to fully verify this. It appears the accountholder's security has been compromised but not through 123-reg’s systems.

123-reg has had related problems in the past. A security hole within 123-reg's management console resulted in the hijacking of 300 domains back in 2012, a problem exclusively revealed by The Reg in March 2013. That problem was eventually tracked down to an open account control panel that had allowed changes to be made without adequate authentication.

Nominet subsequently told us three other registrars had also been affected.

Traffic hijacking

Fraser Howard, a senior virus researcher at UK-based security firm SophosLabs, was able to confirm that the dodgy domains prompted through the scam, and ones like them, were receiving a lot of traffic over the relevant period in January. Sophos wasn't able to say where the traffic originated from.

It might well be that customers of other domain registrars were also affected. All Sophos is able to say for sure is that the scam generated plenty of traffic and the malware involved was among the five most common strains it detected over the relevant period in late January.

"This IS something we have seen. In quite high volume in fact," Howard told El Reg by email.

"Numerous other sites have been similarly affected - or more specifically, DNS settings for such sites have been affected," Howard told El Reg. "I can confirm that the target of the 'traffic hijack' is a malicious web page designed to 'lock' your browser. Sophos detects this malicious HTML/JS as Troj/Ransom-AFD.

"The page contains the typical social engineering intended to trick the user into paying up. For example, claiming to be FBI and have detected child pornography on the machine. Lo and behold, there is a form for the user to make a payment via MoneyPak," Howard added.

The same scam is still ongoing albeit to a lesser extent than in the second half of January, when it hit a peak.

"We are still seeing detections of Troj/Ransom-AFD in customer feedback to this day,” Howard explains. "During the second half of January, Troj/Ransom-AFD was the fifth most prevalent web threat we detected on customer endpoints.

"Curiously, earlier in January, between approx. January 8-20, we were seeing the same attacks, but using outright evil domains, registered for the purpose. [This used] exactly same type of attack - HTML/JS to lock the browser - but using what appears to be throwaway freshly registered dot com registrations. All using subdomain strings to try and make it appear believable," he added.

In some cases, the user is not redirected to ransomware page but a porn site instead.

"Hacking customer DNS settings is done in order to evade reputation filtering technologies. It is not new”, Fraser concluded. Attacks using similar methods date back to at least late 2012.

'Alert police' ransomware

The 123-reg customer seems to have fallen victim to a type of DNS setting manipulation attack that Fraser suspects was carried out using compromised passwords.

"Understanding how the customer accounts were compromised such that DNS settings were updated would be useful. Compromised passwords perhaps? Users need to realise that their DNS config is the key to the kingdom, and as such should be well secured."

The affected 123-reg customer has changed all the passwords for the sites he administers but is still concerned, in the absence of a clear explanation of what happened, about what other steps he might need to take to prevent a repetition of the attack.

Net security firm Malwarebytes also witnessed "Alert-police" ransomware scams in action over recent days.

"'Alert-police' has shown up in a number of different URLs over the last few days, and they seem to follow a similar pattern to the above, so there's a good chance they're all related," Chris Boyd, malware intelligence analyst at Malwarebytes, told El Reg.

Malwarebytes has not seen the domains mentioned by the 123-reg customer in action – El Reg's understanding is that these have been shown the red card – but it does have some theories on how the attack might have been pulled off.

"It's possible the attackers have gone down the typical route of social engineering the registrar or used a targeted malware attack to gain access to various credentials," Boyd explained.

"This seems to be a fairly standard ransomware campaign - IPs tied to the Russian Federation, potentially compromised URLs mixed in with custom built sites and geographically targeted scare pages," he added. ®

Updated to Add

Since publication of this piece, 123-reg representatives have been in touch with further details. We reproduce their email here in part (verbatim except where noted):

We seek a public redress for the misleading article you published, which [is] potentially damaging to our brand and reputation ...

The allegation that 123-reg was to blame for a customers’ account being compromised is incorrect.

We have evidence to show that the customers’ password was used to access the account and change the settings on it ...

The customer alleged that his account was blocked – we would like to clarify that this did happen at the point we were made aware there was a problem. Our fraud team do this automatically until we can establish why such a compromise has occurred and in the interests of protecting our network. The customer in this instance now has full and complete access to his account ...

We look forward to seeing your published acknowledgement of this piece and our statement in line with this as per the above.

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.