Massive domain hijacking at registrar Gandi
July 14, 2017
We just learned this morning that more than 750 domain names were hijacked through the Web's own systems, domain registrar Gandi has admitted.
Late last week, an unknown individual managed to get hold of the company's login credentials for one of its main technical providers, a connection that in turn reaches no fewer than 27 other top-level domains, including .asia, .au, .ch, .jp and .se.
Using that same login, the attacker then changed the domain details held on the official nameservers for 751 domains across a range of top-level domains, redirecting them all to a single website serving malware.
Incredibly, the changes went unnoticed for four hours, until one of the registry operators reported the suspicious changes to management.
Within about an hour and a half, Gandi's technical team identified the issue, changed all the login credentials and started the huge task of reverting the changes, a process that took almost four hours.
Taking into account the various delays in propagating updated DNS information, the domain names had been hijacked for anywhere between 8 and 11 hours, Gandi's management admits.
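Two details in the account above are worth making concrete: the changes went unnoticed until a human at a registry happened to spot them, and the real exposure window was longer than the time the bad records were live because resolvers cache delegation data for the record's TTL. The following is an added example, not code from the original article, from Gandi or from SCRT. It compares the nameserver set observed for each domain (in the shape `dig +short NS` prints) against a stored baseline and flags any drift, and it computes the worst-case exposure window as the time between change and revert plus the delegation TTL. Every domain name, nameserver host and timestamp in it is a constructed placeholder.

```python
"""Nameserver-drift check and exposure-window estimate (added example)."""
from dataclasses import dataclass
from datetime import datetime

# Constructed baseline: the NS set each domain is supposed to delegate to.
# The hostnames are placeholders, not any registrar's or registry's real servers.
EXPECTED_NS = {
    "example.ch": {"ns1.example-dns.net", "ns2.example-dns.net"},
    "example.se": {"ns1.example-dns.net", "ns2.example-dns.net"},
    "example.jp": {"ns1.example-dns.net", "ns2.example-dns.net"},
}

# Constructed observations in the format `dig +short NS <domain>` prints:
# one hostname per line with a trailing dot. example.se has been repointed.
OBSERVED_RAW = {
    "example.ch": "ns1.example-dns.net.\nns2.example-dns.net.\n",
    "example.se": "ns-a.rogue-placeholder.invalid.\nns-b.rogue-placeholder.invalid.\n",
    "example.jp": "NS2.Example-DNS.net.\nns1.example-dns.net.\n",  # same set, different case/order
}


def parse_ns_answer(raw: str) -> set[str]:
    """Normalise dig-style NS output: drop blanks, trailing dots and case."""
    return {
        line.strip().rstrip(".").lower()
        for line in raw.splitlines()
        if line.strip()
    }


@dataclass(frozen=True)
class Finding:
    """One domain whose delegation no longer matches the baseline."""
    domain: str
    added: frozenset[str]    # nameservers present now but not in the baseline
    removed: frozenset[str]  # baseline nameservers that have disappeared


def check_ns_drift(expected: dict[str, set[str]],
                   observed_raw: dict[str, str]) -> list[Finding]:
    """Return a Finding for every domain whose observed NS set differs
    from the expected one. An empty answer counts as all servers removed."""
    findings = []
    for domain, expected_set in sorted(expected.items()):
        observed = parse_ns_answer(observed_raw.get(domain, ""))
        added = observed - expected_set
        removed = expected_set - observed
        if added or removed:
            findings.append(Finding(domain, frozenset(added), frozenset(removed)))
    return findings


def exposure_window_hours(changed_at_iso: str, reverted_at_iso: str,
                          delegation_ttl_seconds: int) -> float:
    """Upper bound, in hours, on how long resolvers may have served the
    hijacked delegation: the time the bad records were live, plus the TTL
    a resolver that cached them just before the revert would honour."""
    changed = datetime.fromisoformat(changed_at_iso)
    reverted = datetime.fromisoformat(reverted_at_iso)
    live_seconds = (reverted - changed).total_seconds()
    return (live_seconds + delegation_ttl_seconds) / 3600


if __name__ == "__main__":
    for f in check_ns_drift(EXPECTED_NS, OBSERVED_RAW):
        print(f"DRIFT {f.domain}: added={sorted(f.added)} removed={sorted(f.removed)}")
    # Constructed timeline: records changed at noon, reverted 9.5 h later,
    # delegation TTL of one hour.
    hours = exposure_window_hours("2017-07-07T12:00", "2017-07-07T21:30", 3600)
    print(f"worst-case exposure: {hours:.1f} h")
```

Run on a schedule against the baseline a domain owner or registrar keeps, a check like this turns a delegation change into an alert within one polling interval rather than waiting for a third party to notice. The TTL term is what separates "the records were wrong for N hours" from "some users could still reach the wrong site for N hours plus the TTL".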
Ironically, one website impacted by the attack was Swiss information security company SCRT, which has written a blog post about the hijack on its website.
Gandi said that all of its emails were also redirected during the attack. The company said that "despite the fact that this incident was entirely out of our control," it has since added extra security around its website and DNS, including:
Gandi meanwhile has since reset all its logins and has launched a security audit of its entire infrastructure in an effort to determine how its logins were stolen in the first place.
"We apologize that this incident occurred," said its report. "Please be assured that our priority remains on the security of your data and that we will continue to protect your security and privacy."
The security breach comes in the same week that a botched back-end handover of the .io top-level domain enabled a security researcher to register four of the seven domain names acting as the nameservers for the registry, which could potentially have redirected tens of thousands of domains to a malicious website.