Hoaxes ‘abused’ security weakness, researchers say

The Charlotte Observer (Sunday) - By Tim Johnson, tjohn[email protected]clatchydc.com, 202-383-6028, @timjohnson4

A bomb threat hoax that mobilized police departments across the country last month took advantage of an obscure security weakness at web hosting and domain registry services like GoDaddy.com, researchers say.

The weakness allowed spammers to obscure the origins of thousands of extortion emails they sent out as part of the hoax campaign, said Ronald Guilmette, a veteran spam researcher based near Sacramento.

GoDaddy acknowledged in a statement sent to McClatchy that hackers had “abused” its service, and said employees had “identified a fix and are taking corrective action immediately.”

Other computer experts backed up Guilmette’s findings and noted that GoDaddy was an unintentional conduit for the bomb hoax campaign, which appears to have originated in Russia, and that a couple of other small companies also were abused by spammers.

The security weakness allowed spammers to hijack dormant domain names of Fortune 500 companies, institutions, universities and other entities hosted by companies like GoDaddy.com and send their spam using those domains, passing through spam filters that give a green light to email from trusted owners, Guilmette found.

He tracked the bomb hoax spam emails and found the vast majority moved through 3,971 websites – or domains – primarily at GoDaddy, a Scottsdale, Ariz., company that is also the world’s largest registrar of domain names, with more than 40 million such names under management.

The extortionists sent out thousands of emails Dec. 13 demanding $20,000 in bitcoin in order to deactivate what they said were bombs placed in the premises of the recipients.

In dozens of cities – including San Francisco, Chicago, Miami, St. Louis and Boston – emergency personnel swarmed in response to the bomb threats, ordering building closures and lockdowns. Police swept buildings at Penn State and the University of Washington, and executives evacuated newsrooms, including at The News and Observer in Raleigh, N.C.

The threats cascaded to other areas, including Canada, New Zealand, Australia and Hong Kong.

Guilmette said he began tracking the path of the spam emails after learning of them Dec. 13 and immediately saw that the extortionists had gained control of dormant web addresses originally obtained by recognizable entities, like Massachusetts Institute of Technology and Yale University, Expedia, US Steel, Mastercard, Warner Brothers Entertainment and even from the Church of Scientology.

“None of these companies is guilty of anything but leaving these old domain names dangling,” Guilmette said, adding that in nearly all cases the domains had been registered years earlier but were unused.

Through a vulnerability in the authentication and verification process used in domain controls, the hackers were able to commandeer unused domains and point them at servers of their own choosing, so that traffic and mail for those domains no longer went where the legitimate owners intended.

“They were pointed at IP addresses located on various Russian networks,” Guilmette said, referring to the internet protocol system for routing internet traffic. The vast majority pointed at sites registered by reg.ru, the largest Russian domain registrar.
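The hijack described above only works because the victim organizations had registered domains, delegated them to a hosting provider, and then forgotten them; once the hijackers attached DNS records of their own, mail from those domains inherited the owners' reputation. The following is an added example, not from the article and not code from Guilmette, GoDaddy or any company named here: an offline audit of a domain inventory that flags the states the article describes (a delegated domain that publishes no records at all, A records pointing outside the organization's own address space, unexpected mail records, and SPF records that authorize outside senders). DNS data is passed in as constructed sample records rather than live lookups, and the netblock, hostnames and domain names are placeholders.

```python
"""Audit a domain inventory for dangling or hijacked DNS (added example, not the article's code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class DomainRecord:
    """DNS state of one registered domain, as a resolver run would report it (here constructed)."""
    name: str
    nameservers: list[str] = field(default_factory=list)
    a_records: list[str] = field(default_factory=list)
    mx_records: list[str] = field(default_factory=list)
    txt_records: list[str] = field(default_factory=list)
    expects_mail: bool = False  # does the organization actually send mail from this domain?


# Placeholder for "our" address space (RFC 5737 TEST-NET-3); an assumption for the example.
OUR_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]


def _in_netblocks(ip: str, netblocks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in netblocks)


def spf_permits_outside(txt_records, netblocks) -> list[str]:
    """Return the SPF terms that authorize senders outside our netblocks.

    Flags ip4:/ip6: ranges that are not a subnet of our space and an unqualified
    or "+" qualified "all" (which lets anyone send); "-all" and "~all" are fine.
    """
    bad = []
    for txt in txt_records:
        if not txt.lower().startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            mech = term.lstrip("+")
            if mech == "all" and not term.startswith(("-", "~")):
                bad.append(term)
            elif mech.startswith(("ip4:", "ip6:")):
                net = ipaddress.ip_network(mech.split(":", 1)[1], strict=False)
                same_family = [ours for ours in netblocks if ours.version == net.version]
                if not any(net.subnet_of(ours) for ours in same_family):
                    bad.append(term)
    return bad


def audit(rec: DomainRecord, netblocks=OUR_NETBLOCKS) -> list[str]:
    """Findings for one domain; an empty list means nothing suspicious."""
    findings = []
    if not rec.a_records and not rec.mx_records:
        # Registered and delegated but serving nothing: the "left dangling" state.
        ns = ", ".join(rec.nameservers) or "(no delegation)"
        findings.append(f"dormant: no A or MX records; delegated to {ns}")
    for ip in rec.a_records:
        if not _in_netblocks(ip, netblocks):
            findings.append(f"A record {ip} points outside our netblocks")
    if rec.mx_records and not rec.expects_mail:
        findings.append(f"unexpected MX for a domain we do not send mail from: {', '.join(rec.mx_records)}")
    for term in spf_permits_outside(rec.txt_records, netblocks):
        findings.append(f"SPF term '{term}' authorizes senders outside our netblocks")
    return findings


def audit_inventory(records, netblocks=OUR_NETBLOCKS) -> dict[str, list[str]]:
    return {r.name: audit(r, netblocks) for r in records}


# Constructed sample inventory: one healthy domain, one forgotten-but-empty domain,
# and one that now carries records the organization never published.
SAMPLE_INVENTORY = [
    DomainRecord("corp.example", ["ns1.corp.example"], ["203.0.113.10"], ["mail.corp.example"],
                 ["v=spf1 ip4:203.0.113.0/24 -all"], expects_mail=True),
    DomainRecord("parked-2011-campaign.example", ["ns1.hosting-provider.example"]),
    DomainRecord("old-brand.example", ["ns1.hosting-provider.example"], ["198.51.100.7"],
                 ["mx.hosting-provider.example"], ["v=spf1 ip4:198.51.100.0/24 +all"]),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

In practice the resolver output would come from a scheduled zone/whois inventory job; the useful signal is the diff between runs, since a domain that was "dormant" last week and now has MX and SPF records is the exact transition described in the article.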

Given the Russian angle, Guilmette nicknamed the extortion group Spammy Bear, echoing the names Cozy Bear and Fancy Bear given to two major hacking teams linked to Russian security services or military units that interfered in the 2016 U.S. presidential campaign.

GoDaddy spokesman Dan Race didn’t say precisely how hackers took advantage of the company’s dormant domains, only that no customer information was exposed.

According to Guilmette, a tiny percentage of the spam emails moved through domains hosted by two smaller U.S. domain name providers, Cincinnati-based NetDorm Inc., and Reprise Hosting, which lists a post office box in Las Vegas.

Fellow experts on domain registry said Guilmette’s research was solid.

“He checks out, actually, as a legitimate researcher who knows what he’s talking about,” said Mike Simon, chief technology officer at Critical Informatics, a Seattle-area cybersecurity firm.
