Hackers Target High Profile Domains

During the last days, several high profile domains have been defaced including domains from two prominent security companies. In addition to these, high profile domains such as, and were also defaced. From our quick analysis It does not seem that the actual webserver has been compromised, the most possible attack vector was that the DNS have been hijacked.

When looking into this, there are some quite obvious traces but nothing that really confirms what the hackers did; or what kind of information they were able to obtain. When analyzing previous compromises and defaces it seems that there is a “new” trend within hacking groups and defacers to go for the DNS or domain registrars instead of compromising the actual webserver. When quickly analyzing the domain there were two indicators that stood out.

The domains who were compromised yesterday and today all had an very recent update record in their DNS, and they were all using the same DNS registrar – NETWORK SOLUTIONS, LLC.

Another interesting thing is that all domains that was attacked yesterday and today only had the status: “clientTransferProhibited” while the domain who was updated 10 September 2013 also had additional “server” settings enabled. If this is related to the attack is very difficult to say.

Between the targets that were attacked, one very big hosting provider, LeaseWeb, wrote about their DNS compromise on their blog:

Interestingly, after the compromise, LeaseWeb moved to a new registrar – KeySystems Gmbh.

At the moment we do not know if NETWORK SOLUTIONS were compromised, or if the attackers simply got hold of control panel logins by other methods such as bruteforcing. Additional to the DNS redirection/hi-hacking attack, were they only out for spreading a political message or are they actually leveraging an unknown exploit?

UPDATE:2013-10-08 16:30: Avira confirms that Network Solutions was hacked. More information about this can be found at the following article from Softpedia:

At the time of writing, we do not know yet, but we really recommend that you update to the latest available product and signature database because there might be more compromised domains out there.

An image of the defaced website is found below:


Hackers Target High Profile Domains

Your email address will not be published. Required fields are marked *



Meet the GoldenJackal APT group. Don’t expect any howls

GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher.

APT trends report Q1 2023

For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.

Subscribe to our weekly e-mails

The hottest research right in your inbox