Insane in the domain: Sea Turtle hackers pwn DNS orgs to dash web surfers on the rocks of phishing pages

Internet domain registrars and at least one registry were hijacked to change certain websites' DNS settings so that visitors to said sites were in fact directed to password-stealing phishing pages, researchers detailed on Wednesday. It is believed this is the first time state-backed miscreants have compromised web domain …

  1. aregross

    "...having a plan prepared for network-wide password resets in the event of an attack."

    I like that, but would it kick everybody out at the same time and make them log back in?

  2. Nick Kew Silver badge

    Turtles all the way down ...

    If your DNS gets hijacked, there goes your email. Even if everything sensitive is encrypted, it's another obstacle in the way of communicating with your service providers to sort things out. Especially if they have a process - like password reset - that relies on email, and the staff have been trained that anyone asking to bypass an email step is trying a scam.

  3. Anonymous Coward

    TLS Certificates?

    valid TLS certificates? Nasty.

    1. Anonymous Coward

      Re: TLS Certificates?

      What about the certificate creation process makes you think certs are trustworthy?

      1. Anonymous Coward

        Re: TLS Certificates?

        "What about the certificate creation process makes you think certs are trustworthy?"

        The TLS evangelists are too busy sweeping concerns about certs under the carpet to hear you.

        1. GnuTzu Silver badge

          Re: TLS Certificates? -- In Depth

          Defense in depth: guard the registry, guard the private keys, do vulnerability management, do pen. tests, and all of this in concert with TLS, etc. How is this new?

    2. Crazy Operations Guy Silver badge

      Re: TLS Certificates?

      It'd be trivial. Compromise the DNS records, redirect to your web-servers, go and grab a "Let's Encrypt" certificate and boom, you now have a legitimate certificate for your scam with users none the wiser, unless they religiously check the issuer of the certificate and know who normally issues the certificates for that particular website.

      1. Jamie Jones Silver badge

        Re: TLS Certificates?

        ... and of course, if the original site used 'Let's Encrypt' then you'd be none the wiser, and also, DNS CAA wouldn't work...
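Worked illustration of the point made in the two comments above (added here by the editor; not code from the article or from any commenter): a CA's CAA check as RFC 8659 describes it, climbing from the requested name toward the root and honouring the closest `issue` policy, followed by what happens once the attacker controls the zone through the registrar. All zone data is constructed; `ca.example` is a stand-in for some CA other than Let's Encrypt.

```python
"""RFC 8659 CAA check as a CA's issuance pipeline performs it, plus the failure
mode discussed in the thread: CAA policy lives in DNS, so whoever controls the
zone controls the policy. Added illustration; zone data below is constructed."""

CAA_CRITICAL = 128                 # flags bit: refuse if the tag is not understood
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(dns, fqdn):
    """Climb from fqdn toward the root; the first name that has CAA records is the
    Relevant RRset (RFC 8659 section 3). `dns` is {name: [(flags, tag, value), ...]}
    as the CA's resolver would see it. Returns (name, rrset) or (None, [])."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if dns.get(name):
            return name, dns[name]
    return None, []


def caa_permits_issue(dns, fqdn, ca_domain):
    """May the CA identified by ca_domain issue a non-wildcard cert for fqdn?
    issuewild/iodef are ignored for brevity; they do not change the outcome for
    non-wildcard names."""
    _, rrset = relevant_caa(dns, fqdn)
    for flags, tag, _ in rrset:
        if flags & CAA_CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False                       # unknown critical property: must refuse
    issue_values = [v for _, tag, v in rrset if tag.lower() == "issue"]
    if not issue_values:
        return True                            # no 'issue' policy up the tree: any CA may issue
    for value in issue_values:
        authorised = value.split(";", 1)[0].strip().lower()
        if authorised == ca_domain.lower():
            return True
    return False                               # also covers issue ";" (nobody may issue)


def hijack_zone(dns, apex, ca_domain):
    """What a Sea Turtle-style actor does once it controls the zone via the registrar
    or registry: replace the CAA policy with one naming its CA of choice (deleting
    it works too). Returns the attacker's version of the zone."""
    forged = dict(dns)
    forged[apex] = [(0, "issue", ca_domain)]
    return forged


# Constructed zones for the scenarios in the thread.
LE_ZONE  = {"example.com": [(0, "issue", "letsencrypt.org")]}
PINNED   = {"example.com": [(0, "issue", "ca.example")]}
DENY_ALL = {"example.com": [(0, "issue", ";")]}
SPLIT    = {"example.com": [(0, "issue", "ca.example")],
            "www.example.com": [(0, "issue", "letsencrypt.org")]}    # closest name wins
FUTURE   = {"example.com": [(CAA_CRITICAL, "futuretag", "whatever")]}

if __name__ == "__main__":
    cases = [("site already on Let's Encrypt", LE_ZONE),
             ("pinned to ca.example", PINNED),
             ("pinned, then DNS hijacked", hijack_zone(PINNED, "example.com", "letsencrypt.org"))]
    for label, zone in cases:
        ok = caa_permits_issue(zone, "www.example.com", "letsencrypt.org")
        print(f"{label:32s} letsencrypt.org may issue for www.example.com: {ok}")
```

The third case is the one that matters for this story: a CAA record pinning the zone to another CA stops an attacker who only controls the web server, but not one who controls the zone itself, because the CA reads the policy from the very DNS the attacker is editing.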

  4. STOP_FORTH
    Trollface

    I told you so

    DNS apocalypse on the way!

  5. sitta_europea Bronze badge

    Isn't this why we have DNSSEC?

    1. LDS Silver badge

      It would be of little help, if an attacker gained control of the DNS and can manipulate the DNS entries directly.

      1. sitta_europea Bronze badge

        [quote]It would be of little help, if an attacker gained control of the DNS and can manipulate the DNS entries directly.[/quote]

        Er, there's a chain of signed, trusted records all the way up to the root. You just have to follow it.
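Both commenters above are right, and the worked model below (added by the editor; not code from the article or from any commenter) shows where they part ways. A toy validating resolver follows the chain sitta_europea describes, trust anchor to root DNSKEY, root-signed DS to .com DNSKEY, .com-signed DS to the zone's DNSKEY, then the RRSIG on the answer. An attacker who cannot touch the DS at the parent fails validation; an attacker who holds the registrar account, which is the Sea Turtle scenario, replaces the DS as well and the forged answer validates as "secure". The signature scheme is schoolbook RSA over SHA-256 with keys built from Mersenne primes, which is an assumption made for a self-contained example and not how real DNSSEC keys work; zone names and addresses are constructed.

```python
"""Toy validating resolver following a DNSSEC chain of trust (DS -> DNSKEY -> RRSIG
at each zone cut), then three attacker scenarios. Added illustration. The crypto is
schoolbook RSA over SHA-256 with fixed toy keys: it models validation logic only."""
import hashlib


def _keypair(k1, k2):
    """RSA from two Mersenne primes 2^k-1 (toy; 65537 is coprime to phi for these k)."""
    p, q = (1 << k1) - 1, (1 << k2) - 1
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)

KEYS = {"root": _keypair(521, 607), "com": _keypair(89, 1279),
        "example": _keypair(61, 127), "attacker": _keypair(31, 107)}

def _digest_int(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    n, d = priv
    return pow(_digest_int(msg, n), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(msg, n)

def rr_bytes(owner, rtype, rdata):
    return f"{owner}|{rtype}|{rdata}".encode()

def ds_of(pub):
    """DS rdata: digest of the child's DNSKEY, published and signed by the parent."""
    return hashlib.sha256(repr(pub).encode()).hexdigest()

class Zone:
    def __init__(self, name, keypair):
        self.name = name
        self.dnskey, self._priv = keypair
        self.rrsets = {}                      # (owner, rtype) -> (rdata, rrsig)

    def publish(self, owner, rtype, rdata):
        self.rrsets[(owner, rtype)] = (rdata, sign(self._priv, rr_bytes(owner, rtype, rdata)))

    def delegate(self, child):
        """Parent signs whatever DS the registrar submits; it cannot tell who holds the key."""
        self.publish(child.name, "DS", ds_of(child.dnskey))

    def rekey(self, keypair):
        self.dnskey, self._priv = keypair
        for (owner, rtype), (rdata, _) in list(self.rrsets.items()):
            self.publish(owner, rtype, rdata)

def validate(zones, trust_anchor, owner, rtype):
    """zones ordered root..leaf. Returns ('secure', rdata) or ('bogus', reason)."""
    expected_ds = trust_anchor
    for depth, zone in enumerate(zones):
        if ds_of(zone.dnskey) != expected_ds:
            return "bogus", f"DNSKEY of {zone.name} does not match parent DS"
        if depth + 1 < len(zones):
            child = zones[depth + 1].name
            if (child, "DS") not in zone.rrsets:
                return "bogus", f"no DS for {child}"     # real resolvers need an NSEC proof here
            rdata, sig = zone.rrsets[(child, "DS")]
            if not verify(zone.dnskey, rr_bytes(child, "DS", rdata), sig):
                return "bogus", f"bad RRSIG over DS for {child}"
            expected_ds = rdata
    leaf = zones[-1]
    if (owner, rtype) not in leaf.rrsets:
        return "bogus", f"no {rtype} record for {owner}"
    rdata, sig = leaf.rrsets[(owner, rtype)]
    if not verify(leaf.dnskey, rr_bytes(owner, rtype, rdata), sig):
        return "bogus", f"bad RRSIG over {owner} {rtype}"
    return "secure", rdata

GOOD_IP, EVIL_IP = "192.0.2.10", "198.51.100.66"       # constructed, documentation ranges
NAME = "www.example.com."

def build():
    root, com, ex = Zone(".", KEYS["root"]), Zone("com.", KEYS["com"]), Zone("example.com.", KEYS["example"])
    ex.publish(NAME, "A", GOOD_IP)
    com.delegate(ex)
    root.delegate(com)
    return root, com, ex

def scenario_honest():
    root, com, ex = build()
    return validate([root, com, ex], ds_of(root.dnskey), NAME, "A")

def scenario_spoof_without_keys():
    """On-path or cache-poisoning attacker swaps the A record but keeps the old RRSIG."""
    root, com, ex = build()
    _, old_sig = ex.rrsets[(NAME, "A")]
    ex.rrsets[(NAME, "A")] = (EVIL_IP, old_sig)
    return validate([root, com, ex], ds_of(root.dnskey), NAME, "A")

def scenario_rekey_without_registrar():
    """Attacker owns the authoritative server and re-signs with its own key, but cannot
    change the DS at .com: the chain breaks at the zone cut."""
    root, com, ex = build()
    ex.rekey(KEYS["attacker"])
    ex.publish(NAME, "A", EVIL_IP)
    return validate([root, com, ex], ds_of(root.dnskey), NAME, "A")

def scenario_registrar_compromise():
    """Sea Turtle model: the attacker also holds the registrar account, so the DS at
    .com is replaced too. Every link verifies and the forged answer is 'secure'."""
    root, com, ex = build()
    ex.rekey(KEYS["attacker"])
    ex.publish(NAME, "A", EVIL_IP)
    com.delegate(ex)                          # new DS pushed via the registrar, signed by .com
    return validate([root, com, ex], ds_of(root.dnskey), NAME, "A")

if __name__ == "__main__":
    for fn in (scenario_honest, scenario_spoof_without_keys,
               scenario_rekey_without_registrar, scenario_registrar_compromise):
        print(f"{fn.__name__:36s} -> {fn()}")
```

The DS record is the pivot: DNSSEC protects the path from the parent's signature down, and the parent signs whatever the registrar submits. Registrar-account hygiene (registry lock, phishing-resistant MFA on the account) is therefore part of the DNSSEC trust chain whether or not the zone is signed.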

  6. Dr Who

    WTF???

    Computer systems within a registry and registrar were infected by tricking employees into opening spear-phishing emails laden with malware from sometime around January 2017, and continuing through the first quarter of 2019.

    Really? For two years? In not just registrars but *registries*! Gordon Bennett. We're all doomed.

  7. HieronymusBloggs

    Sea Turtles

    "tricking employees into opening spear-phishing emails laden with malware"

    Did they use shell code?

  8. A random security guy

    Username/passwd vs Fido2 dongle?

    Is having a username/passwd the ultimate sin here?

    Would a 2FA dongle be a better solution? It seems like the quicker we move, the better it will be for all of us.


Biting the hand that feeds IT © 1998–2019