What's In A Name? - SANS Internet Storm Center

"What's in a name? That which we call a rose
By any other name would smell as sweet." – Juliet, Romeo and Juliet (II, ii, 1-2)

"A good name is more desirable than great riches; to be esteemed is better than silver or gold." – Proverbs 22:1 (NIV)

A rose is a rose is a rose

What if I could hack your organization and abuse your company’s reputation – and what if I could do it without your firewall, IDS, IPS, or your host-based badware detection making a peep?

What if I could use your organization’s good name to sell ED drugs, questionable Facebook "apps," shady online "personal ads," or to distribute porn that would make a sailor blush?

What if I did all of that, and you didn’t know? What if the hack itself took place on a machine you didn’t directly control and only accessed rarely? And what if the hack was so subtle, so obscure, and so difficult to find that once I had it in place, it might be years before you ever stumbled across it – if you ever stumbled across it?

This nightmare scenario is, unfortunately, reality for at least 50 organizations – ones that I’ve been able to uncover – and I'm certain that there are many, many more. Each of these organizations has been a victim of a malicious alteration of their domain information – an alteration that added new machine names to their existing information, and allowed bottom-feeding scam artists to abuse their good reputation to boost the search-engine profile of their drug, app, "personal ad," or porn sites.

Take a look at the following table:

These sites...	Resolve To	While the main site...	Resolves To
buy-viagra.4kidsnus.com	67.55.117.204	www.4kidsnus.com	50.73.38.13
drugs-1501.abingtonurology.com	67.55.117.204	www.abingtonurology.com	74.208.98.50
personals-1501.abingtonurology.com
tubes-1501.abingtonurology.com
payday-loans.accessbank.com	74.220.215.210	www.accessbank.com	66.147.240.154
cialis.advancedsynthesis.com	74.50.13.17	www.advancedsynthesis.com	216.227.216.47
viagra.advancedsynthesis.com	74.50.13.17	www.advancedsynthesis.com	216.227.216.47
cialis.apptech.com	66.96.147.107	www.apptech.com	66.96.147.107
loans.apptech.com	66.96.147.107
viagra.apptech.com	66.96.147.106
buy-cialis.asfiusa.com	67.55.33.109	www.asfiusa.com	74.220.215.84
buy-viagra.asfiusa.com
mg-drugs.asfiusa.com
payday-loans.asfiusa.com
rx-drugs.asfiusa.com
facebook.blueagle.com	74.50.13.17	www.blueagle.com	209.200.244.56
buy-cialis.boothscorner.com	67.55.117.204	www.boothscorner.com	74.208.98.50
buy-viagra.boothscorner.com	67.55.117.204	www.boothscorner.com	74.208.98.50
24-buy-cialis.campsankanac.org	67.55.33.109	www.campsankanac.org	74.208.98.50
24-personals.campsankanac.org
buy-cialis.campsankanac.org
buy-viagra.campsankanac.org
viagra.cccsaa.org	74.50.13.17	www.cccsaa.org	216.227.214.82
buy-cialis.cfi.gov.ar	67.55.117.204	www.cfi.gov.ar	201.234.37.147
buy-viagra.cfi.gov.ar	67.55.117.204	www.cfi.gov.ar	201.234.37.147
mg-drugs.chesarda.org	65.254.250.103	www.chesarda.org	65.254.250.109
viagra.cranehighschool.org	74.50.13.17	www.cranehighschool.org	216.227.220.85
buy-cialis.dollardiscount.com	67.55.117.204	www.dollardiscount.com	74.208.98.50
buy-viagra.dollardiscount.com	67.55.117.204	www.dollardiscount.com	74.208.98.50
buy-cialis.eap.edu	74.220.215.210	www.eap.edu	66.147.240.167
buy-viagra.eap.edu
mgdrugs.eap.edu
payday-loans.eap.edu
rxdrugs.eap.edu
buy-cialis.ejercito.mil.do	74.220.215.210	www.ejercito.mil.do	74.220.215.113
buy-viagra.ejercito.mil.do
mgdrugs.ejercito.mil.do
payday-loans.ejercito.mil.do
rxdrugs.ejercito.mil.do
buy-cialis.elbertcounty-co.gov	74.220.215.210	www.elbertcounty-co.gov	74.220.207.155
buy-viagra.elbertcounty-co.gov
drugs.elbertcounty-co.gov
cheap-viagra.ellerbecreek.org	66.96.147.106	www.ellerbecreek.org	66.96.147.106
cialis-price.ellerbecreek.org
payday-loans.ellerbecreek.org
cialis-buy.esad.org	69.73.170.8	www.esad.org	69.73.185.194
payday-loan.esad.org
player.esad.org
translator.esad.org
buy-cialis.fabius-ny.gov	173.236.60.138	www.fabius-ny.gov	173.236.47.26
buy-viagra.fabius-ny.gov
payday-loans.fabius-ny.gov
personals.fabius-ny.gov
1-facebook.fwbl.com	173.236.60.138	www.fwbl.com	65.60.41.210
1-games.fwbl.com
1-payday-loans.fwbl.com
1translator.fwbl.com
payday-loans.fwbl.com
payday-loans.fwbl.com
translator2.fwbl.com
facebook-i.georgetownky.gov	69.73.170.8	www.georgetownky.gov	69.73.136.24
payday.georgetownky.gov
personals-d.georgetownky.gov
viagra-buy.georgetownky.gov
rx-drugs.golocalnet.com	65.254.250.103	www.golocalnet.com	65.254.250.105
mg-drugs.goodhope.com	66.96.147.106	www.goodhope.com	66.96.147.115
buy-cialis.hamwave.com	74.50.13.17	www.hamwave.com	209.200.245.66
buy-viagra.hamwave.com
payday.hamwave.com
buy-cialis.haskell.edu	74.220.215.210	www.haskell.edu	74.220.207.138
buy-viagra.haskell.edu
drugs-coog.haskell.edu
drugs.haskell.edu
cialis.hiwassee.edu	65.254.250.103	www.hiwassee.edu	65.254.250.110
drugs.hiwassee.edu
payday-loans.hiwassee.edu
buy-viagra.hothouse.net	66.96.147.106	www.hothouse.net	66.96.147.106
buy-cialis.iiehk.org	67.55.117.204	www.iiehk.org	58.177.188.240
buy-viagra.iiehk.org	67.55.117.204	www.iiehk.org	58.177.188.240
buy-viagra.karen.org	65.254.250.103	www.karen.org	65.254.250.109
facebook.lisboniowa.com	65.254.250.103	www.lisboniowa.com	65.254.250.114
payday-loans.lisboniowa.com
viagra.lisboniowa.com
cialis.medpharmsales.com	74.50.13.17	www.medpharmsales.com	216.227.214.82
buy-cialis.menalive.com	69.73.170.8	www.menalive.com	69.73.138.10
buy-viagra.menalive.com
drugs.menalive.com
facebook.menalive.com
payday-loans.menalive.com
buy-viagra.mvas.org	74.220.215.210	www.mvas.org	74.220.215.73
payday-loans.mvas.org	74.220.215.210	www.mvas.org	74.220.215.73
buy-cialis.nywolf.org	96.30.42.100	www.nywolf.org	96.30.42.100
buy-viagra.nywolf.org
payday-loans.nywolf.org
buy-cialis.okgolf.org	65.254.250.103	www.okgolf.org	65.254.250.101
loans.omill.org	69.73.170.8	www.omill.org	69.73.139.41
mg-drugs.omill.org
personals.omill.org
rx-drugs.omill.org
cialis.onyvax.com	173.236.60.138	www.onyvax.com	216.104.37.106
loans.onyvax.com
viagra.onyvax.com
drugs-1501.pattywagstaff.com	67.55.117.204	www.pattywagstaff.com	76.202.66.30
personals-1501.pattywagstaff.com
tubes-1501.pattywagstaff.com
1-payday-loans.qunlimited.com	173.236.60.138	www.qunlimited.com	173.236.37.194
1facebook.qunlimited.com	173.236.60.138	www.qunlimited.com	173.236.37.194
1-facebook.rivcoems.org	173.236.60.138	www.rivcoems.org	69.175.91.58
1-payday-loans.rivcoems.org
1player.rivcoems.org
buy-cialis.sacmetrofire.ca.gov	74.220.215.210	www.sacmetrofire.ca.gov	66.147.240.176
buy-viagra.sacmetrofire.ca.gov
drugs.sacmetrofire.ca.gov
mgdrugs.sacmetrofire.ca.gov
rxdrugs.sacmetrofire.ca.gov
buy-cialis.santafeproductions.com	74.50.13.17	www.santafeproductions.com	209.200.242.240
cialis.saturdaymarket.com	74.50.13.17	www.saturdaymarket.com	209.200.245.36
viagra.saturdaymarket.com	74.50.13.17	www.saturdaymarket.com	209.200.245.36
buy-cialis.seabury.edu	74.220.215.210	www.seabury.edu	66.147.240.183
buy-viagra.seabury.edu
drugs.seabury.edu
buy-cialis.symspray.com	66.96.147.106	www.symspray.com	66.96.147.103
buy-cymbalta.tcsys.com	67.55.117.204	www.tcsys.com	99.20.97.250
buy-lexapro.tcsys.com
buy-viagra.tcsys.com
divx-player.tcsys.com
facebook.tcsys.com
flv-player.tcsys.com
personals-2702.tcsys.com
player.tcsys.com
translator.tcsys.com
tubes-2702.tcsys.com
buy-viagra.ubf.org	74.220.215.210	www.ubf.org	74.220.201.220
mg-drugs.ubf.org
payday-loans.ubf.org
rx-drugs.ubf.org
drugs-1801.uhsurology.com	67.55.117.204	www.uhsurology.com	64.57.219.72
personals-1801.uhsurology.com
tubes-1801.uhsurology.com
buy-cialis.uniben.edu	74.220.215.210	www.uniben.edu	69.195.82.57
buy-viagra.uniben.edu
mg-drugs.uniben.edu
mgdrugs.uniben.edu
payday-loans.uniben.edu
payday.uniben.edu
rx-drugs.uniben.edu
rxdrugs.uniben.edu
buy-cialis.viethoc.org	67.55.117.204	www.viethoc.org	208.127.15.120
buy-cymbalta.viethoc.org
buy-levitra.viethoc.org
buy-lexapro.viethoc.org
buy-viagra.viethoc.org
divx-player-beob.viethoc.org
flv-player-beob.viethoc.org
personals-0602.viethoc.org
player-beob.viethoc.org
drugs.williamson.edu	65.254.250.103	www.williamson.edu	65.254.250.105
payday-loans.williamson.edu
viagra.williamson.edu
payday.yanceycountync.gov	67.55.33.109	www.yanceycountync.gov	66.147.242.162
tubes-1111.yanceycountync.gov	67.55.33.109	www.yanceycountync.gov	66.147.242.162

Note: These IP addresses can (and should) change. The above information was gathered 10-7-2011 13:00 UTC

Over 150 "new" entries have been created in the zone information for these organizations. Each of these new "sites" inherits whatever good reputation the parent domain may have accumulated, and is, therefore, valuable as a means of search engine optimization (SEO).

The following table shows that these hacks occurred at multiple DNS providers with a few being somewhat more "popular" than others:

Domain	DNS Provider
4kidsnus.com	dnsexit.com
abingtonurology.com
boothscorner.com
campsankanac.org
cfi.gov.ar
dollardiscount.com
iiehk.org
pattywagstaff.com
tcsys.com
uhsurology.com
viethoc.org
yanceycountync.gov
ejercito.mil.do	hostmonster.com
accessbank.com
asfiusa.com
eap.edu
elbertcounty-co.gov
haskell.edu
mvas.org
sacmetrofire.ca.gov
seabury.edu
ubf.org
uniben.edu
apptech.com	ipage.com
ellerbecreek.org
goodhope.com
hothouse.net
symspray.com
qunlimited.com	justhost.com
advancedsynthesis.com	lunariffic.com
blueagle.com
cccsaa.org
cranehighschool.org
hamwave.com
medpharmsales.com
santafeproductions.com
saturdaymarket.com
compliancemedical.com	myhostcenter.com
menalive.com	nocdirect.com
esad.org
georgetownky.gov
omill.org
fabius-ny.gov	pipedns.com
fwbl.com
onyvax.com
rivcoems.org
chesarda.org	powweb.com
golocalnet.com
hiwassee.edu
lisboniowa.com
okgolf.org
williamson.edu
nywolf.org	wiredtree.com
karen.org	yourhostingaccount.com

Down the Rabbit Hole

Finding these sites was a matter of luck and perseverance. Initially, I happened across a single, odd-sounding site name while looking for organizations that had been compromised by the bad guys for SEO purposes. Using tools that attempt to list all of the domain records pointing to a particular IP address led me to more. Google searches for sites linking to these domains led me further. Unquestionably, there are more of these types of sites out there – some not currently in use. However, because there is no good way to truly search DNS information, attempting to find these from the "outside" is difficult and frustrating.

"Round up the usual suspects..."

How did this happen? Unsurprisingly, no one I talked to about this was standing at the front of the line, ready to take the blame for these issues: Domain owners swear they used good passwords and are sure that the DNS providers were hacked, DNS providers are certain that the Domain owners used lousy passwords on their accounts... 'round and 'round we go.

My gut tells me that the truth lies somewhere in between: bad passwords combined with poor account lockout controls on something like a cPanel-type web interface probably led to successful brute force attacks on most of these... I could, however, be completely wrong. Unfortunately, I just don't have the time to chase every one of these to ground.

Don’t Let This Happen To You

Check your DNS zone file information periodically, just to make sure nothing has been added without your knowledge.
Choose passwords wisely, especially on interfaces where brute-force attacks are likely (i.e. pretty much anything accessible from the internet). Never use dictionary words. And remember: while "qwertyuiop" may not be in your dictionary, it IS in mine...
Periodically take a look at your website how Google sees it (Google search: "site:yoursite.com" – NOT www.yoursite.com, and look through the pages for anything out of the ordinary. Toss a few choice keywords in as well ("Viagra," "Cialis," "drugs," "personals," etc...). This kind of search can help you discover many different types of issues with your site.

Tom Liston
ISC Handler
Senior Security Consultant, InGuardians, Inc .
Twitter: @tliston

Tom

160 Posts

Oct 12th 2011

Automate the last tip by setting up a Google Alert to notify you immediately if Google runs across anything in it's indexing. Believe you guys previously recommended setting up something like "if Phentermine OR viagra OR cialis OR oxycontin OR levitra OR ambien OR xanax OR paxil OR porn OR ringtones OR casino site:yoursite.com"

Dean

135 Posts

The threat described is for organizations small enough to not want to be responsible for hosting their own authoritative DNS server. A monitoring solution would be to set up a local non-public slave DNS server for the zones, and then audit the zone file there periodically.

Dean
1 Posts

Regarding DNS search tools: have you tried Robtex?

It seems to list a few more domains that aren't posted here.

Dean
1 Posts

Bummer .... so, while they sort out the fingerpointing, hopefully they are fixing the issue first.

Any thoughts on how we can restrict access to these sites, short of blacklisting these domains manually in a blackhole ? DNS blocking is probably out, since it looks like the DNS servers could be hosting valid websites.

Dean
2 Posts

Perhaps one more good reason not to use wildcard certificates?

Erik van Straten

129 Posts

Perhaps this problem should discourage the use of domain names as anchors for reputations, and provide an incentive to use cryptographically secure identifiers instead. Conventional domain names are still sensible tokens for finding a site, but not for authenticating the find.

Mike O'D.

1 Posts

Our DNS hosting provider's login page is protected by captcha, may not be perfect but it definitely cuts down on password guessing.

Isif

5 Posts

Likely not a password hack. Simple and old trick. Almost criminal that it still exists anywhere.

These DNS providers were allowing users to create domains that were subdomains of other users domains. Some name server software will serve records for these subdomains if they are on the same name server even if NS records don't exist in the parent domain that delegate the subdomain.

No decent DNS provider would or does allow this.

Isif
1 Posts