Metasploit’s DNS Registrar Hacked Via Fax

Posted on Oct 17, 2013


Image from http://www.theguardian.com/

Metasploit is a framework used by computer and network security professionals worldwide to perform penetration tests of corporate systems and to verify that known vulnerabilities have actually been fixed. Recently, Metasploit was attacked by a group of pro-Palestinian hackers, who managed to hijack its website simply by sending a fax. The attackers are a group of four people known as the KDMS Team. They came to prominence a few weeks earlier when they hijacked the websites of the popular messaging service Whatsapp and the antivirus company AVG.

This time the hackers tricked Metasploit's DNS registrar, Register.com, by sending a fax requesting a change to the IP addresses associated with the Rapid7 and Metasploit domains. As a result, people who visited the home pages of these sites were redirected to a politically charged message. The hack redirected the domains to a page containing a message from the KDMS Team, reading in part:

Image from http://www.theguardian.com/

This kind of attack is called a DNS redirect, “which involves an attacker changing the records which tell web browsers what server lies behind any given web address”. According to HD Moore, chief research officer at security company Rapid7, the website was “hijacked through a spoofed change request FAXED to Register.com. Hacking like it's 1964.”

Image from http://www.ibtimes.co.uk/

Immediately after the attack, Rapid7 asked the registrar to block all changes to its domains unless they are authorized by phone. The company is also considering top-level domain (TLD) locks to prevent unauthorized changes at its DNS registrars. “These locks introduce hurdles for normal changes to our infrastructure and so we were still in the planning stages. In hindsight, we should have taken action sooner,” said Moore.

The attackers did not compromise the servers running these websites, and the redirect was fixed within an hour. But the attack had the potential to cause serious damage: the same redirect could have sent users to a spoofed site asking for personal details such as Social Security numbers and credit card numbers.

The KDMS group carried out similar attacks on the websites of Whatsapp, AVG and Avira. In those cases they achieved the DNS redirect by sending a fake password reset request, and the firms were registered with a different registrar, Network Solutions. Besides Rapid7 and Metasploit, two other companies registered with Register.com, Bitdefender and ESET, also fell prey to the KDMS Team's DNS redirect attack.

These are some of the steps that businesses can take to protect themselves from similar kinds of attacks:

  • Train employees to recognize phishing attacks: One of the things that led to this attack was the registrar acting on a fake fax request from the attacker and changing the IP addresses of Metasploit and Rapid7. Employees need to be trained to distinguish a fake request from a legitimate one. If they find any request suspicious, they should call the requestor directly through a known contact number and verify it.
  • Implement registry locks for better security: As Moore pointed out, none of the domains that fell victim to these attacks had registry locks in place. “A registry lock is a status code applied to a web domain name that is designed to prevent incidental or unauthorized changes – including modifications, transfers or deletion of domain names and alterations to domain contact details – without first authenticating to the top-level domain operator.”
  • Monitor DNS settings: Lastly, businesses should monitor their DNS settings regularly, checking for changes to registration information and to the IP addresses their business-critical domains resolve to. This helps a business detect a hijack quickly and take suitable measures immediately to remediate it.
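The monitoring and registry-lock steps above can be automated together. The following is an added example, not code from the original post or from Rapid7: it compares a snapshot of each domain (resolved A records, nameservers and EPP status codes as reported by WHOIS/RDAP) against an approved baseline, and flags any domain whose registry lock is incomplete. The domain names, IP addresses and snapshots are constructed inline so the check runs offline; in production the snapshot would be collected with a DNS resolver and the registrar's WHOIS/RDAP service.

```python
from dataclasses import dataclass

# The three EPP status codes that together make up a registry lock: the registry
# refuses updates, transfers and deletions until the lock is lifted out-of-band.
REGISTRY_LOCK_STATUSES = frozenset(
    {"serverUpdateProhibited", "serverTransferProhibited", "serverDeleteProhibited"})


@dataclass(frozen=True)
class DomainState:
    """One snapshot of a domain: resolved A records plus registrar (WHOIS/RDAP) data."""
    domain: str
    a_records: frozenset    # IPs the name currently resolves to
    nameservers: frozenset  # NS set reported by WHOIS/RDAP
    statuses: frozenset     # EPP status codes reported by WHOIS/RDAP


def check_domain(observed, baseline):
    """Compare a snapshot with the approved baseline; an empty list means no findings."""
    findings = []
    if observed.a_records != baseline.a_records:
        findings.append("A records changed: %s -> %s"
                        % (sorted(baseline.a_records), sorted(observed.a_records)))
    if observed.nameservers != baseline.nameservers:
        findings.append("nameservers changed: %s -> %s"
                        % (sorted(baseline.nameservers), sorted(observed.nameservers)))
    # Lock status is checked against policy, not the baseline, so a domain that
    # was never locked is flagged as well.
    missing = REGISTRY_LOCK_STATUSES - observed.statuses
    if missing:
        findings.append("registry lock incomplete, missing: %s" % sorted(missing))
    return findings


def run_checks(observed, baseline):
    """Run check_domain over every baselined domain, keyed by domain name."""
    return {name: check_domain(observed[name], baseline[name]) for name in baseline}


# Constructed sample data; IPs come from the RFC 5737 documentation ranges.
NS = frozenset({"ns1.example.net", "ns2.example.net"})
BASELINE = {
    "example.com": DomainState("example.com", frozenset({"192.0.2.10"}), NS,
                               REGISTRY_LOCK_STATUSES),
    "example.org": DomainState("example.org", frozenset({"198.51.100.5"}), NS,
                               frozenset({"clientTransferProhibited"})),
}
# Constructed snapshot after a fraudulent change request: example.com now
# resolves elsewhere, and example.org was never placed under a registry lock.
OBSERVED = {
    "example.com": DomainState("example.com", frozenset({"203.0.113.7"}), NS,
                               REGISTRY_LOCK_STATUSES),
    "example.org": BASELINE["example.org"],
}
```

Running `run_checks(OBSERVED, BASELINE)` reports the changed A record for example.com and the missing lock statuses for example.org; a domain that matches its baseline and carries all three lock statuses yields an empty list.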


SpiderOak Blue for Enterprises:

Finding a truly secure third-party cloud service can be a challenge, as many services on the market have security gaps that leave private data vulnerable to third-party attacks. One cloud storage and sync service that sets itself apart is SpiderOak Blue. This service provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. For the average web user, SpiderOak offers the same protections at lower cost and with smaller storage space. You can sign up for this product now.

SpiderOak Blue protects sensitive enterprise data through two-factor password authentication and 256-bit AES encryption, so that files and passwords stay private as unreadable blocks of data. Two-factor authentication is just like the process used by some financial services that require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, enterprises that choose to use two-factor authentication must submit a private code received by text message along with their unique encrypted password. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero knowledge” of user passwords or data, and all plaintext encryption keys are stored exclusively on approved devices (SpiderOak never hosts any plaintext data). SpiderOak Blue's cross-platform private cloud services are available for enterprises on Windows, Mac, and Linux, along with Android and iOS mobile devices.
