Lenovo's and Google's Registrar Faces Malicious Website Redirection


Malicious redirection from two well-trafficked websites hit internet visitors this week. Lenovo.com was redirected to a defaced site controlled by the well-known hacker group Lizard Squad. Prior to this, Google's Vietnamese site suffered a similar attack in which users were redirected away from google.com.vn to a page announcing that the site had been hacked. The likely vector turns out to be the registrar both companies use.

As we reported, Lenovo's website was targeted by cyber-attacks just days after Lenovo apologized for pre-installing the Superfish software on some of its PCs, which exposed consumers to malware attacks. The potentially unwanted program (PUP) turned out to be trivially exploitable for defeating the security of SSL communications.

Cloudmark researcher Tom Landesman noted that while the public may be quick to blame Lenovo and Google for losing control of their respective websites, this latest issue is in fact down to a weakness at the registrar tasked with securely and correctly routing users to each site. He said that it appears the registrar in question, Webnic.cc, was compromised directly by Lizard Squad and utilized to lead users to fake versions of Lenovo's and Google's sites.

“The DNS records for both were temporarily changed, so that any users navigating to these sites would be pointed at new pages jokingly referencing, among others, Brian Krebs, Ryan King and Rory Andrew Godfrey, alongside what appears to be webcam images of an individual,” he said in a blog.

Krebs, the independent security researcher, reached out to King and Godfrey for comment; they told him that the attackers used HTML command injection to land a malicious rootkit on Webnic.cc's machines.

“This gave them direct control over the DNS records for where both sites would point users,” explained Landesman. “King and Godfrey also claim that Lizard Squad was able to snag Webnic's ‘auth codes,’ which allow someone to transfer domains, such as lenovo.com, to different registrars.”
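The quoted attack chain defeats two controls a domain owner normally relies on: the delegation records held at the registrar, and the auth code that gates a transfer to another registrar. As an added example (not part of the original article, and not code from Cloudmark, Krebs or Webnic), the following Python script shows the two checks a practitioner would run against their own domains: it parses the EPP status lines of a WHOIS record to confirm that transfer and update locks are set (including the registry-level server* locks, which a compromised registrar account cannot clear on its own), and it diffs a pinned NS/A baseline against what resolvers currently return, which is how a silent delegation change like the one described above gets caught. The WHOIS text, domain names, nameservers and IP addresses are constructed for illustration; the status code names are the standard EPP ones.

```python
import re

# EPP status codes that block the two actions described in the article:
# rewriting the delegation (update) and moving the domain away (transfer).
# client* locks are set by the registrar and can be cleared by anyone who
# controls the registrar account; server* locks are set at the registry and
# survive a registrar-side compromise.
TRANSFER_LOCKS = {"clientTransferProhibited", "serverTransferProhibited"}
UPDATE_LOCKS = {"clientUpdateProhibited", "serverUpdateProhibited"}
REGISTRY_LOCKS = {"serverTransferProhibited", "serverUpdateProhibited"}

# Matches lines such as
#   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.IGNORECASE | re.MULTILINE)


def epp_statuses(whois_text):
    """Return the set of EPP status codes present in a WHOIS/RDAP text dump."""
    return set(STATUS_RE.findall(whois_text))


def lock_findings(whois_text):
    """Return a sorted list of missing-lock findings for one domain's WHOIS record.

    An empty list means transfer, update and registry locks are all present.
    """
    statuses = epp_statuses(whois_text)
    findings = []
    if not statuses & TRANSFER_LOCKS:
        findings.append("no-transfer-lock")   # an auth code alone can move the domain
    if not statuses & UPDATE_LOCKS:
        findings.append("no-update-lock")     # registrar-side access can rewrite NS/A data
    if not REGISTRY_LOCKS <= statuses:
        findings.append("no-registry-lock")   # client* locks fall with the registrar account
    return sorted(findings)


def delegation_changes(baseline, observed):
    """Diff pinned DNS records against a fresh resolution.

    Both arguments map a record type ("NS", "A", ...) to an iterable of values.
    Returns {rtype: {"added": [...], "removed": [...]}} for every type that differs.
    """
    changes = {}
    for rtype in sorted(set(baseline) | set(observed)):
        expected = set(baseline.get(rtype, ()))
        current = set(observed.get(rtype, ()))
        if expected != current:
            changes[rtype] = {
                "added": sorted(current - expected),
                "removed": sorted(expected - current),
            }
    return changes


# --- constructed sample data (hypothetical domain, not real WHOIS output) ---
LOCKED_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""

CLIENT_LOCKED_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""

UNLOCKED_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Domain Status: ok https://icann.org/epp#ok
"""

# Pinned records as they should look, and a constructed "after hijack" resolution.
BASELINE = {"NS": {"ns1.example.net", "ns2.example.net"}, "A": {"192.0.2.10"}}
HIJACKED = {"NS": {"ns1.attacker.example", "ns2.attacker.example"}, "A": {"198.51.100.7"}}


if __name__ == "__main__":
    for label, text in (("locked", LOCKED_WHOIS), ("client-only", CLIENT_LOCKED_WHOIS), ("unlocked", UNLOCKED_WHOIS)):
        print(f"{label:12s} findings: {lock_findings(text) or 'none'}")
    for rtype, delta in delegation_changes(BASELINE, HIJACKED).items():
        print(f"{rtype}: +{delta['added']} -{delta['removed']}")
```

In practice the WHOIS text comes from the registrar's RDAP endpoint or `whois`, and the observed records from a resolver you do not control (so a poisoned local cache does not mask the change); a registry lock is the control that would have held even with Webnic's auth codes in the attackers' hands.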

While this attack was outside of the control of either Lenovo or Google, using Webnic may have been a poor choice by both companies, he added.

“Webnic’s popularity among hacker forums and underground bazaars may make some suspicious of the registrar’s practices,” he said. And in fact, Krebs noted that it’s probably not a coincidence that, over the past several years, many of the sites that use Webnic have also been hacked.
