By hacking the DNS records of websites hosted by Go Daddy, cyber criminals are able to redirect visitors to their own malicious sites and then distribute ransomware.
The Domain Name System (DNS) allows users to access websites by typing their names instead of their IPs. So, instead of typing in http://18.104.22.168/, a user can just go to http://google.com.
But the bad guys found a way to abuse the system by adding their own IP addresses to the DNS records of websites, according to researchers from security firm Sophos.
By adding several subdomains with corresponding DNS entries that reference malicious IPs, attackers can evade security filtering and trick users into thinking they’re on a legitimate site, Sophos researchers said.
In this particular case, the rogue servers to which users are redirected host an exploit kit called Cool EK, which is similar to BlackHole.
The exploit kit looks for vulnerabilities in the target system to push the ransomware.
The ransomware itself is the usual stuff, where it locks up the computer screens of victims and informs them they must pay a fine to a law enforcement agency (depending on their location) for downloading illegal content, Sophos researchers said.
The crooks use an animated GIF image that mimics the video capture from the victim’s webcam to make everything more legitimate-looking.
Unfortunately, researchers have not been able to determine if the attackers are utilizing stolen account credentials, because Go Daddy doesn’t allow webmasters to view their historical login activity, Sophos researchers said.
Website owners who suspect that their sites have been hijacked in such a manner are advised to change their passwords. Furthermore, they can check their DNS configuration to see if any suspicious entries have been added.
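The technique described above relies on extra subdomains whose A records point at addresses the site owner never used, so the DNS check recommended here boils down to comparing the current records against two things the owner knows: the hostnames they created and the address space they actually use. The following Python script is an added example, not code from Sophos, Go Daddy or the original article; the record export format ("name type value" per line), the sample records, the owned network and the hostname inventory are all constructed for illustration, and a real audit would feed it the export from the registrar's DNS management page instead.

```python
import ipaddress

# Constructed sample export of a domain's DNS records, one record per line
# as "name type value". This is illustrative data, not a real zone, and the
# layout is a simplification rather than any registrar's export format.
SAMPLE_ZONE = """\
; owner-created records
example.com       A   203.0.113.10
www.example.com   A   203.0.113.10
mail.example.com  A   203.0.113.20
example.com       MX  10 mail.example.com.
; records the owner did not create (constructed to look like an injection)
cdn-assets.example.com A 198.51.100.77
img7.example.com       A 198.51.100.78
"""

# Address space the site owner actually operates (constructed, documentation range).
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Hostnames the owner knowingly created (constructed inventory).
KNOWN_HOSTS = {"example.com", "www.example.com", "mail.example.com"}


def parse_zone(text):
    """Parse the simplified export into (name, type, value) tuples.

    Blank lines and ';' comments are skipped; trailing dots on names are
    removed so that 'example.com.' and 'example.com' compare equal.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # malformed line; ignore rather than guess
        name, rtype, value = parts
        records.append((name.rstrip("."), rtype.upper(), value.strip()))
    return records


def find_suspicious(records, owned_networks, known_hosts):
    """Return records that deserve a look, with the reason(s) for each.

    A record is flagged when its hostname is not in the owner's inventory,
    or when an A/AAAA record points outside the owner's address space.
    Either condition alone is enough; the injected subdomains in the
    sample trip both.
    """
    findings = []
    for name, rtype, value in records:
        reasons = []
        if rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                reasons.append("unparseable address")
            else:
                if not any(addr in net for net in owned_networks):
                    reasons.append("address outside owned networks")
        if name not in known_hosts:
            reasons.append("hostname not in inventory")
        if reasons:
            findings.append((name, rtype, value, reasons))
    return findings


def audit(zone_text, owned_networks=OWNED_NETWORKS, known_hosts=KNOWN_HOSTS):
    """Convenience wrapper: parse an export and return the findings."""
    return find_suspicious(parse_zone(zone_text), owned_networks, known_hosts)


if __name__ == "__main__":
    for name, rtype, value, reasons in audit(SAMPLE_ZONE):
        print(f"{name} {rtype} {value}: {', '.join(reasons)}")
```

Running it against the constructed export reports only the two `*.example.com` names that were never in the inventory and point at addresses outside the owned network; the owner's own records, including the MX entry, pass. Keeping the hostname inventory and the owned address list somewhere other than the registrar account is the point: if the account itself is what was compromised, the comparison has to be made against a copy the attacker could not edit.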