It happened just a couple of days ago, it doesnt seem to have been a targeted attack though more like mass spammers/scammers leveraging on this flaw (as expected) to divert people to scam sites.
It happened on Tuesday morning, when Moore’s company, BreakingPoint, had some of its Internet traffic redirected to a fake Google page that was being run by a scammer. According to Moore, the hacker was able to do this by launching what’s known as a cache poisoning attack on a DNS server on AT&T’s network that was serving the Austin, Texas, area. One of BreakingPoint’s servers was forwarding DNS (Domain Name System) traffic to the AT&T server, so when it was compromised, so was HD Moore’s company.
When Moore tried to visit Google.com, he was actually redirected to a fake page that served up a Google page in one HTML frame along with three other pages designed to automatically click on advertisements.
It seems more of a problem with the ISP than BreakingPoint itself, but it still shows, if you rely on your ISPs DNS servers you don’t know what kind of fake content is getting served up to you.
Better safe than sorry right?
The flaw has to do with the way that DNS programs share information over the Internet. In a cache poisoning attack, the attacker tricks a DNS server into associating malicious IP addresses with legitimate domains, such as Google.com. Security experts say that this type of flaw could lead to very successful phishing attacks against Web surfers whose ISPs have not patched their servers.
Because of the nature of the AT&T hack, Moore doesn’t believe that he was targeted by the hackers. Even BreakingPoint employees didn’t realize that their internal DNS server had been configured to use the AT&T machine. Instead, he thinks that the hackers were simply trying to make a quick buck.
AT&T representatives were not immediately available to comment on the incident.
Moore believes that this type of attack may be going on at other ISPs as well.
I wonder if they managed to con anyone? And I wonder if AT&T has fixed this problem yet? It’s surprising that such a large ISP is still susceptible to this flaw after the amount of publicity the DNS bug has gotten.
Just be on the watch out!
Source: InfoWorld (Thanks Navin)
- Rowhammer – DDR3 Exploit – What You Need To Know
- Santoku Linux – Mobile Forensics, Malware Analysis, and App Security Testing LiveCD
- Google Expands Pwnium Year Round With Infinite Bounty
- Logic Bomb Backfires on Hacker Employee
- DNS DDoS Attack Takes Down China Internet
- Rackspace Recovers From Major DNS DDoS
Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 229,567 views
- AJAX: Is your application secure enough? - 119,408 views
- eEye Launches 0-Day Exploit Tracker - 85,198 views