Hosting provider LeaseWeb falls victim to DNS hijacking

The company believes attackers obtained domain administrator credentials and used them to change the domain's DNS records at the registrar

Attackers modified the DNS records for


Hosting provider LeaseWeb became the latest high-profile company to have its domain name taken over by attackers, highlighting that DNS (Domain Name System) hijacking is a significant threat, even to technically adept businesses.

For a short time on Saturday, the company's main website, was redirected to an IP address that wasn't under its control. This was the result of a so-called DNS hijacking attack in which attackers managed to change the authoritative name servers for the company's domain name.

Due to the way DNS records get propagated through Internet servers and the fact that some DNS resolvers cache the records for a longer time than others, not all users were affected by the incident.

However, those users who were impacted and attempted to visit the company's website were redirected to a Web page crediting a hacker group called KDMS Team for the attack.

The rogue page contained messages from the hackers, including "what are you is a hosting company with no security" and "we owned all of your hosted sites."

"Our security investigation so far shows that no domains other than were accessed and changed," LeaseWeb said in a blog post Sunday after resolving the issue. "No internal systems were compromised. One of the security measures we have in place is to store customer data separately from any publicly accessible servers; we have no indication that customer data was compromised as a result of this DNS hijack."

LeaseWeb is a large provider of public cloud, private cloud, dedicated hosting, colocation and content delivery services with subsidiaries in the U.S., Germany and the Netherlands. It has over 15,000 customers that range from small businesses to large enterprises and claims to manage almost 4 percent of global IP traffic.

LeaseWeb is still investigating how attackers managed to change the DNS records for its domain name, but it appears that they gained access to the domain administrator password at the domain registrar from which LeaseWeb bought its domain.

Spear phishing might have been a part of the attack, but at this point the investigation is ongoing so there's no definitive answer, Alex de Joode, senior legal counsel of LeaseWeb, said Monday via email.

Because of this attack, emails sent to addresses while the rogue DNS records were in place did not reach the company's email server. The rogue Web server where the domain was pointed by the attackers did not have email service configured, so no email messages were compromised, de Joode said.

There's also no indication the rogue Web page served malware or was used to steal credentials, he said.

There has been some speculation that attackers might have exploited a recently disclosed vulnerability in the WHMCS billing and support software to pull off the attack. This software is particularly popular with Web hosting companies.

LeaseWeb itself doesn't use WHMCS, but the company doesn't know if the software is used by its domain registrar, de Joode said.

"We took immediate measures to prevent a repeat of this incident in the short term," he said. "We will also update our security policies for domains based on the results of the current investigation."

Defacing websites by hijacking the DNS records for their domain names in order to redirect them to rogue Web servers is a popular technique among hackers. Attackers usually gain access to the domain administrator panel by phishing the log-in credentials from an authorized user or by tricking domain registrar employees into resetting the password for the targeted account.

In August, a hacker group called the Syrian Electronic Army (SEA) used spear phishing to temporarily hijack the,,, and domain names. SEA publicly supports Syrian President Bashar al-Assad and his government and most of their attacks are a political statement.

LeaseWeb doesn't currently know why it was targeted by KDMS Team, de Joode said.

DNS hijacking can have much more serious consequences than a website being defaced. Attackers could use this technique to direct users to a phishing version of the website in order to steal their credentials, or they could use exploit kits to infect visitors to the rogue Web server with malware.

To prevent rogue modification of DNS records, domain owners can ask their registrars to put registry locks in place for their domains. This lock is placed at the registry level -- with those companies that administer the .com, .net, .org, and other domain extensions -- and makes the modification of DNS records, even when a domain registrar is compromised, much harder.
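The two things a domain owner can actually monitor for are the ones this story turns on: the delegation (the name servers the parent zone hands out for the domain) changing away from a known baseline, and the domain lacking the registry-level lock statuses the article recommends. The following is an added example, not code from the article or from LeaseWeb; it runs a baseline check over a constructed NS answer and a constructed RDAP-style record. The domain names, the `example.com` baseline and the `.invalid` attacker name servers are all made up for the example; the lock status names are the standard RDAP status values (RFC 8056) that correspond to the EPP serverUpdateProhibited, serverTransferProhibited and serverDeleteProhibited statuses a registry lock sets.

```python
"""
Added example (not from the article): a small baseline check that flags
a changed delegation and a missing registry lock for a domain.

Inputs are constructed. In practice the NS list would come from a query
to the parent zone's name servers and the RDAP record from the
registrar's or registry's RDAP endpoint.
"""
from dataclasses import dataclass

# RDAP status values (RFC 8056) set by a registry lock. Which of these a
# given registry applies can vary, so treat the set as a policy choice.
REGISTRY_LOCK_STATUSES = frozenset({
    "server update prohibited",
    "server transfer prohibited",
    "server delete prohibited",
})


@dataclass
class DomainBaseline:
    domain: str
    expected_ns: frozenset  # name servers the delegation should contain
    require_registry_lock: bool = True


@dataclass
class Finding:
    severity: str
    message: str


def normalise_ns(names):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return frozenset(n.lower().rstrip(".") for n in names)


def check_delegation(baseline, observed_ns):
    """Compare the observed delegation with the baseline."""
    findings = []
    observed = normalise_ns(observed_ns)
    expected = normalise_ns(baseline.expected_ns)
    unexpected = observed - expected
    missing = expected - observed
    if unexpected:
        # Name servers we never configured: the classic hijack symptom
        findings.append(Finding(
            "critical",
            f"{baseline.domain}: unexpected name servers in delegation: "
            f"{sorted(unexpected)}"))
    if missing:
        findings.append(Finding(
            "high",
            f"{baseline.domain}: expected name servers missing from "
            f"delegation: {sorted(missing)}"))
    return findings


def check_registry_lock(baseline, rdap_record):
    """Flag a domain whose RDAP status lacks the registry-lock statuses."""
    if not baseline.require_registry_lock:
        return []
    statuses = {s.lower() for s in rdap_record.get("status", [])}
    missing = REGISTRY_LOCK_STATUSES - statuses
    if missing:
        return [Finding(
            "medium",
            f"{baseline.domain}: registry lock incomplete, missing "
            f"statuses: {sorted(missing)}")]
    return []


def audit_domain(baseline, observed_ns, rdap_record):
    """Run both checks; an empty list means the domain looks as expected."""
    return (check_delegation(baseline, observed_ns)
            + check_registry_lock(baseline, rdap_record))


# Constructed sample data (hypothetical domain and name servers).
BASELINE = DomainBaseline(
    "example.com", frozenset({"ns1.example.com.", "ns2.example.com."}))
NORMAL_NS = ["ns1.example.com", "NS2.EXAMPLE.COM."]
HIJACKED_NS = ["ns1.attacker-controlled.invalid.",
               "ns2.attacker-controlled.invalid."]
# Only a client-side transfer lock: a compromised registrar account can
# still change the delegation.
UNLOCKED_RDAP = {"ldhName": "EXAMPLE.COM",
                 "status": ["client transfer prohibited"]}
LOCKED_RDAP = {"ldhName": "EXAMPLE.COM",
               "status": ["client transfer prohibited",
                          "server update prohibited",
                          "server transfer prohibited",
                          "server delete prohibited"]}

if __name__ == "__main__":
    for label, ns, rdap in (("healthy", NORMAL_NS, LOCKED_RDAP),
                            ("hijacked", HIJACKED_NS, UNLOCKED_RDAP)):
        print(f"== {label} ==")
        for f in audit_domain(BASELINE, ns, rdap) or [Finding("info", "ok")]:
            print(f"[{f.severity}] {f.message}")
```

The delegation check is the one that would have fired in the incident described above, since the attackers changed the name servers rather than any record inside LeaseWeb's own zone; querying the parent zone directly, rather than a recursive resolver, avoids the caching delay the article mentions. The lock check is a standing-configuration check and only needs to run when the RDAP record changes.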


Stories by Lucian Constantin
