Hackers try to hijack Facebook, other high profile domains through domain registrar

Some registration information for facebook.com was changed, but the domain was not redirected to an unauthorized server

The Syrian Electronic Army (SEA), a group of hackers who have made a habit of hijacking high-profile domain names, managed to change the domain registration information for Facebook.com, but failed to redirect the domain to a different server.

The hackers posted screen shots Thursday on Twitter from what appeared to be the administration panel of a San Francisco-based company called MarkMonitor that manages domain names on behalf of large enterprises. The company's services focus on online brand protection and anticounterfeiting.

MarkMonitor's domain management service "ensures domains are safe with a 'hardened' portal and a full suite of premium security solutions, including advanced security measures at the registrar level -- and, security services to lock domains down to the registry level," the company's website says.

It seems that SEA targeted MarkMonitor in order to attack Facebook in particular as the company celebrated its 10th anniversary Tuesday. The group used the MarkMonitor control panel to modify the WHOIS information for facebook.com, changing the domain's contact address to Damscus, Syria.

The hackers failed to modify the domain's DNS (domain name system) settings and point the website to a server under their control, as they did in the past with the domain names of other companies. That's because facebook.com has a registry lock in place, a feature that requires additional human-based verification at the registry level for making changes to a domain name. The registry for the .com TLD zone is VeriSign.

It's not clear how SEA obtained access to the MarkMonitor control panel, but from other screen shots published by the hackers, the panel also gave them access to the domain names of Amazon, Google, Yahoo and many other well-known companies from different industries.

Domain whois queries for amazon.com, google.com and yahoo.com all show MarkMonitor as the registrar, but like facebook.com, all of those domain name have the "clientUpdateProhibited" flag which indicates the presence of a registry lock. This means SEA wouldn't have been able to hijack those domain names either.

MarkMonitor, which is owned by Thomson Reuters, did not immediately respond to an inquiry seeking more information about the attack.

Facebook declined to comment, but its domain's whois information was quickly corrected following the incident.

SEA's modus operandi involves launching spear phishing attacks against employees of the companies they target in order to obtain sensitive credentials. Spear phishing is a targeted form of phishing, which involves tricking people into divulging their login information or installing malicious software.

In August the hacker group used phishing to compromise a reseller account at an Australian domain registrar and IT services company called Melbourne IT. The hackers used the account to change the name server records for several domains including nytimes.com, sharethis.com, huffingtonpost.co.uk, twitter.co.uk and twimg.com.

Last month they managed to post rogue messages on the official Microsoft and Office blog sites after first gaining access to the email accounts of some of the company's employees.

SEA normally hijacks domain names in order to deface the websites they target and display pro-Syria messages to their visitors, as group publicly supports Syrian President Bashar al-Assad and his government. However, this kind of attack can also be used for more nefarious purposes. Instead of political messages, attackers could display a phishing page to steal user credentials or serve exploits to infect computers with malware.

Security experts repeatedly advised companies to protect their domain names by putting registry locks in place for them. VeriSign offers this service for domain names in the .com, .net, .tv, .cc and .name TLD zones.

Join the CSO newsletter!

Error: Please check your email address.

Tags amazonVeriSignonline safetyThomson ReuterssecurityMarkMonitorAccess control and authenticationFacebookintrusionYahooGoogle

More about Amazon Web ServicesFacebookGoogleMelbourne ITMicrosoftReuters AustraliaThomsonThomson ReutersVeriSign AustraliaYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts