• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

SonicWall warns customers to reset credentials after MySonicWall backups were exposed

 | 

CVE-2025-10585 is the sixth actively exploited Chrome zero-day patched by Google in 2025

 | 

Jaguar Land Rover will extend its production halt into a third week following a cyberattack

 | 

China-linked APT41 targets government, think tanks, and academics tied to US-China trade and policy

 | 

Microsoft and Cloudflare teamed up to dismantle the RaccoonO365 phishing service

 | 

DoJ resentenced former BreachForums admin to three years in prison

 | 

Apple backports fix for actively exploited CVE-2025-43300

 | 

New supply chain attack hits npm registry, compromising 40+ packages

 | 

Cybercrime group accessed Google Law Enforcement Request System (LERS)

 | 

China-linked Mustang Panda deploys advanced SnakeDisk USB worm

 | 

Insider breach at FinWise Bank exposes data of 689,000 AFF customers

 | 

Hackers steal millions of Gucci, Balenciaga, and Alexander McQueen customer records

 | 

Fairmont Federal Credit Union 2023 data breach impacted 187K people

 | 

UK ICO finds students behind majority of school data breaches

 | 

INC ransom group claimed the breach of Panama’s Ministry of Economy and Finance

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 62

 | 

Security Affairs newsletter Round 541 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

ShinyHunters Attack National Credit Information Center of Vietnam

 | 

FBI warns of Salesforce attacks by UNC6040 and UNC6395 groups

 | 

HybridPetya ransomware bypasses UEFI Secure Boot echoing Petya/NotPetya

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Domain Hijacking – An Invisible and Destructive Threat We Should Watch For

Domain Hijacking – An Invisible and Destructive Threat We Should Watch For

Pierluigi Paganini October 26, 2016

The Morphus Labs warns about another major threat, the domain hijacking incident, a threat that can completely subvert your information security strategy.

The Morphus Labs warns this week about another major threat. Renato Marinho and Victor Pasknel treated a domain hijacking incident, a threat that can completely subvert your information security strategy. They give details in this article how the incident was handled and how we can prevent similar scenarios.

  1. Introduction

It’s Saturday morning and you, the CSO of a huge company, start to receive messages from various sources, including press, informing that all of your organization Internet addresses are getting visitors to fake websites offering malicious content in form of fake security modules and/or updates.

What appeared to be a website defacement attack, turned out to be something much worse. In examining more closely, you realize that cybercriminals did, in fact, the kidnapping of the entire organization domain and directed all addresses to fake websites aiming to steal information from your customers and spreading malicious code. The worst thing is that there was no action that depended exclusively on you to solve the problem immediately.

In this article, we describe the incident response to the scenario described above and how this threat, being capable to subvert your entire strategy and security investment, can be mitigated with very simple actions.

  1. Domain Name System (DNS) basics

To better understanding what happened, it’s important to understand some basic DNS concepts. If you are familiar with this subject, just jump to section 3.

DNS stands for Domain Name System and works as a foundation for the Internet . All addresses names we use daily to reach Websites and other Internet services have to be translated to IP (Internet Protocol); the translation or resolution process between an internet address name and IP address is the main role of  DNS Servers.

DNS Servers work as a hierarchy of sorts, where the resolution requests are passed through it to the right server that is in charge of resolving the names for a certain domain, is reached. The root of this hierarchy, that is the invisible domain dot (“.”) in the end of any Internet address, is controlled by a group of DNS Servers distributed in different places around the world. Those root DNS Servers have to know the IP address of the DNS Servers that are in charge of all Top Level Domains (TLD), like the “.com”. The “.com” DNS servers in turn, have to know the IP address of the DNS Servers that are in charge of your company’s domain name, like “yourdomain.com” and so on.

For example, when someone asks for “www.yourdomain.com.”, the request reaches the root servers (“.”) that in turn, reaches the “.com” servers, that in turn, reach your company’s DNS servers, that finally resolves the address “www” and return the correct IP address.

The TLDs are controlled and managed by registry operators, also called Network Information Center (NIC). The registry operators manage the registration of domain names within the domains for which they are responsible. So, the “.com” registry operator is the organization that will hold the configuration of the DNS Servers IP addresses that are in charge of resolving the IP address of a domain like “yourcompany.com”.

Domain Hijacking

  1. Domain Hijacking

For you to register or manage a domain in any registry operator, you have to previously create an account (basically, username and password) on their web portal. This account will be used to manage the IP addresses of the DNS Servers that will point to the IP addresses of your website or e-mail servers.

Note that the access credentials to the portal operator are extremely sensitive information. Someone malicious in possession of such information would be able to change any configuration of your domains, including IP addresses of the DNS servers. In short, could hijack the Internet Domain of your company and target websites and emails to any address he wanted.

In the incident we treated at Morphus Labs, that’s exactly what happened. The bad actors  stole the registry operator’s credentials and changed the primary and secondary DNS servers configuration pointing them to the criminals’ ones. After that, all the company’s customers were directed to a fake company website to download malicious content they were suggested by the fake content. We can imagine what the criminals’ strategy was had they had success spreading their malware.

Needless to say, the crooks changed the password after gaining access to the portal. In other words, they hijacked the domain and made the recovery dependable of the registry operator. “Manual” account recover is usually not easy nor fast.

  1. The Incident Response

Unlike the majority of cyber incidents, you have almost nothing to do in your infrastructure itself to revert the situation, like recovering backup or configurations. Like what happened in this incident, all servers were intact.

Read the full article: https://www.linkedin.com/pulse/domain-hijacking-invisible-destructive-threat-we-should-marinho

And works as the foundation of the internet “ou” and works as a foundation for the internet.

Please, revise if the meaning was kept.

Bad actors? Is this expression clear to the reader?

[adrotate banner=”9″]

About the Author:

Renato Marinho

Edited by Pierluigi Paganini

(Security Affairs – Domain Hijacking, cybercrime)


facebook linkedin twitter

you might also like

Pierluigi Paganini September 18, 2025
SonicWall warns customers to reset credentials after MySonicWall backups were exposed
Read more
Pierluigi Paganini September 18, 2025
Jaguar Land Rover will extend its production halt into a third week following a cyberattack
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    SonicWall warns customers to reset credentials after MySonicWall backups were exposed

    Data Breach / September 18, 2025

    CVE-2025-10585 is the sixth actively exploited Chrome zero-day patched by Google in 2025

    Uncategorized / September 18, 2025

    Jaguar Land Rover will extend its production halt into a third week following a cyberattack

    Security / September 18, 2025

    China-linked APT41 targets government, think tanks, and academics tied to US-China trade and policy

    APT / September 17, 2025

    Microsoft and Cloudflare teamed up to dismantle the RaccoonO365 phishing service

    Cyber Crime / September 17, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT