\n
![\"Picture](\"\/wp-content\/uploads\/how-scammers-hijack-major-brands-figure-1.png\")
<\/p>\n
\n<\/p>\n
Picture 1: Search results for English Premier League soccer game<\/p>\n
If you\u2019re a fan of English Premier League soccer and didn\u2019t have an easy way to watch the Liverpool-Wolverhampton match on February 16, you may have run across the ads above. And the more observant among you may have wondered, \u201cWhy is the U.S. Center for Disease Control and Prevention (CDC) providing helpful hints on watching the match live?\u201d<\/p>\n
The short answer is that they weren\u2019t. The links above took you into a morass of malware and malicious content, including scam, scareware and fake dating sites. But why would the CDC\u2014the United States\u2019national public health agency\u2014do such a thing? Surely their remit hasn\u2019t changed that much!<\/p>\n
Of course it hasn\u2019t. But maybe the best question\u2014and the one nearest and dearest to our hearts\u2014is what this all has to do with DNS.<\/p>\n
That\u2019s what we\u2019ll look at in this article: how threat actors were able to capitalize on poor DNS hygiene by the CDC to make malicious content available under the auspices of a trusted organization.<\/p>\n
First, we need to look at how content from content delivery networks (CDNs) is accessed\u2014for example, how it\u2019s embedded in websites. Most big websites load lots of content from CDNs: It\u2019s how everything from graphics and videos to annoying ads are delivered quickly and efficiently to your browser.<\/p>\n
A common way to embed CDN content is to refer to it by a domain name in your namespace, which is an alias for a domain name in the CDN\u2019s namespace. <\/p>\n
A DNS lookup for ahbazuretestapp.cdc.gov<\/strong><\/span> may give the below results:<\/p>\n Picture 2: DNS lookup for ahbazuretestapp.cdc.gov<\/span><\/p>\n It\u2019s a good guess that the domain name ahbazuretestapp.cdc.gov<\/strong><\/span> represents a CDC Azure test app of some kind.<\/p>\n This is all well and good. Now let\u2019s say the CDC decommissions their Azure test app and stops paying Microsoft to host it (Picture 3: Decommissioning). Microsoft then removes the second CNAME record, linking the target of the old CDC alias to their CDN infrastructure. But the CDC neglects to delete the old ahbazuretestapp.cdc.gov<\/strong><\/span> CNAME record. <\/p>\n A malicious actor can now use their account with the same CDN (Picture 3: Actor steps in) to create new content that uses the same domain name as the target of the CDC\u2019s alias, ahbdotnetappwithsqldb.azurewebsites.net<\/strong><\/span>, thereby gaining control of the content that the CDC\u2019s alias points to. <\/p>\n Picture 3: Dangling CNAME Records: How actors abuse legit domains. <\/p>\n But wait\u2014this may not seem like a real security risk. After all, the CDC has presumably removed references to the Azure test app from their websites (or wherever). There\u2019s no way for an unassuming user to reach the malicious content! <\/p>\n Indeed, but there is: Google and other search engines<\/strong> can still search and index the content and add it to their results (4). And that\u2019s exactly what those Liverpool and Wolverhampton fans saw. <\/p>\n Picture 4: Malicious content with high reputation CDC domain found by search engine. <\/p>\n Why would our malicious actor bother? Because they want to capitalize on the reputation of the CDC. Results from an authoritative source like the CDC will naturally percolate to the top of a search engine\u2019s results. That means users are much more likely to access the malicious advertisements, and that much more likely to believe it\u2019s genuine. Our malicious actor is trading off the CDC\u2019s good name. <\/p>\n There are several other ways for a malicious actor to abuse his control of the CDC\u2019s domain name. They could:<\/p>\n It\u2019s natural to wonder who our malicious actor is. Clearly, it\u2019s someone\u2014or some organization\u2014clever enough to identify dangling CNAME records and to know how to exploit them.<\/p>\n We visited many URLs that used these compromised domain names. Most led to malicious content delivered through a traffic distribution system (TDS) hiding the malicious advertiser\u2019s identity. We were asked to click \u201cAllow\u201d to watch a video, but instead of showing the video, we were redirected to a scam website offering scareware or a fake dating service, or in some cases distributing malware.<\/p>\n Picture 5: Malicious content presented by the actor<\/p>\n The TDS appears to be a Russian actor that advertises on the Dark Web. Not much is known about them. Interestingly, the malicious actor also seems to use Sitting Ducks attacks, which we\u2019ve previously covered<\/strong><\/a>. <\/p>\n The best way to safeguard against having your namespace fall victim to this vulnerability is to clean up those old CNAME records.1<\/sup> Deleting unused CNAME records eliminates the possibility of someone assuming control of the targets of those CNAME records and masquerading as your organization.<\/p>\n Many of these unused CNAME records are dangling\u2014that is, they point to nonexistent domain names, at least until our malicious actor notices them and commandeers the target domain names for themselves. Fortunately, identifying dangling CNAME records is relatively straightforward:<\/p>\n Equally important is preventing your users from visiting these compromised domain names. Since the malicious actors point these domain names to TDSs, Protective DNS is an ideal mechanism for blocking them. Infoblox provides threat feeds that enable your DNS infrastructure to block the resolution of domain names through TDSs and Infoblox Threat Defense\u2122 blocks their resolution in the cloud.<\/p>\n To learn more about Infoblox Threat Intelligence Research visit https:\/\/www.infoblox.com\/threat-intel\/<\/strong><\/a>.<\/p>\n![\"Picture](\"\/wp-content\/uploads\/how-scammers-hijack-major-brands-figure-2.png\")
<\/p>\n\n
The Dangers of Poor DNS Hygiene<\/h3>\n
![\"Picture](\"\/wp-content\/uploads\/how-scammers-hijack-major-brands-figure-3-v3.png\")
<\/p>\n![\"Picture](\"\/wp-content\/uploads\/how-scammers-hijack-major-brands-figure-6-v2.png\")
<\/p>\n\n
Who Is Our Malicious Actor?<\/h3>\n
\n![\"Figure](\"\/wp-content\/uploads\/how-scammers-hijack-major-brands-figure-4a.png\")
\n![\"Figure](\"\/wp-content\/uploads\/how-scammers-hijack-major-brands-figure-4b.png\")
\n![\"Figure](\"\/wp-content\/uploads\/how-scammers-hijack-major-brands-figure-4c.png\")
\n<\/div>\nProtecting Yourself<\/h3>\n
\n