Hacked Go Daddy Sites Infecting Users With Ransomware
Users are getting infected with ransomware thanks to criminals managing to hack the DNS records of Go Daddy hosted websites.
That’s not welcome news for the world’s largest domain name registrar, especially so soon after the recent denial of service attack.
To understand how these attacks work, a short primer on DNS is required.
In a nutshell, DNS provides a system where computers on a network (the internet) can be referenced by a user-friendly name. These names are known as hostnames, and DNS translates them into what is known as an IP address.
A key feature of DNS is that changes can be made and applied very rapidly, allowing resources to be moved between machines/networks/locations without affecting end users. The hostnames remain constant, and DNS handles any changes in the IP address as the resources move.
In this current spate of attacks, criminals are exploiting DNS by hacking the DNS records of sites, adding one or more additional subdomains with corresponding DNS entries (A records) referencing malicious IP addresses. The legitimate hostname resolves to the legitimate IP address, but the added sub-domains resolve to rogue servers.
This enables the attackers to use legitimate-looking URLs in their attacks, which can help to evade security filtering and trick users into thinking the content must be safe.