Hosting provider LeaseWeb became the latest high-profile company to have its domain name taken over by attackers, highlighting that DNS (Domain Name System) hijacking is a significant threat, even to technically adept businesses.
For a short time on Saturday, leaseweb.com, the company's main website, was redirected to an IP address that wasn't under its control. This was the result of a so-called DNS hijacking attack in which attackers managed to change the authorized name servers for the company's domain name.
Due to the way DNS records get propagated through Internet servers and the fact that some DNS resolvers cache the records for a longer time than others, not all users were affected by the incident.
However, those users who were impacted and attempted to visit the company's website were redirected to a Web page crediting a hacker group called KDMS Team for the attack.
The rogue page contained messages from the hackers, including "what are you is a hosting company with no security" and "we owned all of your hosted sites."
"Our security investigation so far shows that no domains other than leaseweb.com were accessed and changed," LeaseWeb said in a blog post Sunday after resolving the issue. "No internal systems were compromised. One of the security measures we have in place is to store customer data separately from any publicly accessible servers; we have no indication that customer data was compromised as a result of this DNS hijack."
LeaseWeb is a large provider of public cloud, private cloud, dedicated hosting, colocation and content delivery services with subsidiaries in the U.S., Germany and the Netherlands. It has over 15,000 customers that range from small businesses to large enterprises and claims to manage almost 4 percent of global IP traffic.
LeaseWeb is still investigating how attackers managed to change the DNS records for its domain name, but it appears that they gained access to the domain administrator password at the domain registrar from which LeaseWeb bought its domain.
Spear phishing might have been a part of the attack, but at this point the investigation is ongoing so there's no definitive answer, Alex de Joode, senior legal counsel of LeaseWeb, said Monday via email.
Because of this attack, emails sent to @leaseweb.com addresses while the rogue DNS records were in place did not reach the company's email server. The rogue Web server where the domain was pointed by the attackers did not have email service configured, so no email messages were compromised, de Joode said.
There's also no indication the rogue Web page served malware or was used to steal credentials, he said.
Sign up for CIO Asia eNewsletters.