There has been some speculation that attackers might have exploited a recently disclosed vulnerability in the WHMCS billing and support software to pull off the attack. This software is particularly popular with Web hosting companies.
LeaseWeb itself doesn't use WHMCS, but the company doesn't know if the software is used by its domain registrar, de Joode said.
"We took immediate measures to prevent a repeat of this incident in the short term," he said. "We will also update our security policies for domains based on the results of the current investigation."
Defacing websites by hijacking the DNS records for their domain names in order to redirect them to rogue Web servers is a popular technique among hackers. Attackers usually gain access the domain administrator panel by phishing the log-in credentials from an authorized user or by tricking domain registrar employees to reset the password for the targeted account.
In August, a hacker group called the Syrian Electronic Army (SEA) used spear phishing to temporarily hijack the nytimes.com, sharethis.com, huffingtonpost.co.uk, twitter.co.uk and twimg.com domain names. SEA publicly supports Syrian President Bashar al-Assad and his government and most of their attacks are a political statement.
LeaseWeb doesn't currently know why it was targeted by Team KDMS, de Joode said.
DNS hijacking can have much more serious consequences than a websites being defaced. Attackers could use this technique to direct users to a phishing version of the website in order to steal their credentials or they could use exploit kits to infect visitors to the rogue Web server with malware.
To prevent rogue modification of DNS records domain owners can ask their registrars to put registry locks in place for their domains. This lock is placed at the registry level — with those companies that administer the .com, .net, .org, and other domain extensions — and makes the modification of DNS records, even when a domain registrar is compromised, much harder.
Sign up for CIO Asia eNewsletters.