Credential Theft and Domain Name Hijacking through Phishing Sites

In early July 2023, JPCERT/CC confirmed a case of domain hijacking in which a domain used in Japan was transferred to another registrar without authorization. This blog post describes the attack case.

Attack overview

Figure 1 shows the attack flow. The attacker first prepared a phishing site and advertised it on search sites as if it were the registrar's site.


Figure 1: the attack flow

The attacker can steal the account name and password (hereafter referred to as the "credential") when a domain administrator accesses the phishing site and enters it there. After the victim enters their credential on the phishing site, they are redirected to the legitimate site in a logged-in state, which makes the phishing very hard to recognize.

The attacker then used the stolen credential to log into the registrar's legitimate site and proceeded to transfer the domain to another registrar. Although the domain administrator had enabled the domain transfer lock feature for the targeted domain, the attacker unlocked it. When the lock is removed, this registrar sends an email to the user's contact email address for confirmation and approval. However, the attacker had also changed the contact email address.
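As an added example that is not part of JPCERT/CC's post, the following Python script compares two RDAP-style snapshots of a domain's registration data and flags the changes that make up the sequence just described: the transfer lock being cleared, the registrant contact email being replaced, the registrar changing, and a transfer event appearing. The records, registrar handles and email addresses are constructed sample data; the field names follow the RDAP JSON layout (status, entities, vcardArray, events).

```python
# Constructed RDAP-style domain records (sample data, not real registry output).
# BASELINE was captured while the domain was healthy; CURRENT is a later poll
# showing the hijacking sequence: lock removed, email replaced, registrar changed.
BASELINE = {
    "status": ["client transfer prohibited", "active"],
    "entities": [
        {"roles": ["registrar"], "handle": "REGISTRAR-A"},
        {"roles": ["registrant"], "vcardArray": ["vcard", [["email", {}, "text", "admin@example.jp"]]]},
    ],
    "events": [{"eventAction": "registration", "eventDate": "2015-01-01T00:00:00Z"}],
}
CURRENT = {
    "status": ["active"],
    "entities": [
        {"roles": ["registrar"], "handle": "REGISTRAR-B"},
        {"roles": ["registrant"], "vcardArray": ["vcard", [["email", {}, "text", "mail@attacker.example"]]]},
    ],
    "events": [{"eventAction": "registration", "eventDate": "2015-01-01T00:00:00Z"},
               {"eventAction": "transfer", "eventDate": "2023-07-02T09:30:00Z"}],
}

def registrar_of(record):
    """Handle of the entity carrying the 'registrar' role, or None."""
    return next((e.get("handle") for e in record.get("entities", [])
                 if "registrar" in e.get("roles", [])), None)

def contact_emails(record, role="registrant"):
    """Email addresses in the jCard of every entity holding the given role."""
    return {p[3] for e in record.get("entities", []) if role in e.get("roles", [])
            for p in e.get("vcardArray", ["vcard", []])[1] if p[0] == "email"}

def has_transfer_lock(record):
    """True if clientTransferProhibited (RDAP or EPP spelling) is present."""
    return any(s.replace(" ", "").lower() == "clienttransferprohibited"
               for s in record.get("status", []))

def hijack_indicators(baseline, current):
    """Findings for each change that matches the hijacking sequence above."""
    findings = []
    if has_transfer_lock(baseline) and not has_transfer_lock(current):
        findings.append("transfer lock removed")
    if contact_emails(current) != contact_emails(baseline):
        findings.append("registrant contact email changed")
    if registrar_of(current) != registrar_of(baseline):
        findings.append(f"registrar changed: {registrar_of(baseline)} -> {registrar_of(current)}")
    for ev in current.get("events", []):
        if ev.get("eventAction") == "transfer" and ev not in baseline.get("events", []):
            findings.append(f"transfer event recorded at {ev.get('eventDate')}")
    return findings
```

Run periodically against fresh RDAP output for your own domains and alert on any non-empty result; the lock check alone catches the first step of the sequence before a transfer completes.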

Measures that can be taken in advance

The following actions are recommended to prevent the attacks described above:

  • Do not assume that the link displayed on the search site is correct. Instead, access the site from a confirmed official application or a URL that you have bookmarked in your web browser
  • Use the security features provided by the site (e.g., two-factor authentication)
  • Avoid simple passwords and do not reuse the same password across services

References

[1] Council of Anti-Phishing Japan: What is Phishing? (Japanese)

[2] Council of Anti-Phishing Japan: Anti-phishing Fraud Guidelines for Users (PDF) (Japanese)

[3] JPCERT/CC: STOP! Reusing Password! (Japanese)

It is also recommended to regularly check the information published by the service provider you use, as they may add new security features to their site in response to changes in attackers' TTPs.

Measures that can be taken after domain name hijacking is done

If you become a victim of domain name hijacking and notice that your domain has been transferred without your authorization, contact the registrar you use to manage the domain.

References

[1] ICANN: Registrar Transfer Dispute Resolution Policy

[2] JPCERT/CC: Publishing a technical document summarizing DNS abuse techniques (Japanese)

In Closing

Unauthorized transfer of a domain has a significant impact on the site operating under the domain as well as on the users browsing it. In addition, depending on the situation, it may take some time to get the domain name back, and in the worst case it may never be returned. Therefore, for the services you are currently using, please check the security settings of your accounts to prevent such attacks in advance.

Tetsuya Mizuno

(Translated by Takumi Nakano)


Originally published by Tetsuya Mizuno (水野 哲也): Credential Theft and Domain Name Hijacking through Phishing Sites