Credential Theft and Domain Name Hijacking through Phishing Sites

In early July 2023, JPCERT/CC confirmed a case of domain hijacking in which a domain used in Japan was transferred to another registrar without the owner's authorization. This blog post describes the attack case.

Attack overview

Figure 1 shows the attack flow. The attacker first prepared a phishing site posing as a registrar and advertised it through search-site advertisements.


Figure 1: the attack flow

An attacker can steal the account information and password (hereafter referred to as the "credential") when a domain administrator accesses the phishing site and enters the credential. After the victim enters their credential on the phishing site, they are redirected to the legitimate site in a logged-in state, which makes the phishing difficult to recognize.

The attacker then used the stolen credential to log into the registrar's legitimate site and proceeded to transfer the domain to another registrar. Although the domain administrator had enabled the domain transfer lock feature for the targeted domain, the attacker unlocked it. During unlocking, this registrar sends an email to the user's contact email address for confirmation and approval. However, the attacker had also changed the contact email address.

Measures that can be taken in advance

The following actions are recommended to prevent the attacks described above:

  • Do not assume that the link displayed on the search site is correct. Instead, access the site from a confirmed official application or a URL that you have bookmarked in your web browser
  • Use the security features provided by the site (e.g., two-factor authentication)
  • Avoid simple passwords or using the same password repeatedly

References

[1] Council of Anti-Phishing Japan: What is Phishing?

    https://www.antiphishing.jp/consumer/abt_phishing.html (Japanese)

[2] Council of Anti-Phishing Japan: Anti-phishing Fraud Guidelines for Users (PDF)

    https://www.antiphishing.jp/report/consumer_antiphishing_guideline_2023.pdf (Japanese)

[3] JPCERT/CC: STOP! Reusing Password!

    https://www.jpcert.or.jp/pr/stop-password.html (Japanese)

It is also recommended to regularly check the information published by the service provider you are using, as they may offer new security features on their site in response to changes in attackers' TTPs.

Measures that can be taken after domain name hijacking is done

When you become a victim of domain name hijacking and notice that your domain has been transferred without your authorization, contact the registrar you use to manage the domain.
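Noticing an unauthorized transfer early matters, and the changes made in this case (transfer lock removed, registrar changed, registrant contact e-mail changed) are all visible in the domain's public RDAP record. The following Python check is an added example, not code from JPCERT/CC or the original post; it compares an RDAP record with a known-good baseline, and the RDAP response, registrar names and e-mail addresses are constructed placeholders so that it runs offline.

```python
# Added example (not JPCERT/CC's code): compare a domain's RDAP record with a
# known-good baseline to catch the changes made in the attack described above:
# transfer lock removed, registrar changed, registrant contact e-mail changed.
# A real check would fetch https://rdap.org/domain/<name>; the RDAP response
# below is constructed with placeholder values so the script runs offline.
import json

BASELINE = {  # what the legitimate administrator expects (constructed values)
    "registrar": "Example Registrar, Inc.",
    "registrant_email": "admin@example.jp",
    "transfer_lock": "client transfer prohibited",  # RDAP spelling of the EPP status
}

# Constructed RDAP-style response modelling the post-compromise state.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain", "ldhName": "example.jp",
    "status": ["client delete prohibited"],  # transfer lock no longer present
    "entities": [
        {"roles": ["registrar"], "vcardArray": ["vcard", [
            ["version", {}, "text", "4.0"], ["fn", {}, "text", "Other Registrar LLC"]]]},
        {"roles": ["registrant"], "vcardArray": ["vcard", [
            ["version", {}, "text", "4.0"], ["email", {}, "text", "attacker@example.net"]]]},
    ],
})

def _vcard_field(entity, name):
    """Return the first vCard property value with the given name, or None."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == name:
            return prop[3]
    return None

def check_domain(rdap_json, baseline):
    """Return a list of findings; an empty list means the record matches the baseline."""
    rec = json.loads(rdap_json)
    findings = []
    if baseline["transfer_lock"] not in rec.get("status", []):
        findings.append("transfer lock missing")
    for ent in rec.get("entities", []):
        roles = ent.get("roles", [])
        if "registrar" in roles and _vcard_field(ent, "fn") != baseline["registrar"]:
            findings.append("registrar changed: %s" % _vcard_field(ent, "fn"))
        if "registrant" in roles and _vcard_field(ent, "email") != baseline["registrant_email"]:
            findings.append("registrant e-mail changed: %s" % _vcard_field(ent, "email"))
    return findings

if __name__ == "__main__":
    for finding in check_domain(SAMPLE_RDAP, BASELINE):
        print("ALERT:", finding)
```

Run it on a schedule against the live RDAP record and alert on any non-empty result; registrant data is often redacted in public RDAP, in which case the e-mail comparison should be done against the registrar's account settings instead.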

References

[1] ICANN: Registrar Transfer Dispute Resolution Policy

    https://www.icann.org/resources/pages/tdrp-2016-06-01-en

[2] JPCERT/CC: Publishing a technical document summarizing DNS abuse techniques

    https://blogs.jpcert.or.jp/ja/2023/07/DNS-Abuse-Techniques-Matrix.html (Japanese)

In Closing

Unauthorized transfer of a domain has a significant impact on the site operating under the domain as well as on the users browsing it. In addition, depending on the situation, it may take some time to get the domain name back, and in the worst case it may never be returned. Therefore, for the services you are currently using, please check the security measures on your account in advance to prevent such attacks.

Tetsuya Mizuno

(Translated by Takumi Nakano)

Original article by Tetsuya Mizuno (水野 哲也): Credential Theft and Domain Name Hijacking through Phishing Sites

Reposted on CTF导航 by admin on 11 November 2023, 2:53 PM.
