DNS Hijacking With Just One Mail

ISP, Security 18 comments

HijackedThis is not new but it still happens in 2014… Hijacking a website with just a small e-mail. Here are the facts. For a while, I’m hosting a friend’s website. His website is quite old and it already moved from servers to servers depending on my deployed infrastructure. A few weeks ago, I notified my friend that a new change should occur asap: The website will be moved (again) to another IP address. Since the last server change, the domain name also moved and is now hosted by an ISP. My friend trusted me and suggested to contact directly the ISP. In this case, the ISP was the registrar and hosting the zone on its DNS servers at the same time! I followed the procedure and contacted the registrar as mentionned on dns.be:

DNS Technical Contacts

I took a deep breath and sent an e-mail to <dnsmaster@belgacom.be> explaining the situation:

From: <me>
To: <dnsmaster@belgacom.be>
Cc: <my-friend>
Subject: Change request xxx.be

Dear DnsMaster,
A friend of mine is hosting his website on my server (xxx.be). I would like to move the
website to a new server. This change implies a new IP address for this host:

 IN A x.x.x.x
 IN AAAA x:x:x:x:x:x

Could you please implement those changes? If extra controls are required, you can reach
me on +32 xxx xx xx xx.

Best Regards,
Xavier

I was ready to fight and prove them that my request was legitimate but it happened otherwise. I received a nice auto-reply with some classic commercial content (read: “You are very important to us!“) and a ticket number. Step one completed! I expected to have, at least, another e-mail asking me for more details or a phone call (I gave my mobile number especially for this purpose) but… nothing! This is the timeline of events:

  • 10:50 : Original mail sent (see above)
  • 10:55 : Auto-reply with my ticket number
  • 11:35 : Changes done, ticket closed
  • 11:45 : Testing from a public DNS server (to avoid caching issues) – new IP alive!

In less than one hour, the domain name zone was updated! Scrary! In this case, it was good news for me because I was able to complete the website migration much quicker than expected. But from a security point of view, we are facing some issues:

  • I’m not listed as contact or owner in the domain name administrative information
  • I’m never in contact with the <dnsmaster>, they don’t know me
  • The email sent was a piece of cake to write by a (novice) social-engineering guy
  • No contact was taken with me to confirm the change (and even, as an attacker, I would reply: “Sure, do it!“)

Why spend time to pwn servers, play MitM attacks or poison DNS caches if only one e-mail is good enough to hijack a website?

18 comments

  1. I feel as amazed as Kristof.
    It was quickly and as exactly as you asked.
    That is stunning, so unlike BGC.
    Always be very careful if you ask BGC to do something.
    Normally you won’t know what they have done, who has done it, or when it was done.
    And you will never get another response than the automatic mail.

  2. Pingback: CircleID: DNS Security Should Be One Of Your Priorities (including DNSSEC) | Deploy360 Programme

  3. I’m just impressed that you managed to get an ISP helpdesk to do anything at all. Especially that quickly. They also did exactly what you asked.

    Franky, I find this to be an unlikely story!

  4. A few months ago they accepted requests only if they contained a ‘valid’ from (address from the domain name). It was of course possible to forge a fake address but it was a little bit more secure. However one month later they suppress this condition.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.