The key mechanism in the DNS hijacking attack against the Metasploit and Rapid7 websites is now believed to be the social engineering of an employee at the registrar, Register.com, by a pro-Palestine hacker group calling itself KDMS.
Initial reports indicated that the attack hinged on a spoofed change request faxed to the registrar, but an investigation found that the attackers more likely used social engineering to steal a Register.com employee's login credentials, which were then used to access the registrar's systems and alter the DNS settings for the sites.
“We’re waiting to receive the report from Register.com and we don’t know exactly when we’ll get it (though obviously we’re hoping for it as soon as possible),” Rapid7 told Threatpost. “Once we have the information, we will absolutely share what we can to help educate others so they can protect themselves from the same threats.”
The attackers redirected traffic from the websites to a landing page carrying a politically motivated message about Palestinian liberation.
Because the attackers had gained access to Register.com's systems, other customers of the registrar could be exposed to similar attacks, and they are being advised to check their own DNS records for evidence of redirection.
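A registrar-side hijack changes the delegation for the zone itself, so the check that customers are being advised to make should compare the live NS, A and MX answers against a known-good baseline, and should read the delegation from the parent (.com) servers rather than trusting a recursive resolver's possibly stale cache. The script below is an added example written for this article, not tooling from Rapid7 or Register.com; the zone name, nameserver hosts, attacker hosts and addresses are all constructed placeholders (example.com, example-dns.net, attacker.invalid and RFC 5737 documentation addresses), and the live lookup assumes dig is installed.

```python
"""Check a zone's live DNS answers against a known-good baseline.

Added example, not Rapid7's or Register.com's tooling. All names and
addresses are constructed: example.com, example-dns.net, attacker.invalid
and RFC 5737 documentation addresses stand in for real records.
"""
import subprocess
from typing import Callable, Dict, Set, Tuple

RecordKey = Tuple[str, str]                      # (owner name, record type)
Resolver = Callable[[str, str, str], Set[str]]   # (name, rtype, server) -> rdata set

# Known-good baseline captured while the zone was healthy (constructed values).
BASELINE: Dict[RecordKey, Set[str]] = {
    ("example.com.", "NS"):    {"ns1.example-dns.net.", "ns2.example-dns.net."},
    ("example.com.", "A"):     {"192.0.2.10"},
    ("www.example.com.", "A"): {"192.0.2.10"},
    ("example.com.", "MX"):    {"10 mail.example.com."},
}


def parse_dig_output(text: str, name: str, rtype: str) -> Set[str]:
    """Extract the rdata for name/rtype from `dig +noall +answer +authority` output.

    Reading the AUTHORITY section as well is what lets a referral from the
    parent's (.com) servers yield the delegation NS set, which +short would hide.
    """
    rdata: Set[str] = set()
    for line in text.splitlines():
        fields = line.split()
        if (len(fields) >= 5 and fields[0].lower() == name.lower()
                and fields[2] == "IN" and fields[3] == rtype):
            rdata.add(" ".join(fields[4:]))   # MX keeps "pref host" as one string
    return rdata


def dig_resolver(name: str, rtype: str, server: str = "") -> Set[str]:
    """Live lookup via dig (assumed installed). When `server` is given the query
    is sent there non-recursively, e.g. to a .com server to read the delegation
    the registrar actually published, bypassing any cached answer."""
    cmd = ["dig", "+noall", "+answer", "+authority", name, rtype]
    if server:
        cmd += ["@" + server, "+norecurse"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_dig_output(out, name, rtype)


# Constructed snapshot of what answers look like after a registrar-side hijack:
# delegation moved to attacker nameservers, web hosts pointed at a defacement
# page, and mail records no longer served.
HIJACKED_SNAPSHOT: Dict[RecordKey, Set[str]] = {
    ("example.com.", "NS"):    {"ns1.attacker.invalid.", "ns2.attacker.invalid."},
    ("example.com.", "A"):     {"203.0.113.7"},
    ("www.example.com.", "A"): {"203.0.113.7"},
    ("example.com.", "MX"):    set(),
}


def snapshot_resolver(name: str, rtype: str, server: str = "") -> Set[str]:
    """Offline stand-in for dig_resolver that serves the constructed snapshot."""
    return HIJACKED_SNAPSHOT.get((name, rtype), set())


def check_zone(baseline: Dict[RecordKey, Set[str]], resolver: Resolver,
               server: str = "") -> Dict[RecordKey, Tuple[Set[str], Set[str]]]:
    """Return {(name, type): (unexpected_rdata, missing_rdata)} for every
    baseline entry whose live answer differs from the baseline; an empty
    dict means the zone matches."""
    findings: Dict[RecordKey, Tuple[Set[str], Set[str]]] = {}
    for (name, rtype), expected in baseline.items():
        observed = resolver(name, rtype, server)
        unexpected, missing = observed - expected, expected - observed
        if unexpected or missing:
            findings[(name, rtype)] = (unexpected, missing)
    return findings


if __name__ == "__main__":
    for (name, rtype), (unexpected, missing) in check_zone(BASELINE, snapshot_resolver).items():
        print(f"{name} {rtype}: unexpected={sorted(unexpected)} missing={sorted(missing)}")
    # Live check of the delegation at a .com parent server (needs dig and network):
    # check_zone(BASELINE, dig_resolver, server="a.gtld-servers.net")
```

Run the live variant twice: once against a parent (.com) server with the `server` argument to see the delegation the registrar published, and once against your own authoritative servers with no server set, so a swap at the registrar shows up even while recursive resolvers are still serving cached pre-hijack answers. The DNS check does not cover the registrar account itself; the registrant contact details and the lock status shown by WHOIS should be reviewed in the same pass.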