
ICANN and IANA’s domains hijacked

By David Cawley | 3 minute read

I’ve been following the blog posts of security consultant Dancho Danchev for quite a while. I don’t usually have an opportunity to mention his posts as this is an Anti-Spam blog and for the most part I try to keep my posts on topic. For example, a few weeks ago he mentioned a Comcast DNS hijack with some speculation of what may have happened. The attackers claimed they accessed Comcast’s DNS account through a combination of Social Engineering and a technical hack. It sounds like a phone call, e-mail or fax could have been used to socially engineer some data. I’m not sure which technical hack was used but I’m hoping the registrars protect against brute force login attempts!

Following the attack, ICANN (Internet Corporation for Assigned Names and Numbers), the body responsible for managing the assignment of domain names and IP addresses, published a security advisory with recommendations on how to avoid these types of attacks. I took a very quick look at the document and found it a little strange – take the following paragraph:

The attacker can add or modify the following records in the domain zone data he controls:

• MX, to point to mail hosts under his control and use these to send spam. Using the registrant’s domain is preferable over a domain the attacker could register directly because in many cases, the registrant’s domain is “trusted” by other mail systems; i.e., it has no history of originating or reputation for relaying spam and is not blocklisted or otherwise blocked from forwarding email.

Surely the most obvious attack would be to change the MX record to point to a mail host under the attacker’s control so that confidential inbound e-mail could be captured? I’m not entirely sure how they claim this would be used to send spam; perhaps in the case of a large e-mail provider, where the outbound mail server would use MX records to validate who can relay. However, for most companies this would not be the case.

It doesn’t even mention the TXT record, which could be another attack vector. The attacker could add one of their own IP addresses to the SPF record. This would allow them to forge the domain of the hijacked company and possibly bypass filtering if the domain is on a whitelist.
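Both zone changes discussed above (an MX record redirected to a foreign mail host, and an SPF TXT record widened to authorise an extra sender) are easy to spot if you keep a trusted snapshot of what your zone should publish and diff it against what resolvers currently return. The script below is an added example, not code from the original post or from ICANN; every record value in it is constructed (RFC 5737 documentation ranges and reserved example names).

```python
# Added example (not the original post's code): detect the two zone changes the
# post describes, MX pointed at an attacker's host and an SPF record widened to
# authorise an extra sender, by diffing published records against a trusted
# baseline snapshot. All record values are constructed (RFC 5737 ranges).

BASELINE = {
    "mx": {"mx1.example.com.", "mx2.example.com."},
    "txt": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
}

# Constructed post-hijack answers: one foreign MX host, one extra ip4 in SPF.
OBSERVED = {
    "mx": {"mail.attacker-controlled.example."},
    "txt": [
        "some-verification=constructed-placeholder",  # unrelated TXT, must be ignored
        "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 include:_spf.example.net -all",
    ],
}


def spf_terms(txt_records):
    """Return the set of terms in the zone's SPF record, or an empty set.

    Only a TXT record beginning with 'v=spf1' is SPF (RFC 7208 section 4.5).
    """
    for record in txt_records:
        if record.lower().startswith("v=spf1"):
            return set(record.split()[1:])
    return set()


def check_zone(baseline, observed):
    """Diff MX hosts and SPF terms; return a list of findings (empty means clean)."""
    findings = []
    for host in sorted(observed["mx"] - baseline["mx"]):
        findings.append(f"MX: unexpected host {host} (inbound mail may be captured)")
    for host in sorted(baseline["mx"] - observed["mx"]):
        findings.append(f"MX: expected host {host} missing")
    base_spf, obs_spf = spf_terms(baseline["txt"]), spf_terms(observed["txt"])
    for term in sorted(obs_spf - base_spf):
        findings.append(f"SPF: new term {term} authorises additional senders")
    for term in sorted(base_spf - obs_spf):
        findings.append(f"SPF: term {term} removed")
    return findings


if __name__ == "__main__":
    for line in check_zone(BASELINE, OBSERVED) or ["no changes detected"]:
        print(line)
```

In practice the `OBSERVED` dictionary would be filled from a live lookup (for example with a DNS library) on a schedule, so a hijack like the one described here raises an alert within minutes rather than when the first customer complains.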

Embarrassingly, shortly after releasing the advisory ICANN fell victim to such an attack. Both the ICANN and IANA domains had their DNS compromised yesterday so that they pointed to a different site. From an e-mail security perspective these attacks are quite scary – confidential e-mail could be accessed or very real phishing e-mails could be sent.
