Microsoft DNS Hijacked by Spammers
Two Microsoft addresses were used to push pills for a fake online pharmacy.
On Tuesday, The Register reported that internet addresses belonging to Microsoft were used to route traffic to 1,025 unique, fraudulent websites.
Late last week Ronald Guilmette, the managing member of network security software vendor Infinite Monkeys, told The Register that he discovered two hacked Microsoft servers handling the DNS of fraudulent websites--including seizemed.com, yourrulers.com, and crashcoursecomputing.com--since "at least" September 22. The hack was reportedly done by a notorious group of Russian criminals who have hijacked other machines across the globe.
The Register said that it independently verified Guilmette's findings by consulting with other security experts who specialize in DNS and taking down botnets and criminal websites. "By examining results used with an internet lookup tool known as Dig, short for the Domain Information Groper, [other security experts] were able to determine that 220.127.116.11 and 18.104.22.168--which are both registered to Microsoft--are housing dozens of DNS servers that help convert the pharmacy domain names into the numerical IP addresses that host the sites," said The Register in its report.
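The check described above, resolving a suspect domain's nameservers and asking whether their addresses fall inside an organisation's own prefixes, as an added example that is not code from The Register, Guilmette, or Microsoft. The dig output, the domain name and the owned prefix are all constructed (RFC 5737 documentation addresses); in practice the text would come from `dig +noall +answer` runs against the domains of interest.

```python
import ipaddress
import re

# Constructed sample of `dig +noall +answer` output: NS records for a
# suspect domain followed by A records for those nameservers. The domain
# and addresses are made up (RFC 5737 documentation ranges).
SAMPLE_DIG_OUTPUT = """\
pharma-example.test.      3600  IN  NS  ns1.pharma-example.test.
pharma-example.test.      3600  IN  NS  ns2.pharma-example.test.
ns1.pharma-example.test.  3600  IN  A   192.0.2.45
ns2.pharma-example.test.  3600  IN  A   203.0.113.9
"""

# Hypothetical list of prefixes the organisation owns and would not
# expect to see serving DNS for third-party domains.
OWNED_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# owner  TTL  IN  TYPE  rdata (only NS and A records are kept)
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A)\s+(\S+)$")

def parse_dig(text):
    """Return ({domain: [nameserver names]}, {name: [IPs]}) from dig answer lines."""
    ns_by_domain, a_by_name = {}, {}
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, other record types
        owner, rtype, rdata = m.groups()
        if rtype == "NS":
            ns_by_domain.setdefault(owner, []).append(rdata)
        else:
            a_by_name.setdefault(owner, []).append(rdata)
    return ns_by_domain, a_by_name

def nameservers_in_owned_space(text, owned=OWNED_PREFIXES):
    """Map each domain to the (nameserver, IP) pairs that sit inside owned prefixes."""
    ns_by_domain, a_by_name = parse_dig(text)
    hits = {}
    for domain, servers in ns_by_domain.items():
        for ns in servers:
            for ip in a_by_name.get(ns, []):
                addr = ipaddress.ip_address(ip)
                if any(addr in net for net in owned):
                    hits.setdefault(domain, []).append((ns, ip))
    return hits

if __name__ == "__main__":
    for domain, matches in nameservers_in_owned_space(SAMPLE_DIG_OUTPUT).items():
        print(f"{domain}: nameservers inside our address space -> {matches}")
```

A non-empty result means a host in the organisation's address space is answering as authoritative nameserver for a domain it has no business serving, which is the situation the article describes and a prompt to inspect that host.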
According to various reports, the fraudulent websites were pushing Viagra, Human Growth Hormone, and other pharmaceuticals through the Canadian Health&Care Mall, a reportedly fake online pharmacy that doesn't ship genuine products. The group behind the fake pharmacy also allegedly engages in child pornography, identity theft, and rampant spamming.
After The Register's report went live on Tuesday, Microsoft launched an investigation and said the problem was caused by human error. "We have completed our investigation and found that two misconfigured network hardware devices in a testing lab were compromised due to human error," Microsoft said Wednesday in a statement. "Those devices have been removed."
Microsoft added that the hacked network devices run a Linux kernel. "We are taking steps to better ensure that testing lab hardware devices that are Internet accessible are configured with proper security controls," Microsoft said.
In a separate report, security blogger Brian Krebs said that one of the compromised Microsoft computers was also used to launch a denial of service attack on his website. Krebs said that he recognized the Microsoft IP address while reading the original report filed by The Register. The attack began twenty-four hours after he published a report on a criminal online service that sold stolen credit card numbers for less than $2 each.