Microsoft DNS Hijacked by Spammers

On Tuesday, The Register reported that internet addresses belonging to Microsoft were being used to route traffic to 1,025 unique fraudulent websites.

Late last week Ronald Guilmette, the managing member of network security software vendor Infinite Monkeys, told The Register that he had discovered two hacked Microsoft servers handling the DNS of fraudulent websites--including seizemed.com, yourrulers.com, and crashcoursecomputing.com--since "at least" September 22. The hack was reportedly carried out by a notorious group of Russian criminals who have hijacked other machines across the globe.

The Register said that it independently verified Guilmette's findings by consulting with other security experts who specialize in DNS and taking down botnets and criminal websites. "By examining results used with an internet lookup tool known as Dig, short for the Domain Information Groper, [other security experts] were able to determine that 131.107.202.197 and 131.107.202.198--which are both registered to Microsoft--are housing dozens of DNS servers that help convert the pharmacy domain names into the numerical IP addresses that host the sites," said The Register in its report.
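The check The Register's sources describe, resolving each suspect domain's NS records to addresses with dig and asking whether those addresses fall inside a given organization's address space, as an added Python example that is not part of the original report. The dig output and nameserver hostnames are constructed, and the /24 netblock is an assumed placeholder, not a claim about Microsoft's allocations.

```python
import ipaddress
import re

# Constructed sample of `dig +noall +answer` output (not real lookup results):
# NS records for two domains, then A records for each nameserver hostname.
SAMPLE_DIG_OUTPUT = """\
seizemed.com.        3600  IN  NS  ns1.seizemed.com.
seizemed.com.        3600  IN  NS  ns2.seizemed.com.
ns1.seizemed.com.    3600  IN  A   131.107.202.197
ns2.seizemed.com.    3600  IN  A   131.107.202.198
example.org.         3600  IN  NS  ns.example.org.
ns.example.org.      3600  IN  A   192.0.2.53
"""

# One resource record per line: owner, TTL, class, type, rdata.
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A)\s+(\S+)$")

def parse_dig_answer(text):
    """Split dig answer lines into {domain: [ns names]} and {ns name: [addresses]}."""
    ns_by_domain, addr_by_name = {}, {}
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue  # comment lines, blanks and other record types are skipped
        owner, rtype, rdata = m.groups()
        if rtype == "NS":
            ns_by_domain.setdefault(owner, []).append(rdata)
        else:
            addr_by_name.setdefault(owner, []).append(rdata)
    return ns_by_domain, addr_by_name

def nameservers_in_netblock(text, netblock):
    """Return {domain: [(ns name, ip)]} for nameservers whose address is inside netblock.

    A hit for a domain you do not operate means a host in your address space is
    answering authoritative DNS for it, the condition the report above describes.
    """
    net = ipaddress.ip_network(netblock)
    ns_by_domain, addr_by_name = parse_dig_answer(text)
    hits = {}
    for domain, names in ns_by_domain.items():
        for name in names:
            for ip in addr_by_name.get(name, []):
                if ipaddress.ip_address(ip) in net:
                    hits.setdefault(domain, []).append((name, ip))
    return hits

if __name__ == "__main__":  # the /24 is an assumed placeholder, not a known allocation
    print(nameservers_in_netblock(SAMPLE_DIG_OUTPUT, "131.107.202.0/24"))
```

Feeding it real `dig +noall +answer NS <domain>` and `dig +noall +answer A <nameserver>` output for a list of domains turns it into a routine check that nothing in your own ranges has quietly become authoritative for domains you never registered.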

According to various reports, the fraudulent websites were pushing Viagra, Human Growth Hormone, and other pharmaceuticals through the Canadian Health&Care Mall, a reportedly fake online pharmacy that doesn't ship genuine products. The group behind the fake pharmacy also allegedly engages in child pornography, identity theft, and rampant spamming.

After The Register's report went live on Tuesday, Microsoft launched an investigation and said the problem was caused by human error. "We have completed our investigation and found that two misconfigured network hardware devices in a testing lab were compromised due to human error," Microsoft said Wednesday in a statement. "Those devices have been removed."

Microsoft added that the hacked network devices run a Linux kernel. "We are taking steps to better ensure that testing lab hardware devices that are Internet accessible are configured with proper security controls," Microsoft said.

In a separate report, security blogger Brian Krebs said that one of the compromised Microsoft computers was also used to launch a denial of service attack on his website. Krebs said that he recognized the Microsoft IP address while reading the original report filed by The Register. The attack began twenty-four hours after he published a story exposing a criminal online service that sold stolen credit card numbers for less than $2 each.

Comments
  • Too bad it wasn't actually MS. I've been waiting for Windows branded Viagra for some time now.
    19
  • Quote:
    The attack began twenty-four hours after he published a criminal online service that sold stolen credit card numbers for less than $2 each.

    Well serves him right for selling our credit card numbers :)
    -1
  • Quote:
    Microsoft added that the hacked network devices run a Linux kernel. "We are taking steps to better ensure that testing lab hardware devices that are Internet accessible are configured with proper security controls," Microsoft said.

    So... MS engineers/technicians can't configure a Linux machine? That explains a few things security-wise.

    Cheers!
    2