MarkMonitor, a software company that protects commercial brands against online fabrication, fraud, piracy, and cybersquatting, and also develops reports on the occurrence of product exploitation on the web, had recently been exposed to domain hijacking with about 60,000 of their parked domains.
These parked domains of MarkMonitor were reported to be steering towards some pre-planned Amazon S3 bucket addresses. It suggests that there has been a vulnerability in these existing domains’ takeover.
Over 800 root domains were taken over by researchers
A security engineer and cyber bug researcher have recently seen an automation script flagged with hundreds of domains owned by several groups to be exposed and vulnerable to domain hijacking. Some other researchers have gathered to track the source of the said vulnerability to conclude that all these domains were pointing to MarkMonitor.
A domain takeover allows unauthorized personnel to serve the subject of any domain even that they have no authority or ownership to it.
If a certain domain name has a CNAME or canonical name DNS entry that directs to an inactive content host, the domain takeover can occur. This usually transpires when a particular site has never been published or its virtual host was removed from the hosting provider. However, the DNS records of the domain are consistently being pointed to its original host.
A 404 or “page not found” error message page will typically pop up whenever scenarios happen, such as when someone tries to enter the domain. It shows that a domain takeover weakness could occur. From this point, an attacker can take advantage of the domain’s weakness by taking it over so that they can put their own contents to that site where the dangling DNS of the domain is directed to.
As an example, if a domain shows a 404-error page that technically directs to a nonexistent Amazon S3, possibly anyone can claim that page. If someone else has taken over a hanging domain before the original owner acts upon it, then the actor can claim the use of that entire domain and upload anything to it.
And that is what transpired when several researchers have successfully taken over more than 800 root domains.
The researchers who have been working on this issue have reached out to MarkMonitor. However, the latter did not send a message back. Nonetheless, they have eventually noticed that these domains, which show the 404-error page started to show a prompt message on its landing page stating that it is protected and registered under MarkMonitor.
Even though this action could be good news, the researchers worry about the 62,000 parked domains that could have been already hijacked before and used for some phishing scams.
MarkMonitor’s parent company, Clarivate, has sent a statement to the researchers explaining that they initially planned to move their parked pages to the cloud. Their DDoS vendor had momentarily and unexpectedly sent traffic towards some of them MarkMonitor’s parking page service domains. Nonetheless, they claimed that there were no impacted live domains or DNS coming from the issue. They ensure to protect any domains entrusted to them, even those considered as parked domains, and that they follow their best security protocols.
As MarkMonitor updated, the issue’s remediation was done within an hour, including complete detection and investigation.
The researchers have advised all companies to do extra actions in protecting themselves against unwanted parked domain takeovers. They also added that not all parts of the issue should be pointed towards MarkMonitor only and AWS for not being strict with maintaining the S3 buckets.