Microsoft domain name servers hijacked by crime gang

Some of Microsoft’s domain name servers (DNS) have been used to route traffic to over 1,000 fake websites belonging to a Russian crime gang, it has been revealed.

The websites sell fake pharmaceutical products, such as viagra and human growth hormones, but what makes this different from other spam attacks is that they use Microsoft domain name servers to do so.

Ronald F. Guilmette, the researcher who discovered the hijacked DNSes, said that the domains, which are 131.107.202.197 and 131.107.202.198, are registered to Microsoft and have been utilised by these criminals since at least September 22, nearly a month now.

“The important part seems to be some sort of compromise appears to be in play,” said Randal Vaughn, a professor of Information Systems at Baylor University. “It could be an NS compromise, an OS compromise, a rogue customer machine, or something else entirely. In order to get the DNS zones entered in there, they must have pwned the box.”

Researchers believe that a malware infection on a computer at Microsoft’s facilities may be the cause of the problem, giving the gang access to the servers. 

“I’m a paranoid kind of person,” said Guilmette, citing evidence of similar hijacking of domain name servers of large companies in the past. “There’s no other immediately apparent, reasonably plausible explanation for the facts that I’m looking at.”

However, another possibility that was raised is Microsoft deliberately allowing the criminals to host their websites on its DNS so that researchers could monitor their actions and develop appropriate counter-measures. Guilmette was not convinced that this was the case.

The effects of the hijacked addresses means that the spammers can offset some of the costs of their operation and also evade spam filters by being hosted from a genuine domain, allowing the dangerous pharmaceutical scam to reach more people.