Hackers Abuse Domain-Name Trust
Not content with exploiting misspelled domain names, attackers are now tricking security filters into believing their malware is hosted on a trusted domain.
Using variations on trusted, popular domain names has long been a common tactic for scammers, spammers and porn sites. But cyber criminals have devised a new twist on the misspelled-domain trick: hijacking unused IP addresses inside a trusted provider's address space. And they did it with Yahoo's.
To counter the old problem, server-based security products would look up the IP address of the server behind the domain. Once the misspelled domain name had resolved to an IP address, the products would compare that address against a database of known fraudulent sites or questionable locations. So if a site were masquerading as eBay but the filter found it was really a server in China that had only been set up a week earlier, the filter would block access. The weakness is that the verdict rests on the address alone: a name that resolves into address space the filter already trusts is waved through without further scrutiny.
In the Yahoo case, security firm Finjan said the attackers took over an unused IP address within Yahoo's address space and pointed a forged Google Analytics domain name at it. Because the name resolved into Yahoo's address space, Web-filtering products concluded that the user was visiting a highly trusted Yahoo site. The victims never knew they were on a malicious Web site, and neither did the security mechanisms on the network.
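The following toy filter is an added illustration of the two checks described above; it is not Finjan's code, Yahoo's, or any product's. It models the older address-only filter, shows how a forged name pointed at an unused address inside a trusted netblock sails through it, and then adds the checks that close the hole: a trusted block vouches only for names known to be served from it, and near-miss names of trusted domains are blocked wherever they are hosted. All hostnames, addresses (RFC 5737 documentation ranges), registration dates and lookup tables are constructed for the example and stand in for live DNS and WHOIS, so it runs offline.

```python
"""Toy Web filter showing the address-reputation bypass described above.

All data here is constructed for the example: hostnames, addresses (RFC 5737
documentation ranges) and registration dates are hypothetical, and the lookup
tables stand in for live DNS and WHOIS queries so the code runs offline.
"""
import ipaddress
from datetime import date

TODAY = date(2008, 4, 8)    # fixed "now" so the domain-age check is deterministic
NEW_DOMAIN_DAYS = 30        # domains younger than this are treated as suspect

# Stand-in for DNS: hostname -> IPv4 address (constructed).
FAKE_DNS = {
    "www.ebay.com": "203.0.113.10",
    "google-analytics.com": "203.0.113.20",
    "www.ebey.com": "198.51.100.7",           # lookalike hosted at a known-bad address
    "google-analytlcs.com": "203.0.113.250",  # forged name aimed at an unused address
                                              # inside the trusted block (the attack)
    "stats-cdn.example": "203.0.113.251",     # unrelated name parked on another unused one
    "newshop.example": "192.0.2.5",           # week-old domain outside any trusted block
}

# Stand-in for WHOIS: registrable domain -> registration date (constructed).
FAKE_WHOIS = {
    "ebay.com": date(2000, 1, 1),
    "google-analytics.com": date(2000, 1, 1),
    "google-analytlcs.com": date(2008, 4, 2),
    "newshop.example": date(2008, 4, 1),
}

# Hypothetical "trusted provider" block playing the role of Yahoo's address space,
# plus the names the filter knows are legitimately served from it.
TRUSTED_NET = ipaddress.ip_network("203.0.113.0/24")
EXPECTED_HOSTS = {TRUSTED_NET: {"www.ebay.com", "google-analytics.com"}}
KNOWN_BAD_IPS = {"198.51.100.7"}


def resolve(host):
    return FAKE_DNS.get(host)


def domain_age_days(host, today=TODAY):
    registered = FAKE_WHOIS.get(".".join(host.split(".")[-2:]))
    return None if registered is None else (today - registered).days


def ip_only_verdict(host, today=TODAY):
    """The older filter: judge the destination by the address the name resolves to."""
    ip = resolve(host)
    if ip is None or ip in KNOWN_BAD_IPS:
        return "block"
    if ipaddress.ip_address(ip) in TRUSTED_NET:
        return "allow"      # trusted address space is waved through, whatever the name
    age = domain_age_days(host, today)
    if age is None or age < NEW_DOMAIN_DAYS:
        return "block"      # unknown or freshly registered domain in unknown space
    return "allow"


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, expected):
    """Return the trusted name that host is within one edit of, if any."""
    for name in expected:
        if host != name and edit_distance(host, name) <= 1:
            return name
    return None


def hardened_verdict(host, today=TODAY):
    """Judge the name as well as the address.

    A trusted netblock vouches only for names known to be served from it, so a
    forged name pointed at an unused address in that block is blocked, and a
    near-miss of a trusted name is blocked wherever it is hosted.
    """
    ip = resolve(host)
    if ip is None or ip in KNOWN_BAD_IPS:
        return "block"
    all_expected = set().union(*EXPECTED_HOSTS.values())
    if host not in all_expected and lookalike_of(host, all_expected):
        return "block"
    addr = ipaddress.ip_address(ip)
    for net, names in EXPECTED_HOSTS.items():
        if addr in net:
            return "allow" if host in names else "block"
    age = domain_age_days(host, today)
    if age is None or age < NEW_DOMAIN_DAYS:
        return "block"
    return "allow"


def compare(hosts=tuple(FAKE_DNS)):
    """Both verdicts per host, to show where the IP-only filter is fooled."""
    return {h: (ip_only_verdict(h), hardened_verdict(h)) for h in hosts}


if __name__ == "__main__":
    for host, (old, new) in compare().items():
        print(f"{host:24} ip-only={old:5} hardened={new}")
```

Running it shows the two forged names inside the trusted block passing the address-only filter and failing the hardened one, while the legitimate names and the known-bad lookalike get the same verdict from both. The design point is that address reputation answers "is this server trustworthy?" but not "does this server really belong to the name the user typed?"; only a check that ties names to the address space they are expected to occupy answers the second question.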