Sophos researchers are warning that the DNS records of Go Daddy-hosted Web sites were recently hacked, exposing site visitors to ransomware.
"In this current spate of attacks, criminals are exploiting DNS by hacking the DNS records of sites, adding one or more additional subdomains with corresponding DNS entries (A records) referencing malicious IP addresses," writes Sophos' Fraser Howard. "The legitimate hostname resolves to the legitimate IP address, but the added sub-domains resolve to rogue servers."
"By adding several subdomains with corresponding DNS entries that reference malicious IPs, attackers can evade security filtering and trick users into thinking that they’re on a legitimate site," writes Softpedia's Eduard Kovacs. "In this particular case, the rogue servers to which users are redirected host an exploit kit called Cool EK, which is similar to the notorious BlackHole. The exploit kit looks for vulnerabilities in the target system to push the ransomware."
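As an added illustration of the record tampering Howard and Kovacs describe (example code written for this page, not code from Sophos, Softpedia or Go Daddy): the script below parses a constructed BIND-style zone export for the hypothetical domain example.com, in which the apex and www still point at the legitimate server while two added subdomains point elsewhere. It flags any A record that names a host the site owner never created or that resolves outside the site's known address range, and it shows why checking only the bare domain misses the attack. The zone contents, the hostnames, the address ranges and the random-looking labels are all assumptions made for the example.

```python
"""Flag rogue subdomain A records in a DNS zone export.

Added example; the zone data below is constructed and does not come from
Sophos, Go Daddy or any real incident.
"""
import ipaddress
import re

# Constructed zone export for the hypothetical domain example.com (assumption).
# The apex and www resolve to the legitimate server; the last two labels are
# made-up names standing in for attacker-added subdomains.
ZONE_EXPORT = """\
$ORIGIN example.com.
$TTL 3600
@              IN  A   203.0.113.10
www            IN  A   203.0.113.10
mail           IN  A   203.0.113.25
tkkb4ud8ta     IN  A   198.51.100.77
dscr9pvjg2     IN  A   198.51.100.78
"""

# The site's legitimate address space and known hostnames (assumptions).
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
EXPECTED_HOSTS = {"example.com", "www.example.com", "mail.example.com"}

# name [ttl] [IN] A address  -- only A records are considered here.
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)$")


def parse_zone(text):
    """Return (fqdn, address) pairs for every A record in a BIND-style zone."""
    origin = ""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        if line.startswith("$"):                  # $TTL and other directives
            continue
        m = A_RECORD.match(line)
        if not m:
            continue                              # not an A record
        name, addr = m.groups()
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name.rstrip(".")
        else:
            fqdn = f"{name}.{origin}" if origin else name
        records.append((fqdn.lower(), addr))
    return records


def apex_resolves_legitimately(records, origin, known_networks):
    """The check many owners stop at: does the bare domain point where it should?

    In the attack described above this returns True even though the zone has
    been tampered with, because only added subdomains point at rogue servers.
    """
    apex = [ipaddress.ip_address(a) for n, a in records if n == origin]
    return bool(apex) and all(any(ip in net for net in known_networks) for ip in apex)


def find_rogue_records(records, known_networks, expected_hosts):
    """Return (fqdn, address, reasons) for every A record that names an
    unknown host or points outside the site's known address space."""
    rogue = []
    for fqdn, addr in records:
        ip = ipaddress.ip_address(addr)
        reasons = []
        if fqdn not in expected_hosts:
            reasons.append("unexpected hostname")
        if not any(ip in net for net in known_networks):
            reasons.append(f"{addr} outside known networks")
        if reasons:
            rogue.append((fqdn, addr, reasons))
    return rogue


if __name__ == "__main__":
    recs = parse_zone(ZONE_EXPORT)
    print("apex resolves legitimately:",
          apex_resolves_legitimately(recs, "example.com", KNOWN_NETWORKS))
    for fqdn, addr, why in find_rogue_records(recs, KNOWN_NETWORKS, EXPECTED_HOSTS):
        print(f"ROGUE {fqdn} -> {addr}: {', '.join(why)}")
```

Against the constructed zone, the apex check passes while both added subdomains are flagged on two counts each, which is the point of the technique: the site looks healthy if you only resolve the hostname you know. On a real domain the zone would come from the registrar's DNS export or API and the known networks from the hosting provider's published ranges; the comparison logic is the same.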
"Sophos isn’t sure how the attackers were able to access the Go Daddy DNS records, but the security firm speculates that they may have used compromised user credentials (stolen or weak passwords)," writes The Next Web's Emil Protalinski. "Unfortunately, webmasters are unable to check their historical login activity to verify this theory, and Go Daddy is refusing to release such information."