http://arstechnica.com/security/2015/02/attackers-take-control-of-lenovo-com-hijacking-e-mail-and-web-servers/
By Dan Goodin
Ars Technica
Feb 25, 2015
Almost a week after revelations surfaced that Lenovo preinstalled
dangerous ad-injecting software on consumer laptops, attackers took
complete control of the company's valuable Lenovo.com domain name, a coup
that allowed them to intercept the PC maker's e-mail and impersonate its
Web pages.
The hijacking was the result of someone compromising a Lenovo account at
domain registrar Web Commerce Communications and changing the IP address
that Lenovo.com resolves to when people type it into their Web browsers or
e-mail applications. As a result, the legitimate Lenovo servers were
bypassed and replaced with one that was controlled by the attackers. Marc
Rogers, a principal security researcher at content delivery network
CloudFlare, told Ars the new IP address pointed to a site hosted behind
his company's name servers. CloudFlare has seized the customer's account,
and at the time this post was being prepared, company engineers were
working to help Lenovo restore normal e-mail and website operations.
"We took control as soon as we found out (minutes after it happened) and
are now working with Lenovo to restore service," Rogers said. "All we saw
was the domain come in to us, at which point we took immediate action to
protect them and their service."
Rogers went on to say the unknown attackers posted MX mail server records
that allowed them to read e-mail sent to Lenovo employees. The fraudulent
records have since been removed. Rogers' account is consistent with an
image posted by the LizardCircle Twitter account. The image showed an
e-mail sent by an outside PR person to several people inside Lenovo's PR
department.
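The mechanism described above is a change to the records the domain resolves to: the registrar-side delegation, the A record that browsers follow and the MX records that mail servers follow. A check that would have flagged it is a periodic diff of the domain's live answers against a known-good baseline. The following is an added example, not code from the article or from Lenovo or CloudFlare: it parses `dig +noall +answer` style lines into per-type record sets, diffs two captures, and labels each changed type with what an attacker gains from it. The domain, name servers and addresses are constructed for illustration and are not Lenovo's.

```python
# Added example (not from the Ars Technica article): a baseline-vs-observed DNS
# record check of the kind that would have flagged the Lenovo.com hijack.
# All record data below is constructed for illustration; none of it is Lenovo's.
from dataclasses import dataclass, field
from typing import Dict, List, Set

Snapshot = Dict[str, Set[str]]   # {"NS": {...}, "A": {...}, "MX": {...}}

# What an attacker gains by rewriting each record type. The article describes the
# A and MX changes; NS is the registrar-level change that lets them rewrite both.
IMPACT = {
    "NS": "delegation moved, attacker controls the whole zone",
    "A": "web traffic redirected, site can be impersonated",
    "AAAA": "web traffic redirected over IPv6, site can be impersonated",
    "MX": "inbound mail rerouted, e-mail can be read or dropped",
}


def parse_answer(text: str) -> Snapshot:
    """Parse 'dig +noall +answer' lines (NAME TTL CLASS TYPE RDATA) into a snapshot.

    TTLs are dropped and rdata is lower-cased with trailing dots stripped, so
    cosmetic differences between two captures do not show up as changes.
    """
    snap: Snapshot = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # strip dig comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            raise ValueError(f"unexpected record line: {raw!r}")
        rrtype = fields[3].upper()
        rdata = " ".join(f.lower().rstrip(".") for f in fields[4:])
        snap.setdefault(rrtype, set()).add(rdata)
    return snap


@dataclass
class Finding:
    rrtype: str
    added: Set[str] = field(default_factory=set)
    removed: Set[str] = field(default_factory=set)
    impact: str = "record set changed"


def diff_snapshots(baseline: Snapshot, observed: Snapshot) -> List[Finding]:
    """Return one Finding per record type whose rdata set differs from the baseline."""
    findings = []
    for rrtype in sorted(set(baseline) | set(observed)):
        before, after = baseline.get(rrtype, set()), observed.get(rrtype, set())
        if before != after:
            findings.append(Finding(rrtype, after - before, before - after,
                                    IMPACT.get(rrtype, "record set changed")))
    return findings


def report(findings: List[Finding]) -> List[str]:
    """One human-readable line per finding, suitable for a pager or ticket."""
    return [f"{f.rrtype}: {f.impact}; added={sorted(f.added)} removed={sorted(f.removed)}"
            for f in findings]


# Constructed captures: BASELINE is the expected state, OBSERVED mimics the pattern
# in the article (delegation, A and MX all rewritten). Hypothetical names and
# documentation-range addresses only.
BASELINE = """
example.com.   3600  IN  NS  ns1.legit-dns.example.
example.com.   3600  IN  NS  ns2.legit-dns.example.
example.com.    300  IN  A   192.0.2.10
example.com.    300  IN  MX  10 mail.example.com.
"""
OBSERVED = """
example.com.   3600  IN  NS  ns1.attacker-dns.example.
example.com.   3600  IN  NS  ns2.attacker-dns.example.
example.com.    300  IN  A   198.51.100.7
example.com.    300  IN  MX  10 mx.attacker-dns.example.
"""

if __name__ == "__main__":
    for line in report(diff_snapshots(parse_answer(BASELINE), parse_answer(OBSERVED))):
        print(line)
```

To feed it real data, capture the baseline once with `dig +noall +answer <domain> NS` (and likewise for A and MX) and re-run the same queries on a schedule. Two caveats for a production version: in a registrar-level hijack the old authoritative servers keep serving the old records, so the NS check should be made against the parent TLD's delegation rather than through a recursive resolver; and domains fronted by a CDN legitimately return varying A records, so baseline those as the set of addresses seen over time rather than a single answer.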
[...]