- Obsolete DNS records create invisible openings that let criminals distribute malware from legitimate sites
- Hazy Hawk turns poorly configured cloud links into silent redirection traps for fraud and infection
- Victims think they are visiting a real site, until popups and malware take over
A disturbing new online threat is emerging in which criminals hijack the subdomains of large organizations, such as Bose, Panasonic and even the US CDC (Centers for Disease Control and Prevention), to spread malware and run online scams.
As reported by Infoblox security researchers, at the center of this campaign is a threat group known as Hazy Hawk, which has adopted a relatively quiet but very effective approach: it exploits the trust users place in these domains and weaponizes it against unsuspecting visitors.
These subdomain hijacks are not the result of direct hacking, but rather of exploiting neglected infrastructure weaknesses.
An exploit rooted in administrative oversight
Instead of breaching networks through brute force or phishing, Hazy Hawk exploits abandoned cloud resources tied to misconfigured DNS CNAME records.
These so-called "dangling" records occur when an organization decommissions a cloud service but forgets to update or remove the DNS entry pointing to it, leaving the subdomain vulnerable.
For example, a forgotten subdomain such as something.
This method is dangerous because such configuration errors are generally not flagged by conventional security tooling.
Repurposed subdomains become platforms for delivering scams, including fake antivirus warnings, tech support scams and malware disguised as software.
Hazy Hawk does not stop at hijacking: the group uses traffic distribution systems (TDSs) to redirect users from the hijacked subdomains to malicious destinations.
These TDSs, such as viralclipnow.xyz, assess a user's device type, location and browsing behavior to serve tailored scams.
Often, the redirection begins on seemingly harmless developer or blog domains, such as Share.js.org, before routing users through a network of deceptive pages.
Once users accept push notifications, they continue to receive scam messages long after the initial infection, establishing a persistent fraud vector.
The impact of these campaigns is more than theoretical: they have affected high-profile organizations and companies such as the CDC, Panasonic and Deloitte.
Individuals can protect themselves against these threats by declining push notification requests from unknown sites and being cautious with links that seem too good to be true.
For organizations, the emphasis must be on DNS hygiene. Failing to delete DNS entries for decommissioned cloud services leaves subdomains vulnerable to takeover.
Automated DNS monitoring tools, especially those integrated with threat intelligence, can help detect signs of compromise.
Security teams should treat these configuration errors as critical vulnerabilities, not minor oversights.
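The dangling CNAME condition described earlier and the automated DNS monitoring recommended here can be illustrated with a small audit script. This is an added example and is not code from Infoblox or from the article: it parses a constructed BIND-style zone export, collects every CNAME, and reports targets that no longer resolve. The zone contents, the `example.org` owner names and the cloud-style target names are all constructed for the example; the resolver is injectable so the check runs offline against a known answer set, and the `live_resolver` helper shows how a real run would use the system resolver.

```python
"""Flag DNS CNAME records whose target no longer resolves ("dangling" records).

Added example, not from the article or Infoblox: an audit that reads a zone
export, collects every CNAME, and reports targets that fail to resolve. Such
records are the precondition for the subdomain takeover the article describes,
so each finding should be removed or re-pointed.
"""
from __future__ import annotations

import socket
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed zone export in BIND-style "owner TTL IN TYPE target" lines.
# None of these names are real records; they exist only for this example.
SAMPLE_ZONE = """\
; zone export for example.org (constructed sample)
www.example.org.        300 IN A     198.51.100.10
promo.example.org.      300 IN CNAME promo-site.trafficmanager.net.
assets.example.org.     300 IN CNAME d111111abcdef8.cloudfront.net.
old-app.example.org.    300 IN CNAME old-app.azurewebsites.net.
mail.example.org.       300 IN MX    10 mx.example.org.
"""


@dataclass(frozen=True)
class CnameRecord:
    owner: str
    target: str


def parse_cnames(zone_text: str) -> list[CnameRecord]:
    """Extract (owner, target) pairs for CNAME lines; skip comments and other types."""
    records: list[CnameRecord] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop trailing/whole-line comments
        if not line:
            continue
        fields = line.split()
        # Accept both "owner TTL IN CNAME target" and "owner IN CNAME target".
        if "CNAME" in fields:
            idx = fields.index("CNAME")
            owner = fields[0].rstrip(".").lower()
            target = fields[idx + 1].rstrip(".").lower()
            records.append(CnameRecord(owner, target))
    return records


def live_resolver(name: str) -> bool:
    """Real resolver: True if the name resolves to an address, False on NXDOMAIN or failure."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def find_dangling(records: Iterable[CnameRecord],
                  resolves: Callable[[str], bool] = live_resolver) -> list[CnameRecord]:
    """Return the CNAMEs whose target does not resolve.

    The resolver is injectable so the check can run offline in tests or
    against a cached answer set from a monitoring pipeline.
    """
    return [r for r in records if not resolves(r.target)]


def audit_zone(zone_text: str,
               resolves: Callable[[str], bool] = live_resolver) -> list[str]:
    """Convenience wrapper returning 'owner -> target' strings that need cleanup."""
    return [f"{r.owner} -> {r.target}"
            for r in find_dangling(parse_cnames(zone_text), resolves)]


if __name__ == "__main__":
    # Offline demo: pretend only the cloudfront target still exists.
    still_exists = {"d111111abcdef8.cloudfront.net"}
    for finding in audit_zone(SAMPLE_ZONE, lambda n: n in still_exists):
        print("DANGLING:", finding)
```

An NXDOMAIN answer is the simplest signal, not the only one: a target that still resolves to a provider's shared front end while the underlying resource has been deleted is also a takeover candidate, so a production check should add provider-specific probes on top of this resolution test and run on a schedule, since records go stale whenever a cloud resource is torn down.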