Domain Name Hijacking

1. attackers will first access www.networksolutions.com, a network solution company, and enter the domain name to be queried through the make changes function provided on the company's homepage, obtain the domain name registration information in abc. Com, for example, we will get the following information: Registrant: Capital Cities/ABC, Inc (ABC10-DOM) 77 W 66th St. New York, NY 10023 US Domain Name: ABC. COM Administrative Contact, Billing Contact: King, Thomas C. (SC3123-ORG) abc. Legal. Internet. Registration @ ABC. Com abc, Inc. 77 W 66th St. New York, NY 10023 US 212-456-7012 Technical Contact, Zone Contact: Domain Administrator (DA4894-ORG) dns-admin @ STARWAVE. COM Starwave Corporation 13810 SE Eastgate Way, ste. 400 Bellevue, WA 98005 US 206. 664. 4800 Fax-206. 664. 4829 Record last updated on 11-Oct-2000. Record expires on 23-May-2003. Record created on 22-May-1996. Database last updated on 20---2000 14:14:26 EDT. Domain servers in listed order: DNS1. STARWAVE. COM 204. 202. 132. 51 T. NS. VERIO. NET 192. 67. 14. 16

2, control the management domain name of the E-MAIL account obtained from the above information, attackers can understand abc. Com registered DNS server, management domain name E-MAIL account, technical contact E-MAIL account and so on registration information, the attacker's focus is the first need to manage the Domain Name of the E-MAIL account abc. Legal. Internet. Registration @ ABC. COM control, send and receive in the network solution company networksolutions homepage modified domain name registration records after confirmation E-MAIL, the control process of the E-MAIL account does not rule out the attacker to the E-MAIL Account Password Brute Force speculation, the account's E-MAIL server intrusion attacks.

3. When the domain name registration information of the network solution company is modified, the attacker will use the make changes function of the network solution company networksolutions to modify the registration information of the domain name, including the owner information, DNS server information, and so on.

4. impersonate the owner to use the E-MAIL account that manages the domain name to send and receive the network solution company confirmation letter before the real owner of the E-MAIL account that manages the domain name receives the network solution company confirmation letter, receive the E-MAIL account of the mail, use the E-MAIL account to reply to the network solution company for confirmation, after the secondary reply confirmation, will receive the network solution company sent a letter of successful modification of registration records, the attacker successfully hijacked the domain name.

5. Add the domain name record to the newly designated DNS server and add the PTR record of the domain name to the newly designated DNS server in the registration information, pointing to the server of another IP address, generally, these two servers are pre-intrusion-controlled servers and are not owned by attackers.