
SOPA / PIPA Supporters Targeted in DNS Hijack Attack

The domain of and two owned by luxury designer firm Coach were targeted this week for their continued support of the anti-piracy and anti-counterfeiting bills - SOPA and PIPA. In each case, the group calling itself UGNazi hijacked the DNS used by the targeted domains, redirecting visitors to a secondary location.

“We understand that these websites will enevitably [sic] take back their website. We don't steal users [sic] data, only here to make them aware. From SOPA/PIPA, to ACTA to just pissing us off...there is always a reason,” the group said in a brief explanation. (Ultimate Fighting Championship), was the first domain to be hijacked by UGNazi, but Dana White, the President of Zuffa, which is the parent company of UFC, wasn’t concerned at all.

“I’m in the fight biz not the website biz!” White said on Twitter, “Might be a big deal to other companies not mine.”


Just before the UFC attack, the general counsel for Zuffa published an editorial that supported SOPA because of “criminals” who sit behind their computers and “are abusing the Internet with the illegal sale of counterfeit products such as electronics, prescription drugs, clothing and -- in our case -- illicit downloads and streaming of our matches.”

Coach, on the other hand, would be a natural proponent of SOPA, due to the heavy counterfeiting of its bags and other goods, which are sold online and overseas. However, those who stand against the bill are more concerned with the broad powers it would give both the government and IP owners. It isn’t that they support piracy, but they would rather see the issue addressed with clearly worded laws, with a measure of protection for website owners and content producers.

UGNazi didn’t do anything technically advanced. DNS hijacks often take a bit of social engineering and some basic information in order to get the domain registrar to reset a password or change DNS settings.

Coach is using UU.NET (Verizon Business) as its primary DNS host, which is likely why the DNS hijacking was flagged so fast. UFC, by contrast, has its DNS managed by a child company of EarthLink. In each case, the DNS name servers are managed by Network Solutions, a company that has suffered under DNS hijacking in the past.

“Many companies pay little if any attention to securing their domain registrations, and most do not continuously monitor their DNS to make sure it is resolving properly around the world. So they are both vulnerable to attacks and blind to attacks when they happen,” commented Lars Harvey of Internet Identity.

“We've said this before, and we'll probably say it many times again. Every company that relies on its domain name(s) for significant business activity should have its domains registered at a corporate domain registrar... Such registrars have designed their services to serve companies, and provide levels of security and service that make it much more difficult for an attacker to hijack your domain.”

Corporate domains registered at consumer registrars, such as GoDaddy or Network Solutions, leave a business exposed, Harvey added, because they do not have business models that allow them to be proactive enough to protect a business. To be fair, Network Solutions does have corporate business models, but they’ve been abused in the past.
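
Harvey's point about continuously monitoring how a domain resolves from different locations can be expressed as a comparison against a known-good baseline. The following is an added example, not code from the article or from Internet Identity; the name servers, addresses and vantage-point names are constructed, and the observations are supplied inline instead of being collected by live queries.

```python
from dataclasses import dataclass

def norm(name):
    """DNS names are case-insensitive; drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

@dataclass(frozen=True)
class Baseline:
    nameservers: frozenset  # NS hosts the owner expects in the delegation
    addresses: frozenset    # A records the owner expects

def check(baseline, observations):
    """observations maps vantage point -> {"ns": [...], "a": [...]}, or None
    when the lookup failed. Returns sorted (severity, vantage, message)."""
    alerts, seen_ns = [], set()
    want_ns = {norm(n) for n in baseline.nameservers}
    for vantage, obs in observations.items():
        if obs is None:
            alerts.append(("warning", vantage, "lookup failed"))
            continue
        got_ns = frozenset(norm(n) for n in obs["ns"])
        seen_ns.add(got_ns)
        rogue_ns = got_ns - want_ns
        if rogue_ns:  # delegation changed, e.g. after a registrar account reset
            alerts.append(("critical", vantage,
                           "unexpected NS: " + ", ".join(sorted(rogue_ns))))
        rogue_a = set(obs["a"]) - baseline.addresses
        if rogue_a:   # critical only when the delegation moved as well
            alerts.append(("critical" if rogue_ns else "warning", vantage,
                           "unexpected A: " + ", ".join(sorted(rogue_a))))
    if len(seen_ns) > 1:
        alerts.append(("info", "*", "vantage points disagree on NS"))
    return sorted(alerts)

# Constructed sample data (documentation-reserved names and addresses).
BASELINE = Baseline(
    nameservers=frozenset({"ns1.dns-host.example", "ns2.dns-host.example"}),
    addresses=frozenset({"192.0.2.10"}))
OBSERVATIONS = {
    "us-east": {"ns": ["NS1.dns-host.example.", "ns2.dns-host.example."],
                "a": ["192.0.2.10"]},
    "eu-west": {"ns": ["ns1.parked.example", "ns2.parked.example"],
                "a": ["203.0.113.66"]},
    "ap-south": None,
}

if __name__ == "__main__":
    for alert in check(BASELINE, OBSERVATIONS):
        print(*alert, sep=" | ")
```

In practice the observations would be gathered on a schedule from resolvers in several networks, and any critical alert would be checked against the registrar account's change history.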

In the end, the domains returned to normal, but UGNazi promised more attacks.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.