A forgotten subdomain of PricewaterhouseCoopers' dot-com has been hijacked to host advertisements for pornographic websites and applications, neatly demonstrating why you should not neglect your company's DNS records.
Security developer and researcher Vitaly Fedulov told The Register this week that he twice found the pwc.com subdomain hosting a list of X-rated ads luring people to online smut emporiums, adult apps, adult blogs and discussion forums. The material also turned up in web searches.
The subdomain, amyca-devapi.pwc.com, has since been taken offline – it no longer resolves to an IP address – although its entries in Google remain for the time being:
Screenshot of the PwC subdomain appearing in Google search results, hosting all kinds of over-18 content
Fedulov said twice was too many for such a large accounting firm, one that serves the public sector.
“Since the company provides security services, including for governments, I think it is time to share the incidents with the public,” he said. “Also, because from my communication with them, the company does not seem interested in supporting the cybersecurity community by offering, for example, bug bounties, like other large companies do.”
While PwC declined to comment, Fedulov and El Reg were able to work out how the subdomain was commandeered and plastered with dirty ads.
The subdomain, once set up by PwC, pointed via a DNS CNAME record at amyca-dev-node.azurewebsites.net, a custom Microsoft Azure hostname the bean counters had created to host some sort of API development system in the cloud. At some point, the accounting goliath let its amyca-dev-node Azure app expire or lapse, which freed that azurewebsites.net hostname for anyone to register, and a miscreant did exactly that. When people and search-engine crawlers visited amyca-devapi.pwc.com, the still-live CNAME sent them to the now attacker-controlled amyca-dev-node.azurewebsites.net, which served whatever the miscreant wanted – in this case, a rotating set of risqué ads.
In other words, there was no intrusion into the PwC network itself, nor any other part of the dot-com site: just a dangling DNS record pointing at a forgotten Azure subdomain that someone walked in and registered for themselves.
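The failure mode above is a dangling CNAME: the record in the pwc.com zone outlived the Azure resource it pointed at. The following script is an added example, written for this article and not code from PwC, Fedulov or Ozdemir; it parses a constructed zone-file snippet (the names are invented, not PwC's real records), picks out CNAMEs whose targets sit in cloud namespaces where a lapsed name can be re-registered by any tenant (the suffix list is an assumption, not an authoritative catalogue), and classifies each as dangling when the target no longer resolves. Note the second status: a target that does resolve is not proof that you own it, since in the PwC case the hijacker had already registered the name and it resolved perfectly well. The resolver is injectable so the demo runs offline.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Namespaces where a lapsed hostname can be re-registered by any tenant
# (assumed list of commonly cited takeover-prone services, not exhaustive).
TAKEOVER_PRONE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".azureedge.net",
    ".herokuapp.com",
    ".github.io",
)

# Constructed sample zone for demonstration; these are not PwC's records.
SAMPLE_ZONE = """
; constructed example zone
www.example.com.      300 IN A     192.0.2.10
api-dev.example.com.  300 IN CNAME old-dev-node.azurewebsites.net.
blog.example.com.     300 IN CNAME example-blog.herokuapp.com.
docs.example.com.     300 IN CNAME www.example.com.
mail.example.com.     300 IN MX    10 mx.example.com.
"""


def parse_zone(zone_text: str) -> List[Tuple[str, str, str]]:
    """Parse minimal BIND-style lines 'name TTL IN TYPE rdata' into (name, type, rdata)."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        parts = line.split()
        if len(parts) < 5:
            continue
        name, rtype, rdata = parts[0], parts[3].upper(), parts[4]
        records.append((name.rstrip(".").lower(), rtype, rdata.rstrip(".").lower()))
    return records


def matching_suffix(target: str) -> Optional[str]:
    """Return the re-registrable namespace the target lives in, or None."""
    for suffix in TAKEOVER_PRONE_SUFFIXES:
        if target.endswith(suffix):
            return suffix
    return None


def resolves(host: str) -> bool:
    """Live check: does the CNAME target still have an address? (needs network access)"""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def audit_cnames(records, resolve: Callable[[str], bool] = resolves) -> Dict[str, Tuple[str, str]]:
    """Return {subdomain: (target, status)} for CNAMEs into third-party namespaces.

    'dangling'         : target no longer resolves, so anyone can register it.
    'verify-ownership' : target resolves, but that is not proof it is yours; an
                         already-hijacked name (as in the PwC case) resolves too,
                         so confirm the resource exists in your own tenant.
    """
    findings: Dict[str, Tuple[str, str]] = {}
    for name, rtype, rdata in records:
        if rtype != "CNAME":
            continue
        if matching_suffix(rdata) is None:
            continue  # points inside our own zone or at an unlisted host; skip
        status = "verify-ownership" if resolve(rdata) else "dangling"
        findings[name] = (rdata, status)
    return findings


if __name__ == "__main__":
    # Stub resolver so the demo runs offline; pass `resolves` instead for a live scan.
    def offline_stub(host: str) -> bool:
        return host != "old-dev-node.azurewebsites.net"

    for sub, (target, status) in audit_cnames(parse_zone(SAMPLE_ZONE), offline_stub).items():
        print(f"{status:17} {sub} -> {target}")
```

Run against a real zone export, the 'dangling' entries are the ones to delete today; the 'verify-ownership' entries need a look in the Azure portal (or the equivalent console for the other providers) to confirm the resource is still yours. Tenant-level protections such as Azure's custom-domain verification only help for new bindings; they do nothing for a CNAME you created years ago and forgot.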
To verify this, we turned to someone who had previously studied Azure subdomain takeovers: Numan Ozdemir of security company Vullnerability. Ozdemir took a quick look at the situation and confirmed that the Azure namespace had indeed been hijacked to host what he called “hacklinks”.
In this case, Ozdemir explained, the miscreant was probably trying to piggyback on the reputation of PwC and its dot-com to game Google into ranking the linked smut pages higher in search results, a particularly sneaky form of search-engine manipulation.
“The subdomain tells Google, ‘I am the PwC website,’ which has high domain authority for Google,” Ozdemir told The Register. “So Google will trust this hack-linked website and let you take a look.”
Ozdemir also noted that the miscreants had taken steps to keep the caper under the radar, leaving a default “coming soon” page at the root of the Azure subdomain and placing the naughty ads only on separate pages – for example, amyca-dev-node.azurewebsites.net/my-example-awesome-adult-app.html. This allowed the crooks to keep the subdomain's naughty pages undetected for two or three months, the time needed to build up credibility with Google.
“If you add a hacklink and it only lasts two weeks on the website, Google will find this unexpected and it will generally hurt your SEO score,” he said.
Ozdemir added that this is not a particularly rare event. Other large entities, including major universities and government departments, have also seen their forgotten subdomains and domains taken over and used to serve pornography or worse.
It is, however, something that will dent the prestige and trustworthiness of a business.
Just as the smut-slinging hijacker benefits from the weight of the PwC domain, the company could see its reputation suffer from being associated with these shady pages. The lesson to learn is: keep good records of your DNS entries, assign people to maintain them, and don't lose control of your subdomains. ®