Iraqi hacker takes credit for hijacking subdomain, defacing Trump site

When was the last time you checked DNS configurations for subdomains pointing at services not in use?

A hacker, purportedly from Iraq, defaced a site previously used by President Donald Trump for campaign fundraising. The “hack” occurred Sunday on the server secure2.donaldjtrump.com. It was short-lived.

A screenshot of the defacement was posted on the subreddit Hacking. The page displayed an anonymous man in a fedora above the message:

Hacked By Pro_Mast3r ~

Attacker Gov

Nothing Is Impossible

Peace From Iraq

defacement of trump site g33xter

Ars Technica reported the server was “behind Cloudflare’s content management and security platform, and it does not appear to be directly linked from the Trump/Pence campaign's home page. But it does appear to be an actual Trump campaign server.”

While some commenters on the subreddit Hacking seemed to view this as “fake” news, others pointed out that the defacement was confirmed by security journalist Brian Krebs.

In a series of tweets, Krebs explained that the hacker told him he’d used a hostile subdomain takeover technique, described when it was written in 2014 as a “practically non-traceable” attack.

trump hacker told krebs 1 Brian Krebs
Trump hacker told Krebs 2 Brian Krebs

Detectify Labs, which originally wrote about the subdomain takeover, explained it as a “serious attack vector resulting from a widespread DNS misconfiguration. The misconfiguration allows an attacker to take full control over subdomains pointing to providers.”

Here's another grin-worthy image that was tweeted by g33xter:

Trump and XSS g33xter

Trump has acquired over 3,500 domains

Presumably inspired by the defacement, CNN dived into Trump’s “vast online portfolio of domain names,” according to 20 years of internet records using DomainTools. Before Trump became president, his company had “at least 3,643 website domains.” Ninety-three of those were snapped up when he launched his presidential campaign.

It seems Trump purchased many that he feared might someday be used against him, such as “TrumpNetworkFraud.com, TrumpNetworkPyramidScheme.com, TrumpNetworkPonziScheme.com” and 15 more similarly named domains.

Some other interesting CYOA choices acquired by Trump include DonaldTrumpSucks.com, VoteAgainstTrump.com, TrumpMustGo.com, NoMoreTrump.com and ImBeingSuedByTheDonald.com.

Trump’s first site, donaldjtrump.com, was obtained Jan. 20, 1997.

Are your sites vulnerable to hostile subdomain takeover?

The temporarily defaced secure2.donaldjtrump.com is no longer accessible. But do you suppose the Trump team is scurrying to insure that none of the more than 3,600 website domains are misconfigured, which would allow subdomains to be hijacked?

Detectify Labs said it has “identified 100+ different ways that you can be vulnerable to a domain takeover.” The company sells a tool to monitor subdomains, but it also suggested people “check your DNS-configuration for subdomains pointing to services not in use” to “keep your DNS-entries constantly vetted and restricted.”

SUBSCRIBE! Get the best of CSO delivered to your email inbox.