eNom discloses DNS attack to customers

On Thursday, Taryn Naidu, the CEO of domain registrar eNom, sent a letter to customers disclosing a “very sophisticated attack” that targeted the DNS settings on four domains.

The email was sent in order to provide transparency, but eNom is the registrar of record for the Federal Reserve Bank of St. Louis, which reported a DNS hijacking earlier this week. Are the two incidents linked?

“Enom recently became the subject of what appears to be a very sophisticated attack by a group that targets large internet infrastructure companies. Within hours of this attack, we were in contact with federal law enforcement and the affected parties. This attack hijacked the DNS traffic of 4 domains for a very short period of time before we mitigated the situation,” the letter starts.

Other than the owner(s) of the four domains in question, no other customers were affected by the incident. Naidu sent the letter as an act of transparency to inform clients of this “unfortunate situation.”

“To be clear, no domain names were stolen, and after exhaustive analysis, with the exception of the DNS of the domains specifically targeted, we do not have any evidence or reason to believe that these malicious actors accessed any customer accounts, customer personal information, or any of Enom’s secured and encrypted data. Your security is a leading priority at Enom and we continue to work both with federal law enforcement and industry leading security forensic companies to protect your online presence,” the letter said.

Earlier this week, Federal Reserve Bank of St. Louis reported that their DNS settings were hijacked, and used to redirect some traffic to rogue websites created by the attackers to mimic four different tools used by the bank’s clients.

According to historical domain records, eNom is the registrar for Federal Reserve Bank of St. Louis (stlouisfed.org). It’s also worth mentioning that the DNS for this domain would also control the four tools (FRED, FRASER, GeoFRED and ALFRED) that the criminals targeted.

The letter from eNom to its customers didn’t name St. Louis Fed as the victim, but given the timing of the two announcements, the incidents are likely linked.

Salted Hash has reached out to Rightside Group LTD., the parent company of eNom, for more information.

Update: In a statement, Rightside Group LTD. declined to offer any additional information, stating: “For privacy and confidentiality reasons, as well as ongoing federal law enforcement engagement, we are not discussing what domains were affected.”

“This is a very creative and intelligent attack, in that cybercriminals did not have to breach the heavily secured perimeter, but instead use a weak outside link that would stealthily move them inside their target,” said Trend Micro’s Christopher Budd in a statement concerning the St. Louis Fed incident.

“In this case it’s as if they decided ‘Why attack Ft. Knox when you can just redirect the trucks delivering to it?'”

The eNom incident isn’t the first of its kind, other registrars have had to deal with DNS hijacks, leading many to call webhosting services and domain registration a weak link in the supply chain, as the vendors in question often fall victim to socially-based attacks.

In fact, earlier this year, this reporter’s GoDaddy account was easily hijacked after a security expert social engineered call center employees and used Photoshop to forge a state ID.

“A stealthy cybercriminal can easily do his or her homework using social media outlets to gain sufficient information to request an account reset through a call center,” added Budd.

“It’s unfortunately becoming an area of focus for criminals that turns into a nightmare for victims seeking to regain control.”