Stolen 123-reg password knocks out 120 UK domains
Hosting provider 123-reg has been accused of a lapse in security after one customer found his account hacked – and the domains he had registered redirecting to a ransomware site.
The customer, who has asked to remain anonymous, owns a web design agency and has more than 120 domains registered with 123-reg, mostly belonging to clients.
After being contacted by a visitor to one site, he found half the domains redirected to a bogus notice warning the user that their browser had been “blocked” by police and demanding payment.
He tracked the issue to 123-reg and found hackers had accessed his account and altered DNS records and other settings.
“All 120-plus domain names had been set to auto-expire,” he told PC Pro. “Half were redirected to spurious locations and more than a third had compromised DNS, with additional DNS redirects to these ransom sites.”
123-reg confirmed the incident but couldn’t say how the hack took place.
“While we cannot at this stage determine whether the account was definitely hacked, we can confirm that once contacted by the customer we did act upon the enquiry and took all the necessary measures that we could from our side to investigate and help,” the company told PC Pro.
123-reg also said the problem was an “isolated incident”.
It appears 123-reg was only alerted to the problem after a security researcher, Virus Bulletin’s Martijn Grooten, separately stumbled across the ransomware notices. Grooten suggested that the group behind the attack was also behind Reveton, a major ransomware virus that began spreading in 2012.
One by one
123-reg claimed it had subsequently taken down the affected sites, but our source said the company actually corrected only one altered DNS record.
“I had to go through every single account, one by one, and check every setting,” he said. “123-reg, while trying to be helpful, didn’t do a thing.”
“My password has always been secure, but I don’t know if that’s how they accessed my account, so I don’t know if my domains or the websites are secure,” he added.
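The one-by-one audit the customer describes can be automated. The following is an added example, not code from PC Pro or 123-reg: it compares a snapshot of a domain portfolio (DNS records plus the auto-renew flag) against an approved baseline and reports every domain that drifted, so changes such as redirected A records, swapped nameservers or domains set to expire surface without checking each account by hand. The snapshot format and the sample domains are constructed for the example.

```python
from collections import defaultdict

# Constructed sample snapshots (not from the article). Each line is
# "domain record-type value", the kind of dump a registrar API export or a
# batch of DNS queries could be normalised into. AUTO_RENEW is a constructed
# pseudo-record carrying the account-level renewal setting.
BASELINE = """\
clientone.example A 203.0.113.10
clientone.example NS ns1.registrar.example
clientone.example NS ns2.registrar.example
clientone.example AUTO_RENEW on
clienttwo.example A 203.0.113.11
clienttwo.example NS ns1.registrar.example
clienttwo.example NS ns2.registrar.example
clienttwo.example AUTO_RENEW on
"""

CURRENT = """\
clientone.example A 198.51.100.77
clientone.example NS ns1.registrar.example
clientone.example NS ns2.registrar.example
clientone.example AUTO_RENEW off
clienttwo.example NS ns1.rogue-dns.example
clienttwo.example NS ns2.rogue-dns.example
clienttwo.example A 203.0.113.11
clienttwo.example AUTO_RENEW off
"""


def parse_snapshot(text):
    """Parse 'domain type value' lines into {domain: {type: set(values)}}."""
    records = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        domain, rtype, value = line.split(None, 2)
        records[domain.lower().rstrip(".")][rtype.upper()].add(value.strip().lower())
    return records


def find_drift(baseline, current):
    """Return {domain: [finding, ...]} for every domain whose record sets or
    renewal flag differ from the approved baseline; {} means no drift."""
    findings = defaultdict(list)
    for domain in sorted(set(baseline) | set(current)):
        base, cur = baseline.get(domain, {}), current.get(domain, {})
        if not cur:
            findings[domain].append("domain missing from current snapshot")
            continue
        for rtype in sorted(set(base) | set(cur)):
            b, c = base.get(rtype, set()), cur.get(rtype, set())
            if b != c:  # set comparison ignores record order, catches add/remove/change
                findings[domain].append(f"{rtype}: expected {sorted(b)} got {sorted(c)}")
    return dict(findings)
```

Run `find_drift(parse_snapshot(BASELINE), parse_snapshot(CURRENT))` on a schedule against a fresh export and alert on any non-empty result.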
A security hole in 123-reg’s management console resulted in 300 domains being hijacked in 2012.
Update: 123-reg has contacted PC Pro with an update on its investigation and said the hack was down to a stolen password, and not a wider security issue with its systems.
“123-reg [has confirmed] we did not have a mass domain attack,” a spokesperson said. “Our systems were not compromised and thus the allegation that 123-reg was to blame for a customer’s account being compromised is incorrect.”
“We have evidence to show that the customer’s password was used to access the account and change the settings on it,” the spokesperson added. “There was no password intrusion performed against 123-reg.”
123-reg said it was continuing its investigation.