We are seeing several high-profile domains being hijacked at the DNS level and are actively blocking all requests from the apparent attackers’ name servers. The attacker appears to have compromised the domain name registrar MelbourneIT. Reported domains include Share This, Twitter, Huffington Post, and the New York Times. We’re not linking to those sites for obvious reasons.
The IP addresses and domains involved in the redirection have been blocked by OpenDNS for months, so OpenDNS customers attempting to connect to the affected domains were already protected. We are now blocking all requests that come from the known bad name servers. The screenshot below shows the bad name server, 18.104.22.168, which is currently hosting malware and phishing domains along with the domains affected by today’s attack.
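A defender-side check in the spirit of the approach above, added here as an example and not OpenDNS code: compare each domain’s current NS delegation against a known-good baseline and flag any name server that resolves to a known-bad address. The domains, hostnames and every address other than 18.104.22.168 are constructed for illustration.

```python
# Added example (not OpenDNS code): detect a registrar-level hijack by comparing
# a domain's current NS delegation with a known-good baseline and a bad-IP list.
# Only the name server IP below comes from the post; all other values are constructed.

KNOWN_BAD_NS_IPS = {"18.104.22.168"}  # bad name server reported in the post


def _norm(names):
    """Lower-case and strip the trailing dot so 'NS1.Example.' == 'ns1.example'."""
    return {n.lower().rstrip(".") for n in names}


def check_delegation(domain, baseline_ns, observed_ns, ns_addresses, bad_ips=KNOWN_BAD_NS_IPS):
    """Return (domain, reason, detail) findings for one domain.

    baseline_ns  - NS hostnames recorded when the delegation was known good
    observed_ns  - NS hostnames currently returned for the domain
    ns_addresses - mapping of NS hostname -> set of IPs it resolves to
    """
    base, now = _norm(baseline_ns), _norm(observed_ns)
    addrs = {k.lower().rstrip("."): set(v) for k, v in ns_addresses.items()}
    findings = []
    for ns in sorted(now - base):  # delegation changed to a server we never approved
        findings.append((domain, "unexpected-ns", f"{ns} not in baseline"))
    for ns in sorted(base - now):  # an approved server was dropped from the delegation
        findings.append((domain, "missing-ns", f"{ns} no longer delegated"))
    for ns in sorted(now):  # any current server sitting on a known-bad address
        hits = addrs.get(ns, set()) & bad_ips
        if hits:
            findings.append((domain, "bad-ns-ip", f"{ns} resolves to {', '.join(sorted(hits))}"))
    return findings


# Constructed sample: one unchanged domain and one re-delegated at the registrar.
BASELINE = {
    "unchanged.example": {"ns1.goodhost.example", "ns2.goodhost.example"},
    "hijacked.example": {"ns1.goodhost.example", "ns2.goodhost.example"},
}
OBSERVED = {
    "unchanged.example": {"NS1.goodhost.example.", "ns2.goodhost.example"},
    "hijacked.example": {"ns1.badhost.example", "ns2.badhost.example"},
}
NS_ADDRESSES = {
    "ns1.goodhost.example": {"192.0.2.10"},
    "ns2.goodhost.example": {"192.0.2.11"},
    "ns1.badhost.example": {"18.104.22.168"},
    "ns2.badhost.example": {"198.51.100.7"},
}


def scan(baseline=BASELINE, observed=OBSERVED, addresses=NS_ADDRESSES):
    """Run the check over every baselined domain and return all findings."""
    findings = []
    for domain, base_ns in baseline.items():
        findings.extend(check_delegation(domain, base_ns, observed.get(domain, set()), addresses))
    return findings


if __name__ == "__main__":
    for domain, reason, detail in scan():
        print(f"{domain}: {reason}: {detail}")
```

In practice the observed NS set and addresses would be fetched live and the baseline kept under change control, so an unreviewed delegation change alerts before resolvers start following it.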
Below are some related screenshots from our Umbrella Security Graph showing early information related to the attacks. We’ll follow up with more shortly. For now, anyone using OpenDNS is protected.
The following screenshots show more detail on the domains in question: