- Dangling DNS records create invisible openings for criminals to spread malware through legitimate sites
- Hazy Hawk turns the leftover links of poorly configured cloud deployments into silent redirection traps for fraud and infection
- Victims think they are visiting a genuine site, until pop-ups and malware take over
A worrying new line of threat is emerging in which criminals hijack the subdomains of major organizations, such as Bose, Panasonic and even the US Centers for Disease Control and Prevention (CDC), to spread malware and run online scams.
As Infoblox security researchers note, at the center of this campaign is a threat group known as Hazy Hawk, which has adopted a relatively quiet but highly effective approach to compromising trusted domains and turning them against unsuspecting visitors.
These subdomain hijacks are not the result of direct hacking but of exploiting overlooked weaknesses in infrastructure housekeeping.
An exploit rooted in administrative oversight
Rather than breaching networks through brute force or phishing, Hazy Hawk exploits abandoned cloud resources that are still referenced by poorly maintained CNAME DNS records.
These so-called "dangling" records arise when an organization decommissions a cloud service but forgets to update or delete the DNS entry that points to it, leaving the subdomain vulnerable.
For example, a forgotten subdomain such as something.bose.com could still point to an unused Azure or AWS resource name; if Hazy Hawk registers a cloud instance under that same name, the attacker suddenly controls a legitimate-looking Bose subdomain.
The method is dangerous because such misconfigurations are rarely flagged by conventional security tooling: the DNS record is syntactically valid and the parent domain is genuinely owned by the victim, so nothing looks wrong until the target name is resolved.
Repurposed subdomains become platforms for delivering scams, including fake antivirus warnings, tech-support cons and malware disguised as software updates.
Hazy Hawk does not stop at the hijack: the group uses traffic distribution systems (TDS) to redirect visitors to hijacked subdomains on to malicious destinations.
These TDS, such as Viralclipnow.xyz, evaluate a user's device type, location and browsing behavior to serve tailored scams.
Often the redirection begins on seemingly harmless developer or blog domains, such as Share.js.org, before dragging users through a chain of deceptive pages.
Once users accept push notifications, they keep receiving scam messages long after they have left the hijacked site, establishing a durable vector for fraud.
The consequences of these campaigns are more than theoretical: high-profile organizations and companies such as the CDC, Panasonic and Deloitte have been affected.
Individuals can protect themselves by declining push notification requests from unknown sites and treating links that seem too good to be true with caution.
For organizations, the emphasis must be on DNS hygiene. Failing to remove DNS entries when cloud services are decommissioned leaves subdomains open to takeover; the DNS record should be deleted before, or together with, the cloud resource it points at, never afterwards.
Automated DNS monitoring tools, especially those integrated with threat intelligence, can help detect signs of compromise, and a periodic audit of every CNAME in the zone against its resolution status catches the dangling records before an attacker does.
Security teams should treat these misconfigurations as critical vulnerabilities, not minor oversights.
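The audit described in the two passages above (the dangling-CNAME mechanism and the DNS-hygiene recommendation) can be scripted. The following is an added example written for this page, not code from the article or from Infoblox: it walks a set of CNAME records, resolves each target, and flags entries whose target no longer resolves and sits on a cloud namespace where anyone can re-register the name. The zone contents, the resolver answers and the list of takeover-prone suffixes are all constructed for illustration; the suffix list is deliberately incomplete and should be extended for the providers an organization actually uses.

```python
"""Dangling-CNAME audit: flag subdomains whose CNAME target no longer
resolves and lives on a re-registrable cloud namespace (takeover risk)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Cloud namespaces where a deprovisioned resource name can often be claimed
# by any account. Illustrative assumption for this example, not exhaustive.
TAKEOVER_PRONE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".blob.core.windows.net",
    ".s3.amazonaws.com",
    ".elasticbeanstalk.com",
    ".herokuapp.com",
    ".github.io",
)

# A resolver returns the target's addresses, or None when the name does not
# exist (NXDOMAIN). Injected so the audit can run offline against fixtures.
Resolver = Callable[[str], Optional[List[str]]]


@dataclass(frozen=True)
class Finding:
    subdomain: str
    target: str
    status: str   # "dangling", "suspicious" or "ok"
    reason: str


def is_takeover_prone(target: str) -> bool:
    """True when the CNAME target ends in a re-registrable cloud suffix."""
    t = target.rstrip(".").lower()
    return any(t.endswith(suffix) for suffix in TAKEOVER_PRONE_SUFFIXES)


def audit_cnames(records: Dict[str, str], resolve: Resolver) -> List[Finding]:
    """Classify every CNAME record in `records` (owner name -> target)."""
    findings = []
    for sub, target in sorted(records.items()):
        addrs = resolve(target)
        prone = is_takeover_prone(target)
        if addrs is None and prone:
            status = "dangling"
            reason = "target does not resolve and is on a re-registrable cloud namespace"
        elif addrs is None:
            status = "suspicious"
            reason = "target does not resolve; confirm the service is really gone"
        elif prone:
            status = "ok"
            reason = "target resolves; re-audit when the cloud resource is decommissioned"
        else:
            status = "ok"
            reason = "target resolves"
        findings.append(Finding(sub, target, status, reason))
    return findings


# Constructed sample zone (example.com is a reserved documentation domain).
SAMPLE_ZONE = {
    "something.example.com.": "oldapp-prod.azurewebsites.net.",   # decommissioned
    "assets.example.com.": "example-assets.s3.amazonaws.com.",     # still live
    "www.example.com.": "example.cdn-provider.example.net.",       # still live
    "legacy.example.com.": "legacy-host.internal.example.net.",    # gone, non-cloud
}

# Constructed resolver answers standing in for real DNS lookups.
SAMPLE_ANSWERS = {
    "example-assets.s3.amazonaws.com.": ["198.51.100.10"],
    "example.cdn-provider.example.net.": ["198.51.100.7"],
}


def fake_resolve(name: str) -> Optional[List[str]]:
    """Offline stand-in for a DNS resolver: missing key means NXDOMAIN."""
    return SAMPLE_ANSWERS.get(name)


def dangling_subdomains(records: Dict[str, str] = SAMPLE_ZONE,
                        resolve: Resolver = fake_resolve) -> List[str]:
    """Owner names that an attacker could claim right now."""
    return [f.subdomain for f in audit_cnames(records, resolve) if f.status == "dangling"]


if __name__ == "__main__":
    for f in audit_cnames(SAMPLE_ZONE, fake_resolve):
        print(f"{f.status:10} {f.subdomain:24} -> {f.target:40} {f.reason}")
```

In production the `resolve` parameter would be a real lookup (for instance one built on dnspython's `dns.resolver.resolve`, catching `NXDOMAIN` and returning `None`), and the input would come from a zone export or the cloud DNS provider's API. The "suspicious" bucket matters: a target that no longer resolves but is not on a known takeover namespace is still a cleanup item, and a target that still resolves on a cloud namespace is exactly the record to delete when that resource is retired.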