SEO spam attacks on compromised websites may be common, as we cover them quite frequently. Yet, shedding light on a blackhat tactic used to infiltrate a WHOIS results for a domain name is complex and unique, as it is not a common occurrence.
“WHOIS” is a protocol which is used to verify who owns a unique domain name. Simply put, these records are available to everyone with the goal of creating trust online through visibility of the website owner’s name, address, and phone number. Yet if a website owner is interested in safeguarding their personal information, they are required to purchase the WHOIS server protection service.
WHOIS Server Hack – A Quick Outline
Recently, a WHOIS service user got really upset about the changes in his records, as well as email notifications he received that were carrying spam content. Research revealed that hackers had taken advantage of customers’ domain expiration by purchasing a previously legitimate WHOIS server. They then included arbitrary and unauthorized ads in this newly purchased old South African WHOIS server records.
The country code .co.za is used for a top-level domain official in South Africa. A search to locate the official WHOIS server for client (CNAME whois.coza.net.za.) came back with nothing wrong. But, the changes made in the WHOIS server contained details of what was changed and this was where things got really interesting.
WHOIS Server Showed Records of Spam Content
The WHOIS changelog demonstrated a new set of spam links which were included on all out-going email notifications. Even though all the spam emails looked similar, there was a strong clue at the end of each email redirecting users to another site - "Why would queries go to whois.co.za instead of whois.coza.net.za?"
Investigating the WHOIS Server
Researchers immediately ran a query to dig deeper on "whois victim-site.co.za whois: za.whois-servers.net:".
You guessed it: the results indicated that the domain name had something to do with the issue. So, performing a root cause analysis by installing Brew with an updated version of WHOIS 5.2.12 caused a different result where the client information had been redacted.
The fetched results paved the way to further narrow down on the real problem!
Scanning The Registry Website
On visiting the WHOIS server site – hxxp://whois[.]co.za, it promptly redirected to the legitimate website, https://www.registry.net.za/whois/ –.
However, upon visiting hxxp://www.whois[.]co.za, it redirected to a completely different site and numerous ads started to crowd the screen immediately. Bingo!
This proved that whois.co.za domain – was hacked.
The DNS records were culled out and it showed that the bare domain and subdomain were configured to different servers.
The hxxp://whois[.]co. za showed a clean version while hxxp://www.whois[.]co.za was spam-filled. Another WHOIS query was run and this time it clearly pointed out which server to use.
In the end, it was revealed that some hacker gained access into the domain whois.co.za and replaced it on April 22nd. Since then, clients started receiving unsolicited ads in their notification emails.
Outdated WHOIS Server
The problem occurs with versions of WHOIS older than 5.0.19. In 2009, the whois[.]co.za domain was removed in version 4.7.33. A hacker capitalized by purchasing it after the domain expired to send advertisements.
On the other hand, WHOIS versions older than 5.0.19 will go on to see such messages when querying co.za domains. The issue has been reported to the South African registrar.
It’s important for all users to keep a track on their WHOIS records to stay rest assured that the hackers are not making any illegal changes or compromise to their WHOIS server. We will keep you posted here if there are any further developments with the issue.