A forgotten subdomain on PricewaterhouseCoopers' dotcom was hijacked to promote pornographic sites and apps, which neatly shows why companies should not neglect their DNS records.
Developer and security researcher Vitaly Fedulov told The Register that twice this week he found a pwc.com subdomain serving X-rated ads designed to lure visitors to online stores, adult apps, blogs and adult chat sites. The material also showed up in web search results.
Since then, the subdomain amyca-devapi.pwc.com has been taken offline: it no longer resolves to an IP address, although the entries remain in Google's index:
[Screenshot: the PwC subdomain appearing in Google search results, listing all kinds of 18+ material.]
Fedulov, who runs an image search system, said this was too much for such a large accounting firm, one that handles government contracts.
"Since the company provides security services, including to governments, I think it's time to report these incidents to the public," he said. "It is also because the company, after my interactions with them, does not seem interested in supporting the cyber security community, for example by offering a bug bounty, as other large companies do."
Although PwC declined to comment, Fedulov and El Reg were able to work out how the subdomain was hijacked and plastered with bogus advertising.
The subdomain created by PwC was a CNAME pointing at amyca-dev-node.azurewebsites.net, a custom Microsoft Azure subdomain the bean counters had set up to host some kind of API development system in the cloud. At some point the accounting goliath let its amyca-dev-node Azure subdomain lapse, leaving it free for an attacker to register. When people and search engine bots visited amyca-devapi.pwc.com, they were sent to the attacker-controlled amyca-dev-node.azurewebsites.net, which served whatever the attacker wanted, in this case a rotating series of risqué advertisements.
In other words, there was no intrusion into the PwC network itself or any other part of the dotcom website, just a dangling DNS record and a forgotten Azure subdomain that someone promptly re-registered.
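The defensive check implied by the story is a periodic audit of every CNAME in your zones for targets that sit on a third-party hosting service and no longer resolve. The script below is an added example (not code from the article, from PwC, or from the researchers); the zone data is constructed from the record in the story plus two made-up controls, and the suffixes other than azurewebsites.net are an assumed list of further Azure-hosted names.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Suffixes of third-party hosting services whose names can lapse and be
# re-registered by anyone. azurewebsites.net is the one in this story; the
# other Azure suffixes are added here as an assumption and can be extended.
TAKEOVER_PRONE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.net",
    ".trafficmanager.net",
)

def resolves(hostname: str) -> bool:
    """Live check: does the name still resolve to at least one address?"""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def find_dangling(cnames: Dict[str, str],
                  resolver: Callable[[str], bool] = resolves) -> List[Tuple[str, str]]:
    """Return (owner, final_target) pairs where a CNAME chain in `cnames` ends at
    a takeover-prone third-party name that no longer resolves.

    `cnames` maps owner name -> CNAME target (lowercase, no trailing dot).
    Chains are followed while the target is itself an owner in `cnames`;
    a loop is detected and stops the walk.
    """
    findings = []
    for owner, target in cnames.items():
        seen = {owner}
        while target in cnames and target not in seen:   # follow chained CNAMEs
            seen.add(target)
            target = cnames[target]
        if target.endswith(TAKEOVER_PRONE_SUFFIXES) and not resolver(target):
            findings.append((owner, target))
    return findings

# Constructed sample zone: the PwC record from the article plus two controls.
SAMPLE_CNAMES = {
    "amyca-devapi.pwc.com": "amyca-dev-node.azurewebsites.net",
    "www.example-corp.test": "edge.example-corp.test",       # chained CNAME
    "edge.example-corp.test": "prod-site.azurewebsites.net",  # still live
    "docs.example-corp.test": "cdn.example-corp.test",        # not takeover-prone
}

def demo() -> List[Tuple[str, str]]:
    # Simulated resolver so the example runs offline: only prod-site still exists.
    live = {"prod-site.azurewebsites.net"}
    return find_dangling(SAMPLE_CNAMES, resolver=lambda h: h in live)

if __name__ == "__main__":
    for owner, target in demo():
        print(f"DANGLING: {owner} -> {target}")
```

Replace the simulated resolver with the default `resolves` to run it against a real zone export; a name that fails to resolve is the signal to delete the record or reclaim the target before someone else does.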
To verify this, we contacted Numan Ozdemir of security company Vullnerability, which had previously researched Azure subdomain takeovers. Ozdemir took a quick look at the situation and confirmed that the Azure namespace had indeed been captured by, as he put it, a hacker.
In this case, Ozdemir explained, the attacker was probably trying to borrow the reputation of PwC and its dotcom to game Google into giving a better search ranking to the pages carrying the smut links, a particularly underhand form of SEO.
Ozdemir told The Register that the subdomain effectively tells Google: "I am a PwC site and very popular in the Google domain. This way Google trusts this website, and you can take a look at it."
Ozdemir also noted that the attackers took some steps to keep their antics under the radar, leaving the landing page of the default Azure subdomain untouched and placing the naughty ads only on individual pages, for example amyca-dev-node.azurewebsites.net/my-my-example-awesome-adult-app.html. This allowed the attackers to keep the ugly pages on the subdomain undetected for two to three months, the time needed to build up trust with Google.
"If you add a hacker link, and it only lives on the site for two weeks, Google will consider it suspicious, and that usually hurts your SEO result," he said.
Ozdemir added that this was not unusual. Other large organizations, including major universities and government agencies, have also had their forgotten subdomains and domains seized and used to distribute pornography, or worse.
Either way, it damages the company's reputation and credibility.
Just as a hacker benefits from the clout of a PwC domain, the company finds its reputation tarred by this sleazy material. The lesson is this: maintain good DNS hygiene, know what your records point to, and don't lose control of your subdomains. ®