/c/cybersecurity - Cybersecurity News & Discussion

2160 readers

2 users here now

A community for technical news and discussion of cybersecurity and closely related topics.

founded 4 years ago

MODERATORS

[email protected]

Help me understand this Azure / DNS attack (www.keytos.io)

submitted 2 years ago by bears to c/[email protected]

1 comments fedilink hide all child comments

I feel like I'm missing a step. You take down your website, but leave the DNS entry and the attacker does what? Builds a site that has the IP address your CNAME is pointing to? Can anyone make a website in azure and pick the IP address they want? Thanks

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 2 points 2 years ago

cnames do not point to IP address, they point to a resource on another domain, in this case azureresource.azure.-com for example.

Say you have a temporary webpage called flashsale.example.-com you created a cname pointing that subdomain to an azure resource that shows your desired content. Then you remove the azure resource, but leave the cname in place.

If a create another azure resouce with whatever public azure url you used before, and I make it look like your current website, say I impersonate your current login.example.-com on that azure resource, now your cname flashsale.example.-com os pointing to it, but you don't control the azure resource now, I do.

Now I can try to phish your customers by sending emails with real links, like: Dear customer, your account will be charged $900 for your last purchase, if this purchase was made in error or was not authorized by you, sign in to flashsale.example.-com immediately to cancel it. And now I have your customer's credentials.

And that is just one example, there are many more ways to exploit an orphaned cname subdomain, like using it to serve malware, using it to control bots without being blacklisted, etc.