SEO spam attacks on compromised websites are common, and we cover them quite frequently. Shedding light on a blackhat tactic used to tamper with the WHOIS results for a domain name, however, is a more complex and unusual task, because it is not a common occurrence.

“WHOIS” is a protocol used to verify who owns a given domain name. Simply put, these records are available to everyone, with the goal of creating trust online through visibility of the website owner’s name, address, and phone number. If a website owner wants to safeguard their personal information, they are required to purchase a WHOIS protection service.

Recently, a WHOIS service user got really upset about changes in his records, as well as about email notifications he received that carried spam content. Research revealed that hackers had taken advantage of customers’ domain expiration by purchasing the domain of a previously legitimate WHOIS server. They then inserted arbitrary, unauthorized ads into the records served by this newly purchased, formerly legitimate South African WHOIS server. co.za is the official top-level domain space used in South Africa.

A search to locate the official WHOIS server for the client (CNAME .) came back with nothing wrong. But the changes made in the WHOIS server contained details of what had been changed, and this was where things got really interesting.

WHOIS Server Showed Records of Spam Content

The WHOIS changelog showed a new set of spam links that were included in all outgoing email notifications. Even though all the spam emails looked similar, there was a strong clue at the end of each email redirecting users to another site: “Why would queries go to .za instead of ?” Researchers immediately ran a query to dig deeper: “whois .za whois: za.:”. You guessed it: the results indicated that the domain name had something to do with the issue. Performing a root cause analysis with an updated version of WHOIS (5.2.12) installed via Brew produced a different result, in which the client information had been redacted. The fetched results paved the way to narrowing down the real problem. On visiting the WHOIS server site, hxxp://whoisco.za, it promptly redirected to the legitimate website, –. However, upon visiting hxxp://it redirected to a completely different site, and numerous ads started to crowd the screen immediately. This proved that the .za domain – had been hacked.
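As an added example (not code from the original article), the Python below scans a constructed WHOIS reply for links whose hosts fall outside an operator-supplied allowlist, and separately checks the referral server a whois client would follow automatically; every domain in it is a placeholder.

```python
import re
from urllib.parse import urlsplit

# Matches plain and defanged (hxxp) URLs up to the next whitespace or quote.
URL_RE = re.compile(r"(?:https?|hxxps?)://[^\s\"'<>]+", re.IGNORECASE)

# Constructed WHOIS reply for a hypothetical example.co.za lookup; the last
# two lines imitate a hijacked server that now appends ads to every answer.
SAMPLE_RESPONSE = """\
Domain Name: example.co.za
Registrar: Example Registrar (Pty) Ltd
Registrar WHOIS Server: whois.registrar.example
Registrar URL: https://registrar.example/
Registrant: REDACTED FOR PRIVACY
Name Server: ns1.example.co.za

Cheap pills here: http://spam-ads.example.net/buy
Visit http://casino.example.org for bonuses!
"""

def _host_is_trusted(host, trusted_domains):
    """True if host equals, or is a subdomain of, any trusted domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d)
               for d in (t.lower().rstrip(".") for t in trusted_domains))

def find_untrusted_links(response, trusted_domains):
    """Return [(line_number, url)] for every URL whose host is not trusted.
    Genuine records link out (registrar URL, abuse contacts), hence an allowlist."""
    findings = []
    for lineno, line in enumerate(response.splitlines(), start=1):
        for url in URL_RE.findall(line):
            # Undo hxxp defanging so urlsplit can extract the hostname.
            host = urlsplit(url.lower().replace("hxxp", "http", 1)).hostname or ""
            if not _host_is_trusted(host, trusted_domains):
                findings.append((lineno, url))
    return findings

def referral_server_is_trusted(response, trusted_domains):
    """A whois client follows 'Registrar WHOIS Server:' automatically, so a
    referral to an unexpected host deserves a flag of its own."""
    m = re.search(r"^Registrar WHOIS Server:\s*(\S+)", response, re.M | re.I)
    return bool(m) and _host_is_trusted(m.group(1), trusted_domains)

if __name__ == "__main__":
    trusted = {"registrar.example", "example.co.za"}
    for lineno, url in find_untrusted_links(SAMPLE_RESPONSE, trusted):
        print(f"line {lineno}: untrusted link {url}")
    print("referral trusted:", referral_server_is_trusted(SAMPLE_RESPONSE, trusted))
```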