The Internet Corporation for Assigned Names and Numbers (ICANN) has fallen victim to a phishing attack which resulted in the attackers gaining administrative access to some of ICANN’s systems, including its Centralized Zone Data Service (CZDS).
In an email alert sent this morning, ICANN said it believes a spear phishing attack in November resulted in several ICANN staff members’ email credentials being compromised. The stolen passwords were then used to gain unauthorised access to multiple ICANN systems, which could have resulted in other usernames and passwords being compromised.
Although CZDS passwords are stored as salted hashes, ICANN has taken the precaution of deactivating passwords and API keys used on the compromised CZDS service. ICANN implemented some security enhancements earlier this year, which it believes limited the extent of the unauthorised access, and has implemented further measures since this attack.
The spear phishing emails involved in this attack were crafted to appear to originate from ICANN’s own domain, which is a common tactic for phishers as it lends a fair amount of credibility to the emails. This domain spoofing could well have played an important part in the successfulness of the attack, but icann.org still does not feature any Sender Policy Framework records to specify who can send mail on its behalf.
Organisations concerned about these types of attack can use Netcraft’s Fraud Detection service, which processes DMARC (Domain-based Message Authentication, Reporting and Conformance) reports on your behalf. These reports are sent by ISPs and e-mail receivers when they see any emails which claim to be from one of your own domains. A web interface shows the status of all of your own domains, any configuration changes required, and highlights unprotected domains being used by fraudsters attacking your customers.