Yesterday some users of the social network LinkedIn suffered from an attack in which they were redirected to a false resource. Firstly, there was an opinion that fraudsters stole the domain of the social network. But today the new information about the incident appeared. It turned out that the situation was provoked by an error of the employees of the domain name registrar Network Solutions. Some resources of the company became victims of a DDoS-attack, and to resist it the DNS-entries of some clients have been changed.
According to security expert from Cisco Jason Shultsa, DNS “hijacking” occurred because NetWork Solutions DNS nameservers were replaced with nameservers at ztomy.com. As a result, 5,000 domains could be affected. The expert noted that it really looked like the incident was due to the error made by members of Network Solutions.
The nameservers at ztomy.com were configured to reply to DNS requests for the affected domains with IP addresses in the range 220.127.116.11/24. This range corresponds to IP addresses of ISP Confluence Networks.
Attackers often "hijack" domain names to intercept session cookies, spread viruses and redirect users to phishing resources. That's why an incident with LinkedIn was perceived as hacking by the majority of experts.