starwars.com subdomain hijacked?
It seems the subdomain "shop.starwars.com" is being redirected. Anybody else seeing this?
HTML served up looks official, albeit different NS servers and IP Range from main site. Resolves to 209.20.19.60 (shop.starwars.novator2.com.). Couldn't tell you if that's where it's "meant" to go mind...

[root@...]# dig shop.starwars.com

; <<>> DiG <<>> shop.starwars.com
;; Got answer:
;; QUESTION SECTION:
;shop.starwars.com. IN A

;; ANSWER SECTION:
shop.starwars.com. 3600 IN CNAME shop.starwars.novator2.com.
shop.starwars.novator2.com. 600 IN A 209.20.19.60

;; AUTHORITY SECTION:
novator2.com. 600 IN NS ns2.novator.com.
novator2.com. 600 IN NS ns3.novator.com.
novator2.com. 600 IN NS ns1.novator.com.

;; Query time: 406 msec
;; WHEN: Mon Nov 22 16:33:40 2010
;; MSG SIZE rcvd: 150

[root@...]# dig starwars.com

; <<>> DiG <<>> starwars.com
;; Got answer:
;; QUESTION SECTION:
;starwars.com. IN A

;; ANSWER SECTION:
starwars.com. 3600 IN A 208.72.12.228

;; AUTHORITY SECTION:
starwars.com. 3600 IN NS dns.lucasfilm.com.
starwars.com. 3600 IN NS sbdns3.cscdns.net.

;; ADDITIONAL SECTION:
sbdns3.cscdns.net. 9515 IN A 165.160.12.22

;; Query time: 249 msec
;; WHEN: Mon Nov 22 16:34:39 2010
;; MSG SIZE rcvd: 121

-----Original Message-----
From: Matt Disuko [mailto:gourmetcisco@hotmail.com]
Sent: 22 November 2010 15:47
To: nanog@nanog.org
Subject: starwars.com subdomain hijacked?

It seems the subdomain "shop.starwars.com" is being redirected. Anybody else seeing this?
Appears that it's a CNAME for shop.starwars.novator2.com.
The expiry day is 11/22/2011, so if I were to guess I would think that the domain expired, sent to an advert page, and was just renewed.

-wil

On Nov 22, 2010, at 7:46 AM, Matt Disuko wrote:
It seems the subdomain "shop.starwars.com" is being redirected.
Anybody else seeing this?
Yep, that's it. My nameserver is caching the old advert site that was serving up when the domain expired:

;; ANSWER SECTION:
shop.starwars.com. 1652 IN CNAME shop.starwars.novator2.com.
shop.starwars.novator2.com. 1652 IN A 74.54.152.75

;; AUTHORITY SECTION:
novator2.com. 160198 IN NS dns.yourdomainhasexpired.com.
novator2.com. 160198 IN NS dns2.yourdomainhasexpired.com.

bloody hell.

-matt
Subject: Re: starwars.com subdomain hijacked?
From: wschultz@bsdboy.com
Date: Mon, 22 Nov 2010 08:49:48 -0800
CC: nanog@nanog.org
To: gourmetcisco@hotmail.com
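The check Matt's cached answer calls for, as an added example that is not code posted in this thread: parse the text dig prints (the same layout quoted above), follow the CNAME chain from the queried name, and report when a hop lands in another organisation's registrable domain and when that domain's authoritative NS set no longer matches a baseline. The baseline NS set for novator2.com is assumed from Gavin's post-renewal answer, the sample dig text is constructed from the two answers quoted in the thread, the registrable-domain logic is a last-two-labels approximation (no public-suffix list), and the "expired"-in-NS-name rule is a heuristic drawn from the nameservers seen here, not a standard.

```python
"""Flag a CNAME that hands a hostname to a third party's zone and detect when
that zone's delegation has changed (e.g. to an expiry/parking nameserver).

Added example, not code posted in this thread. Assumptions are marked inline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


# One resource record line as dig prints it, e.g.
#   shop.starwars.com. 3600 IN CNAME shop.starwars.novator2.com.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME|NS)\s+(\S+)\s*$")
# The question line, e.g.  ;shop.starwars.com. IN A
QUESTION_LINE = re.compile(r"^;(\S+)\s+IN\s+\w+\s*$")


def parse_dig(text: str) -> tuple[str | None, list[RR]]:
    """Return (queried name, records). Only A/AAAA/CNAME/NS records are kept."""
    queried, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        q = QUESTION_LINE.match(line)
        if q:
            queried = q.group(1).lower()
            continue
        m = RR_LINE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append(RR(name.lower(), int(ttl), rtype, rdata.lower()))
    return queried, records


def registrable_domain(name: str) -> str:
    """Naive apex: last two labels. Assumption: no public-suffix list, so this
    is wrong under suffixes like co.uk; it is enough for the .com names here."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def follow_cname_chain(records: list[RR], name: str, max_hops: int = 8) -> list[str]:
    """Follow CNAMEs from `name`; stops on a loop or after max_hops targets."""
    chain = [name.lower().rstrip(".") + "."]
    cnames = {r.name: r.rdata for r in records if r.rtype == "CNAME"}
    while chain[-1] in cnames and len(chain) <= max_hops:
        nxt = cnames[chain[-1]]
        if nxt in chain:
            break
        chain.append(nxt)
    return chain


def audit(dig_text: str, expected_ns: dict[str, set[str]]) -> list[str]:
    """Findings for one dig answer. expected_ns maps a registrable domain to
    the NS names last validated for it (an assumed baseline you maintain)."""
    queried, records = parse_dig(dig_text)
    if queried is None:
        if not records:
            return ["no records parsed"]
        queried = records[0].name
    chain = follow_cname_chain(records, queried)
    origin = registrable_domain(chain[0])
    findings: list[str] = []
    for hop in chain[1:]:
        apex = registrable_domain(hop)
        if apex == origin:
            continue  # still inside our own zone
        findings.append(f"third-party dependency: {chain[0]} -> {hop} (zone {apex})")
        observed = {r.rdata for r in records if r.rtype == "NS" and r.name == apex + "."}
        baseline = expected_ns.get(apex)
        if baseline is not None and observed and observed != baseline:
            findings.append(f"NS change for {apex}: {sorted(observed)} != {sorted(baseline)}")
        # Heuristic taken from the nameservers seen in this thread, not a standard.
        if any("expired" in ns for ns in observed):
            findings.append(f"parking/expiry nameservers for {apex}: {sorted(observed)}")
    return findings


# Constructed sample input, assembled from the two answers quoted in this thread.
RENEWED = """\
;; QUESTION SECTION:
;shop.starwars.com. IN A

;; ANSWER SECTION:
shop.starwars.com. 3600 IN CNAME shop.starwars.novator2.com.
shop.starwars.novator2.com. 600 IN A 209.20.19.60

;; AUTHORITY SECTION:
novator2.com. 600 IN NS ns2.novator.com.
novator2.com. 600 IN NS ns3.novator.com.
novator2.com. 600 IN NS ns1.novator.com.
"""

CACHED_EXPIRED = """\
;; QUESTION SECTION:
;shop.starwars.com. IN A

;; ANSWER SECTION:
shop.starwars.com. 1652 IN CNAME shop.starwars.novator2.com.
shop.starwars.novator2.com. 1652 IN A 74.54.152.75

;; AUTHORITY SECTION:
novator2.com. 160198 IN NS dns.yourdomainhasexpired.com.
novator2.com. 160198 IN NS dns2.yourdomainhasexpired.com.
"""

# Assumed baseline: the NS set Gavin's post-renewal answer showed.
BASELINE_NS = {"novator2.com": {"ns1.novator.com.", "ns2.novator.com.", "ns3.novator.com."}}

if __name__ == "__main__":
    for label, text in (("renewed", RENEWED), ("cached", CACHED_EXPIRED)):
        print(label)
        for finding in audit(text, BASELINE_NS):
            print("  ", finding)
```

Run against a live `dig` answer by piping its output into `audit()`; the first finding (a hop into someone else's zone) is the inventory item to track, the NS-change finding is the alert that the zone you depend on changed hands or lapsed, which is what every resolver that still had the parking answer cached would have shown here.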
On Mon, Nov 22, 2010 at 08:49:48AM -0800, Wil Schultz said:
Appears that it's a CNAME for shop.starwars.novator2.com.
The expiry day is 11/22/2011, so if I were to guess I would think that the domain expired, sent to an advert page, and was just renewed.
-wil
Smartest attack is to put up a page that looks exactly the same as the legit site, but with your own cheaper crappier knockoff starwars paraphernalia ('duke', 'tewey', 'princess luba') that you sell instead and make the huge profits.

Not to give anyone any ideas that weren't obvious like 15 years ago.

How anyone can tell the internet is legit at a glance is beyond me. Need to hook up firefox's security warning to my speakers to get a modicum of alert that SSL is busted, to start, nevermind anything more creative.

That phishers manage to fake sites that look wrong is also beyond me, what's so hard about 'save page as'?

/kc
--
Ken Chase - ken@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
I'm surprised by the sequence of events here..

domain "novator2.com" is registered with DomainsAtCost.ca.
domain "novator2.com" expires...
gets picked up by the administrators of "yourdomainhasexpired.com" - Rebel.com? 1550507.ca?

;; ANSWER SECTION:
shop.starwars.com. 1655 IN CNAME shop.starwars.novator2.com.
shop.starwars.novator2.com. 1655 IN A 74.54.152.75

;; AUTHORITY SECTION:
novator2.com. 160201 IN NS dns2.yourdomainhasexpired.com.
novator2.com. 160201 IN NS dns.yourdomainhasexpired.com.

Redir'd to an advert site, instead of a default "DomainsAtCost.ca" holding page or...nowhere.
Apparently quickly renewed and "given back" to the original owners.

Who's at play here? Does DomainsAtCost have a deal with Rebel.com? Or are they the same company?
It all seems fishy to me. Is this normal practice?
Date: Mon, 22 Nov 2010 12:05:21 -0500
From: ken@sizone.org
To: nanog@nanog.org
Subject: Re: starwars.com subdomain hijacked?
Novator (Canadian web-shopping company, used to be FTD's big partner) is responsible for shop.starwars.com so I think all that's happened here is Novator forgot to renew a domain.

domainsatcost.ca is rebel.com is Momentous.ca and they own yourdomainhasexpired.com.

-Rich

On 22 Nov 10, at 12:19 PM, Matt Disuko wrote:
--
Rich Lafferty
rich@lafferty.ca
participants (8)
- Gavin Pearce
- Jaren Angerbauer
- Ken Chase
- Matt Disuko
- Rich Lafferty
- Rubens Kuhl
- Seth Mattinen
- Wil Schultz