Nearly a week after revelations that Lenovo had installed dangerous ad-injecting software on user laptops, attackers took complete control of the company’s valuable domain name Lenovo.com, a coup that allowed them to intercept the PC maker’s email and impersonate its web pages.
The hijacking was the result of someone compromising a Lenovo account at Web Commerce Communications, the company’s domain registrar, and changing the IP address that was called up when people typed Lenovo.com into their web browsers or email applications. As a result, legitimate Lenovo servers were bypassed in favor of one controlled by the attackers. Marc Rogers, principal security researcher at content delivery network CloudFlare, told Ars the new IP address pointed to a site hosted behind his company’s name servers. CloudFlare has since taken control of the customer’s account, and at the time this post was prepared, company engineers were working to help Lenovo restore normal email and website services.
“We took control as soon as we found out (minutes after it happened), and we’re working with Lenovo to restore service,” Rogers said. “Everything we see at the point it reaches us, at which point we take immediate action to protect them and their work.”
Rogers went on to say that the unknown attackers had published MX mail server records that allowed them to read email sent to Lenovo employees. The fraudulent records have since been removed. Rogers’ account is consistent with an image posted by the LizardCircle Twitter account. The image shows an email sent by an external PR person to several people in Lenovo’s PR department.
The attackers “were hijacking email until we took control of the account,” Rogers said. “At that time we removed their records and waited. I confirmed that when we took control (and) removed some bad MX (email) records. I don’t think they were expecting us to come in and save the day for Lenovo as quickly as we did, though.”
Update: A little more than two hours after this article went live, Lenovo officials issued a statement that replaced the previously published statement. It reads:
Unfortunately, Lenovo has been the victim of a cyber attack. One effect of this attack was to redirect traffic from Lenovo’s website. We are also investigating other aspects. We are responding and have already restored some functionality to the public-facing website.
We regret any inconvenience our users may have if they are unable to access parts of our site at this time. We are actively reviewing our network security and will take appropriate steps to support our site and to protect the integrity of our users’ information and experience.
We are still working closely with third parties to combat this attack and will provide additional information as it becomes available.
People who visited the site during the attack saw a slide show of a girl or young woman with dark hair sitting in what looked like an apartment. When clicked, the images led to a Twitter account that criticized Lenovo for preloading some of its computers with ad-injection software that completely breaks encrypted connections to HTTPS-secured websites. The software, provided by a company called Superfish, gives attackers a cheap and easy way to impersonate Bank of America, Google, or any other website on the Internet and still be trusted by many web browsers.
An important point that is often missed in news coverage of domain name hijackings is that the attackers responsible do not actually breach the targeted company’s servers. Instead, the attack causes people who try to send email or visit web pages to bypass the targeted company’s servers in favor of attacker-controlled ones, often with few clues to end users that anything is wrong. That’s not to say domain name hijackings can’t cause serious security problems for the targets. In Wednesday’s case, the attackers had complete control of the Lenovo.com name, a feat that allowed them not only to intercept email sent to Lenovo employees but also to easily impersonate any Lenovo.com address.
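The mechanism described above and in the second paragraph (the domain repointed at the registrar, bogus MX records added, nothing on the victim’s own servers touched) leaves a trace in the one place a defender can always look: the records the public DNS actually returns. The following is an added example, not code from the article, CloudFlare, or Lenovo. It keeps a baseline of the A and MX records a zone is supposed to publish, parses resolver output in dig’s presentation format, and reports any drift, rating a foreign mail exchanger or a fully replaced record set as the most serious. The domain, addresses and hostnames are constructed placeholders.

```python
"""Detect unexpected changes to a domain's A and MX records.

Added example: a defender keeps a baseline of the records a zone should
publish and periodically compares it with what public resolvers return.
A registrar-level hijack that repoints the domain and adds a rogue MX
shows up as drift between baseline and observation, even though the
victim's own servers were never touched.
"""
from dataclasses import dataclass

# Hypothetical domain and record values, constructed for this example.
BASELINE = {
    "example-corp.test": {
        "A": {"198.51.100.10"},
        "MX": {(10, "mx1.example-corp.test."), (20, "mx2.example-corp.test.")},
    }
}


@dataclass
class Finding:
    domain: str
    rtype: str
    severity: str
    detail: str


def compare_records(baseline, observed):
    """Return a Finding for every record set that differs from the baseline.

    Both arguments map domain -> rtype -> set of values (strings for A,
    (preference, host) tuples for MX). A set that shares nothing with the
    baseline means the domain has been repointed entirely; an extra MX
    means a new host can receive the domain's mail.
    """
    findings = []
    for domain, rtypes in baseline.items():
        seen = observed.get(domain, {})
        for rtype, expected in rtypes.items():
            actual = set(seen.get(rtype, set()))
            if actual == expected:
                continue
            missing = expected - actual
            extra = actual - expected
            if not actual & expected:
                severity = "critical"  # nothing we expect is served any more
            elif extra and rtype == "MX":
                severity = "high"      # rogue mail exchanger added
            else:
                severity = "medium"
            findings.append(Finding(
                domain, rtype, severity,
                f"missing={sorted(map(str, missing))} extra={sorted(map(str, extra))}",
            ))
    return findings


def parse_zone_lines(lines):
    """Parse dig-style answer lines 'name ttl IN TYPE rdata' into the dict shape above."""
    out = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, rtype = parts[0].rstrip("."), parts[3]
        if rtype == "A":
            value = parts[4]
        elif rtype == "MX":
            value = (int(parts[4]), parts[5])
        else:
            continue  # only A and MX are baselined here
        out.setdefault(name, {}).setdefault(rtype, set()).add(value)
    return out


# Constructed sample of what a resolver might return after a hijack:
# the A record points elsewhere and a foreign MX has been added.
HIJACKED_ANSWER = [
    "example-corp.test. 300 IN A 203.0.113.7",
    "example-corp.test. 300 IN MX 10 mx1.example-corp.test.",
    "example-corp.test. 300 IN MX 20 mx2.example-corp.test.",
    "example-corp.test. 300 IN MX 5 mail.attacker-controlled.invalid.",
]

if __name__ == "__main__":
    for f in compare_records(BASELINE, parse_zone_lines(HIJACKED_ANSWER)):
        print(f"[{f.severity}] {f.domain} {f.rtype}: {f.detail}")
```

In practice the observed records would come from a scheduled query against several independent public resolvers (the output of `dig +noall +answer example-corp.test A MX` is already in the format the parser accepts), and a `critical` or `high` finding should page the on-call owner of the registrar account, since that account, not the web or mail servers, is where the change was made.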
The interception of Lenovo email is sure to attract the attention of law-enforcement officials, and the attackers’ use of CloudFlare may make it easier for them to be identified and tracked. Stay tuned. This story will no doubt continue to play out in the coming days.