Checkpoint research have published an interesting demonstration of hacking a customer account for an EA online game by chaining together a series of conventional attacks including social engineering, phishing and session high-jacking. What makes this demonstration noteworthy is the use of poor DNS hygiene in order to take control of a subdomain of EA.com.
For distributed cloud based infrastructures it is common practice for projects or marketing campaigns to make use of subdomains which point to temporary servers spun up for the duration on cloud services. For example: newproject.ea.com is running on new virtual servers on an Amazon Web Services (AWS) instance. In order to configure this, a CNAME DNS record is used to direct the newproject.ea.com subdomain to the virtual servers on AWS which will have a host name such as random-server.europe1.elb.amazonaws.com.
The vulnerability occurs when the ‘newproject’ ends and the infrastructure is decommissioned on AWS – but no-one remembers to cancel that CNAME record on the DNS. By monitoring the DNS records of potential targets, attackers can spot when mistakes like this happen.
An attacker can now spin up their own AWS virtual server and configure it to have the same internal AWS domain name as used in the victim’s previous project (eg random-server.europe1.elb.amazonaws.com). Now any web traffic directed to newproject.ea.com will end up on the server controlled by the attacker.
You can watch the demonstration of the attack in this video
