Lenovo.com hijacking made possible by compromise of Webnic registrar

Lenovo simply can’t catch a break. After the massive negative attention it received for their ill-advised decision to ship some of its notebooks with pre-installed adware that also uses MITM SSL certificates, for a short time on Wednesday their main domain – Lenovo.com – has been hijacked and effectively defaced by the hacker collective Lizard Squad.

The defaced page showed a slideshow of photos of two youngsters – according to Brian Krebs, they are Ryan King (aka “Starfall”) and Rory Andrew Godfrey (“KMS”), two former members of the hacker collective Hack The Planet – accompanied with music. The reason for the defacement is purportedly Lenovo’s Superfish blunder.

The defaced page pointed to Lizard Squad’s Twitter feed and served as an advertisement for its LizardStresser DoS service.

The hackers didn’t compromise Lenovo’s servers. Instead, they (apparently) compromised those of Web Commerce Communications (Webnic.cc), a popular Malaysia-based Internet registrar with whom the Lenovo domain is registered.

This allowed them to change Lenovo.com’s nameserver settings to point at CloudFlare’s DNS servers, and from the to their page hosted at Digital Ocean’s Netherlands data center. Luckily, CloudFlare was fast to notice the fact, and moved, along with Lenovo, to resolve the issue.

Unfortunately, for that short time that Lizard Squad had control over the domain’s DNS and the domain itself, they also were receiving all emails sent to the company, as evidenced by this tweet.

Lenovo has acknowledged the attack, and said they were investigating the matter. The company website is again accessible to users. Webnic.cc is still down at the time of publishing of this article.

This attack mirrored the one against Google’s Vietnamese domain from a few days earlier. According to OpenDNS, both sites used the same registrar, and both redirects used Cloudflare to obfuscate the IP address of the destination server and to balance the traffic load to the website.

“Two defacements in a single week is normally nothing, but two extremely high-profile defacements from the same registrar in the same week is a definite trend. We may see more redirections of domains that were registered with Webnic.cc in the coming days,” commented Andrew Hay, director of security research at OpenDNS.




Share this