Spear-phishers grab emails from internet overseer ICANN

Spear-phishers managed to lure several employees at the Internet Corporation for Assigned Names and Numbers (ICANN) to give up their login details, the organisation said in a release published on Tuesday.

ICANN, which oversees the internet’s address system, said that starting late last month, the attackers crafted email messages to look like they came from within its own domain which “resulted in the compromise of the email credentials of several ICANN staff members”.

This suggests that several targeted employees clicked on a rigged link that took them to a bogus login page, where they dutifully typed in their usernames and passwords.
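The lure described above relies on a From: address that claims to be the organisation's own domain while the message actually arrives from outside. A receiving mail gateway can spot that combination: if the From: domain is internal but the inbound connection failed SPF and DKIM, and any link in the body points somewhere other than the organisation's own hosts, the message deserves quarantine or a warning banner. The script below is an added illustration of that check, not ICANN's or Sophos's code; the domain `example.org`, the two sample messages and their Authentication-Results headers are constructed for the example, and the finding names are made up.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from typing import Dict, List
from urllib.parse import urlparse

# Assumption: the defended organisation's own mail domain (placeholder, not ICANN's).
INTERNAL_DOMAIN = "example.org"

# Constructed sample messages. The Authentication-Results header is the kind a
# receiving MX adds after checking SPF and DKIM on the inbound connection.
SPOOFED_RAW = """\
From: IT Helpdesk <helpdesk@example.org>
To: staff@example.org
Subject: Password expiry - action required
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=attacker.invalid; dkim=none
Content-Type: text/plain

Your password expires today. Sign in at http://login.example.org.attacker.invalid/ to keep access.
"""

LEGIT_RAW = """\
From: IT Helpdesk <helpdesk@example.org>
To: staff@example.org
Subject: Planned maintenance on Saturday
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org
Content-Type: text/plain

The portal at https://login.example.org/ will be unavailable for two hours on Saturday.
"""


def sender_domain(msg) -> str:
    """Domain part of the RFC 5322 From: header, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> Dict[str, str]:
    """Collect spf=/dkim=/dmarc= verdicts from Authentication-Results headers added by our own MX."""
    results: Dict[str, str] = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()] = verdict.lower()
    return results


def is_internal_host(host: str) -> bool:
    """True only for the internal domain itself or a real subdomain of it.
    A lookalike such as login.example.org.attacker.invalid ends with attacker.invalid, so it fails."""
    host = host.lower()
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def link_hosts(body: str) -> List[str]:
    """Hostnames of all http(s) URLs found in the message text."""
    return [urlparse(u).hostname or "" for u in re.findall(r"https?://[^\s<>\"]+", body)]


def analyse(raw: str) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw, policy=default)
    findings: List[str] = []

    # Finding 1: the header claims our own domain, yet the connection passed neither SPF nor DKIM.
    auth = auth_results(msg)
    if sender_domain(msg) == INTERNAL_DOMAIN and auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        findings.append("from-claims-internal-domain-but-fails-authentication")

    # Finding 2: a link in the body leads to a host that is not one of ours.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for host in link_hosts(text):
        if not is_internal_host(host):
            findings.append(f"external-link-host:{host}")
    return findings


if __name__ == "__main__":
    print("spoofed:", analyse(SPOOFED_RAW))
    print("legit:  ", analyse(LEGIT_RAW))
```

The first rule depends on the gateway actually stamping Authentication-Results for every inbound message, and on the organisation publishing SPF and signing with DKIM; without those, "claims our domain" carries no signal. The second rule is deliberately conservative: it checks the registrable suffix of the link host, which is why the lookalike hostname in the constructed sample is caught.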

With that login info, the crooks not only got the keys to the workers’ email accounts, but also got access to the Centralized Zone Data System (CZDS).

That included copies of the zone files in the system, as well as user information such as names, postal addresses, email addresses, fax and telephone numbers, usernames, and passwords.

Thankfully, those passwords were stored as salted cryptographic hashes. Nonetheless, ICANN deactivated the passwords, just to be safe.

CZDS users will have to request a new password at czds.icann.org.
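Why salted hashes limit the damage of a stolen user table, and what "deactivating the passwords" amounts to in practice, can be shown in a few lines. The code below is an added example and not ICANN's CZDS code; the article does not say which hash function or work factor CZDS used, so PBKDF2-HMAC-SHA256 with 600,000 iterations is an assumption chosen for illustration, and the `active` flag and `reset_password` helper are made-up names for the revoke-then-reissue step.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumptions for the example: a slow, salted KDF and a per-user 16-byte random salt.
ITERATIONS = 600_000
SALT_BYTES = 16


def create_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a per-user random salt plus a slow salted hash, never the password itself."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS, "active": True}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time; deactivated records never verify."""
    if not record["active"]:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def deactivate(record: dict) -> None:
    """Operator response to a suspected dump: the stored hash stops granting access
    until the user sets a new password through a separate reset path."""
    record["active"] = False


def reset_password(old_record: dict, new_password: str) -> dict:
    """Issue a fresh record with a fresh salt; the old record is not reused."""
    return create_record(new_password)


def same_password_different_hashes(password: str) -> bool:
    """Two users with the same password get unrelated hashes, so a stolen table
    cannot be attacked once and the result reused across accounts."""
    a, b = create_record(password), create_record(password)
    return a["hash"] != b["hash"]


if __name__ == "__main__":
    rec = create_record("correct horse battery staple")
    print("login ok:", verify_password(rec, "correct horse battery staple"))
    deactivate(rec)
    print("after deactivation:", verify_password(rec, "correct horse battery staple"))
```

The salt does nothing to stop someone guessing one weak password for one account; it stops precomputed tables and stops one crack from paying off many times. The iteration count is what makes each guess expensive, which is why a table of salted, slow hashes buys time to deactivate and reset, exactly the move the article describes.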

The intruders also managed to get into user accounts on two other systems, the ICANN blog and the ICANN WHOIS portal, but ICANN says that it has not detected any impact on either of those systems.

Is it disturbing that a company with so much control over the internet proved vulnerable to an attack like this?

Oh, yes. It shouldn’t have happened. But it could have been much worse.

If the crooks had been able to modify DNS zone data – to alter the global directory of which sites are where on the internet – then that would indeed have been catastrophic.

Fortunately, it seems that all the attackers got access to was a read-only database, which allowed them to look at zone files and registration details, but not actually to change anything.

ICANN says that earlier this year, it began to overhaul security on all ICANN systems and suggests that the enhancements helped limit how far the attackers could get in this breach. Since discovering the attack, it’s also bolstered security still further, it says.

So, at least from what ICANN is telling us, it sounds like security weaknesses got addressed just in time.

Thank goodness for proactive security work!