NEW RESEARCH – On December 30, Fredrik Nordberg Almroth, security researcher and co-founder of Detectify – the Sweden-born cybersecurity company that offers a web vulnerability service powered by leading ethical hackers – found a vulnerability that left the country code top-level domain of the Democratic Republic of Congo, .cd, open to severe potential abuse. Fredrik bought a name server for .cd before any attacker could – by that preventing thousands of .cd domains from potentially being exploited. He reported the vulnerability and it was patched shortly after.

Image: Fredrik Nordberg Almroth, co-founder and security researcher at Detectify

Hijacking the top-level domain (ccTLD) of a sovereign state gives the owner control over an entire country’s domain traffic. The implications can be devastating if the domain falls into the wrong hands. A successful attacker could potentially redirect traffic to rogue websites, steal user credentials and use the domain name for phishing or spreading malware to millions of internet users, in ways that go undetected by the ordinary web browser.

Detectify co-founder and security researcher Fredrik Nordberg Almroth found that someone had failed to renew the domain scpt-network.com, used in directing traffic to .cd domains – the top-level domain of the Democratic Republic of Congo. Scpt-network.com was open for anyone to purchase, and Fredrik bought it before a malicious actor could get a hold of it. This granted him access to over half of the traffic to all websites within the .cd domain – including those for major international corporations and financial institutions.

Fredrik reported the vulnerability to the entity operating .cd, and it was fixed within days.

“This affects all .cd websites, and this domain is used by a population of 90 million people. Imagine if a malicious actor had taken control of it – they would have been able to eavesdrop on users, modify web traffic or distribute malware on a very large scale“, says Fredrik Nordberg Almroth.

How to prevent a hostile domain takeover

DNS hijacking involving the top-level domain of an entire country is rare but not unheard of. It happened to the ccTLD of the former Soviet Union (.su) and the Lenovo and Google websites for Vietnam (.vn) in 2015.

Hijacking can also happen on the subdomain level, affecting website owners. Having a good overview of the potential attack surface helps mitigate risk.

“The key is to detect any vulnerabilities faster than attackers, and fix them as soon as possible. Make sure to continuously monitor your domains for issues and use a tool that alerts you right away if anything is detected”, Fredrik concludes.

A technical report with full details on the hack is available on Detectify Labs.

For more information, please contact:

Fredrika Isaksson, PR Manager
[email protected]
+46 (0) 76 – 774 96 66

or [email protected]