[ISN] Attackers protesting Superfish debacle hijack Lenovo e-mail, spoof website

http://arstechnica.com/security/2015/02/attackers-take-control-of-lenovo-com-hijacking-e-mail-and-web-servers/ By Dan Goodin Ars Technica Feb 25, 2015 Almost a week after revelations surfaced that Lenovo preinstalled dangerous ad-injecting software on consumer laptops, attackers took complete control of the company’s valuable Lenovo.com domain name, a coup that allowed them to intercept the PC maker’s e-mail and impersonate its Web pages. The hijacking was the result of someone compromising a Lenovo account at domain registrar Web Commerce Communications, and changing the IP address that gets called when people typed Lenovo.com into their Web browsers or e-mail applications. As a result, the legitimate Lenovo servers were bypassed and replaced with one that was controlled by the attackers. Marc Rogers, a principal security researcher at content delivery network CloudFlare, told Ars the new IP address pointed to a site hosted behind his company’s name servers. CloudFlare has seized the customer’s account, and at the time this post was being prepared, company engineers were working to help Lenovo restore normal e-mail and website operations. “We took control as soon as we found out (minutes after it happened) and are now working with Lenovo to restore service,” Rogers said. “All we saw was the domain come in to us, at which point we took immediate action to protect them and their service.” Rogers went on to say the unknown attackers posted MX mail server records that allowed them to read e-mail sent to Lenovo employees. The fraudulent records have since been removed. Rogers’ account is consistent with an image posted by the LizardCircle Twitter account. The image showed an e-mail sent by an outside PR person to several people inside Lenovo’s PR department. […]