On November 23, Craigslist was hacked and taken offline. Hours later, the popular site for finding everything from a job to a significant other still wasn’t loading for many people. On some of the local sites (e.g. Miami.craigslist.org, Dallas.craigslist.org, etc.), visitors are being redirected until the mess is fully sorted out, but that “redirecting” mirrors the hack itself. Just days before Black Friday (also known as the weekend people start scouring Craigslist for holiday deals being re-sold for small profits), CL users were redirected to “Digital Gangster” in what experts are calling a DNS hijack.
However, even the hack itself didn’t hold for long. CL gets an absurd amount of traffic, and that sheer volume rendered Digital Gangster itself inaccessible. If the name sounds familiar, it might be because Digital Gangster(s) were behind the notorious 2009 Twitter Hack or the time Miley Cyrus’ photos were stolen from her Gmail back in 2008.
The day of the CL hack, the site’s domain registration name was changed to “steven wynhoff @ LulzClerk”, which is a Twitter account that’s been suspended. While Wynhoff does in fact have a real Twitter account, it hasn’t been active in two years. Since then, the domain record has been corrected, but CL is still offline. If it turns out that it really is a DNS attack, it might be hours before everything is up and running again.
The good news is that DNS hijacks aren’t that complicated, and customer data is rarely breached by them. Plus, as far as CL goes, any customer data would be sparse at best. The only possible exposure for customers would be the usernames and accounts used for the forums, but no personal data is stored for those.
According to Jim Buckmaster, CEO of CL, “At approximately 5pm PST Sunday evening the craigslist domain name service (DNS) records maintained at one of our domain registrars were compromised, diverting users to various non-craigslist sites. The issue has been corrected at the source, but many internet service providers cached the false DNS information for several hours, and some may still have incorrect information. If you are unable to reach the craigslist site, please ask your network provider or tech staff to flush all *.craigslist.org and *.craigslist.com entries from their DNS servers.”
How Does DNS Hijacking Work?
This happens when a computer’s TCP/IP settings are overridden so that its lookups go to a rogue DNS server instead of the legitimate default. The job of DNS is to take a user-friendly domain name like craigslist.org and translate it into its IP address. Every website’s name is served by DNS servers, and the resolver most computers use is managed by an internet service provider (ISP): computers are configured by default to use the DNS server their ISP provides.
However, if a hacker gets access to a computer, changes its DNS settings, and ensures the computer now uses a rogue DNS server that the hacker controls, that’s when a hijack occurs. The rogue DNS server can then answer a domain name with a malicious IP address. Users type in a website, such as craigslist.org, and they’re redirected to a fake site.
Most DNS attacks are fairly harmless to users, but they can be used for “pharming”, such as when the fake website is full of pop-up ads and spam that help drum up revenue. They can also be used for phishing, where the fake site looks like the real one in order to collect information like bank account numbers (of course, for Craigslist, a phishing scam probably wasn’t the goal given the lack of sensitive information shared on the site).
Craigslist Lessons Learned
Usually, DNS hijacking is carried out by “Trojans”, malware programs that are often passed around as video or audio downloads. It’s why a website that dishes up free downloads should be approached cautiously. In order to avoid a DNS hijacking, only download from trusted sites, change your router password regularly, and make sure a solid antivirus program is installed and maintained.
We may never know exactly how the hackers got into Craigslist, but it was likely due to poor downloading decisions or sheer laziness (not changing the router password for a year would be my guess, since once you’re on a company’s network, things like this are easy because you’re on their IP). Craigslist probably won’t want to publicly admit that an employee was downloading cat videos from a malicious site while on the job or that they let their antivirus software expire. However, it serves as a reminder to follow best safeguarding practices, and that even a site that collects no in-demand data (like bank account numbers) can become a DNS hijacking victim.