Amazon, Apple and Microsoft vulnerable to ‘domain jacking’

An expired Apple domain was hijacked by a cyber security researcher, along with several others that were owned by top technology giants Credit: PA

Amazon, Microsoft and Apple have left themselves and customers vulnerable to hackers conducting a “domain jacking” attack, The Daily Telegraph can reveal.  

Poor cyber security measures allow fraudsters to hijack subdomains that companies have either forgotten about or misconfigured. The fraudsters can then use those subdomains to impersonate the company's brand and lure unsuspecting customers to spoof websites, in an attempt to extract their financial details or install spying software on their devices.

This includes an Apple support website, which was created to help customers to arrange appointments to fix their mobile phones. 

A security analyst at Israel-based CyberInt was able to take over the subdomain and register it as a phishing site that would redirect to apple.com in a proof of concept.

An Amazon website created to host pictures used by buyers and sellers on Amazon.com was also vulnerable to attack. A misconfigured Microsoft Cloud Services domain was also discovered.

A customer or employee could be lured into sharing personal or financial details in a phishing attack using hijacked subdomains Credit: Bloomberg

This could be used by attackers to send phishing emails to Microsoft workers and direct them – using the hijacked domain – to what looks like an official internal website. 

Someone trying to crack into the business and retrieve passwords for other systems could attempt to fool them into exposing log-in details or confidential information.  

The failure to keep control of subdomains appears to be a prolific problem among the world’s largest companies. Organisations with vulnerable subdomains comprise 25pc of the Fortune 500, including a major global telecoms company that provides several businesses’ apps and website domains, CyberInt found.

Itay Yankovsky, the CyberInt cofounder, said: “Unless they address the problem immediately they risk brand damage, a massive loss in consumer confidence, a potential loss of investor confidence and swingeing fines from the EU for failing to secure their subdomains properly.”

It comes just days after Dixons Carphone admitted 5.8m customer bank card details and 1.2m personal data records had been hacked in a major cyber attack that took the business a year to discover. 

Most of the cards were protected by chip-and-PIN; however, 105,000 can be used without additional verification.

It is the firm’s second major breach after suffering a similar theft in 2015, where an attacker made away with the data of three million Carphone Warehouse customers and some employees. 
