I went online on my MacBook today and noticed iTunes complaining that it couldn't connect to Apple. I tried logging out of and back in to my account, but weirdly it said it couldn't log in; I didn't think much of it at first, as I thought maybe it was iTunes just being more buggy than usual.
However, then I noticed something really weird: when I tried to visit www.apple.com my browser (Google Chrome) warned me that this website was not secure. This started ringing alarm bells in my mind; when I clicked "Continue Anyway", I was greeted with this page:
Being (somewhat of) a web designer/developer, I pay attention to a lot of details on a website, and I knew instantly this was not what the Apple homepage looks like, and they certainly didn't prompt you to log in on their homepage. I dug a little deeper into the source code for the page and could see that it was wayyyy too simplified for a large corporation; the only piece of JS was to verify that the email address was in the right format.
I began to suspect that maybe my Mac had been infected, so I switched to my iPhone and tried www.apple.com, and was shown the exact same page. To me this sounded like something to do with DNS, as the chances that both my devices were infected were very unlikely, so I then turned to my router to have a look at its settings.
Lo and behold, when digging into the DNS settings I could see that they looked a little odd. I had initially set my DNS settings to use Google's service (this was set many years ago, mind), but I knew they were something along the lines of 8.8.*.*.
In my settings, however, I found the following IPs:
Primary: 185.183.96.174
Secondary: 8.8.8.8
I knew straight away that the DNS had been changed. No one has access to my router administration page aside from me on the network, and I have disabled access to the router from outside the local network. The primary address should have been 8.8.8.8.
My question is: how could the DNS have been changed, and what can I do to prevent this from happening again?
I try to keep my router firmware up to date (although I was maybe 1 release behind in this case).
More about the phishing host:
Before I changed the primary DNS setting back, I wanted to find out more about this phishing site, so I decided to do a ping apple.com to find the IP address, which was 185.82.200.152.
When I entered this into a browser I could see that the person had actually created a number of sites. They must be based in the US; I don't believe Walmart operates outside of the States (at least not in the UK).
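The check the poster did by hand (look at the router's resolver, ping the name, compare with what a trusted resolver says) can be scripted. The following is an added example and is not code from the original post. It builds a raw DNS A query, parses the answer section of a response (including RFC 1035 compression pointers, which real resolvers use), and compares the answers from the router-configured resolvers against those from a trusted allowlist. The resolver address 185.183.96.174 and the phishing host 185.82.200.152 are taken from the post; the addresses in 192.0.2.0/24 are constructed TEST-NET values standing in for a legitimate answer, not Apple's real addresses. The `query_resolver` function does a live UDP lookup and is the only part that touches the network.

```python
"""Detect a DNS hijack: ask the configured and a trusted resolver the same
question and compare the answers. Added example, not from the original post."""
import socket
import struct
from typing import Dict, List, Sequence

# Resolvers the router is expected to use (assumption: the poster's intended 8.8.8.8
# plus one other well-known public resolver).
TRUSTED_RESOLVERS = ("8.8.8.8", "1.1.1.1")


def encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Recursive A query: header (RD bit set, QDCOUNT=1) + question (QTYPE=1, QCLASS=IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end, seen = [], False, offset, set()
    while True:
        if offset in seen:
            raise ValueError("compression pointer loop")
        seen.add(offset)
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier part of the message
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_records(msg: bytes) -> List[str]:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:  # non-zero RCODE: SERVFAIL, NXDOMAIN, REFUSED, ...
        raise ValueError(f"DNS error RCODE={flags & 0xF}")
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(rdata))
    return ips


def build_response(query: bytes, ips: Sequence[str], ttl: int = 300) -> bytes:
    """Construct a response to `query` with one A record per IP, naming the owner via
    a compression pointer to the question (offset 12), as real resolvers do."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)  # QR, RD, RA set
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
                       for ip in ips)
    return header + query[12:] + answers


def query_resolver(server: str, name: str, timeout: float = 2.0) -> List[str]:
    """Live UDP lookup against one resolver (network access; not used by the tests)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction ID mismatch")
    return parse_a_records(data)


def hijack_indicators(configured: Dict[str, List[str]],
                      trusted: Dict[str, List[str]]) -> List[str]:
    """Both arguments map resolver IP -> answer IPs for the same name.
    Flags configured resolvers outside the allowlist and answers no trusted resolver gave."""
    findings = [f"configured resolver {s} is not on the allowlist"
                for s in configured if s not in TRUSTED_RESOLVERS]
    trusted_ips = {ip for ips in trusted.values() for ip in ips}
    for server, ips in configured.items():
        rogue = sorted(set(ips) - trusted_ips)
        if rogue:
            findings.append(f"{server} answered {', '.join(rogue)}, which no trusted resolver returned")
    return findings
```

In live use, call `query_resolver(router_dns, "apple.com")` for each resolver the router lists and `query_resolver(t, "apple.com")` for each entry in `TRUSTED_RESOLVERS`, then pass both to `hijack_indicators`. Treat an answer mismatch as a lead rather than proof: CDN-fronted sites legitimately return different addresses to different resolvers, so confirm the way the poster did, by checking that the certificate the returned address serves for the name does not validate.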

