UNESCO, Red Cross, Siemens, Xerox and 3M are also among the organizations whose subdomains were compromised.
Cybercriminals have hijacked more than 240 subdomains belonging to some of the most prominent organizations and brands worldwide, mostly to redirect visitors to unexpected content such as malware, malicious Chrome extensions, online gambling and adult material.
The subdomains were so easy to hijack because of how they were hosted on Microsoft Azure: their DNS records still pointed at Azure hostnames whose underlying resources had been decommissioned, leaving those names free for anyone else to claim.
Some of the hijacked subdomains belong to household names including Warner Bros., UNESCO, Toshiba, Xerox, Getty Images, Red Cross, Volvo, Honeywell, Hawaiian Airlines, Clear Channel, Siemens, Autodesk, Arm, 3M, the NHS and Total (the full list is at the end of this article).
The hijacked subdomains were reported by Zach Edwards, co-founder of the analytics firm Victory Medium, who notified Microsoft and the affected companies and organizations in June. Edwards first informed universities and government bodies, then the remaining companies.
According to Edwards, most of the subdomains were taken over by a single group that he believes has been active for about five years. His analysis suggests the group is backed by an international criminal gang and is far more sophisticated than expected.
“It’s clearly automated: they have hit tons of organizations, and uploaded tons of malware. I’ve warned a bunch of organizations that their biggest fear should be this legacy group partnering with some other group that is more destructive,” Edwards told The Register.
Edwards also found that the attackers try to hide their presence after hijacking a subdomain by serving a "coming soon" page or a 404 error at its root URL, so a casual visit reveals nothing. Around 20% of the subdomains he reported were shut down.
The bigger problem, however, is how the DNS entries came to be hijacked: the organizations' records kept pointing at Azure resources that had been deleted, so anyone who registered an Azure resource under the same name took control of what those subdomains served. This has been a recurring issue with websites hosted on Azure.
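The check a defender would want here is a scan of their own zone for records still aliased to Azure names that no longer resolve. The following is an added example written for this article, not code from Edwards, Hackread or Microsoft. It follows CNAME chains (going slightly beyond the single-hop case the article describes), flags targets under a partial, assumed list of Azure service suffixes that fail to resolve, and runs offline against a constructed zone table; for live use, replace `sample_resolver` with one built on a real DNS library such as dnspython. Note the caveat from the paragraphs above: a target that resolves is not proof of safety, because an attacker who has already claimed the name and parked a "coming soon" or 404 page will pass this check, so confirm that every `AZURE_OK` resource is actually yours.

```python
"""Heuristic dangling-CNAME check for subdomains aliased to Azure hostnames.

Takeover pattern: a CNAME in the organisation's zone still points at an Azure
resource name (e.g. <app>.azurewebsites.net) whose resource was deleted. The
target no longer resolves, so whoever recreates an Azure resource with that
name serves content under the organisation's subdomain.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumption for this example: common Azure suffixes customers claim by name.
# This list is deliberately partial; extend it for your own environment.
AZURE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".blob.core.windows.net",
    ".azureedge.net",
    ".azure-api.net",
    ".azurecontainer.io",
    ".azurefd.net",
)


@dataclass(frozen=True)
class DnsAnswer:
    cname: Optional[str] = None   # alias target if the name is a CNAME
    addresses: Tuple[str, ...] = ()  # A/AAAA records if it resolves directly


# A resolver returns None for NXDOMAIN, otherwise the answer for that name.
Resolver = Callable[[str], Optional[DnsAnswer]]


@dataclass(frozen=True)
class Finding:
    name: str
    target: str
    verdict: str  # DANGLING_AZURE | AZURE_OK | NOT_AZURE | NO_CNAME | NXDOMAIN


def normalize(host: str) -> str:
    return host.lower().rstrip(".")


def is_azure_target(host: str) -> bool:
    h = normalize(host)
    return any(h.endswith(suffix) for suffix in AZURE_SUFFIXES)


def follow_cname(name: str, resolve: Resolver, max_hops: int = 8):
    """Walk the CNAME chain; return (final_name, answer_for_final_or_None)."""
    current = normalize(name)
    for _ in range(max_hops):
        ans = resolve(current)
        if ans is None or ans.cname is None:
            return current, ans
        current = normalize(ans.cname)
    return current, resolve(current)  # chain too long; report where we stopped


def check_subdomain(name: str, resolve: Resolver) -> Finding:
    first = resolve(normalize(name))
    if first is None:
        return Finding(name, "", "NXDOMAIN")
    if first.cname is None:
        return Finding(name, "", "NO_CNAME")
    final, ans = follow_cname(name, resolve)
    if not is_azure_target(final):
        return Finding(name, final, "NOT_AZURE")
    # Azure-hosted alias: dangling when the Azure name itself has no address.
    if ans is None or not ans.addresses:
        return Finding(name, final, "DANGLING_AZURE")
    return Finding(name, final, "AZURE_OK")


def scan(names: List[str], resolve: Resolver) -> Dict[str, Finding]:
    return {n: check_subdomain(n, resolve) for n in names}


# Constructed sample zone for offline demonstration; not real DNS data.
# "oldapp-example.azurewebsites.net" is deliberately absent: resource deleted.
SAMPLE_ZONE: Dict[str, DnsAnswer] = {
    "stale.example.com": DnsAnswer(cname="oldapp-example.azurewebsites.net"),
    "live.example.com": DnsAnswer(cname="liveapp-example.azurewebsites.net"),
    "liveapp-example.azurewebsites.net": DnsAnswer(addresses=("203.0.113.10",)),
    "cdn.example.com": DnsAnswer(cname="example.other-cdn.invalid"),
    "example.other-cdn.invalid": DnsAnswer(addresses=("198.51.100.7",)),
    "www.example.com": DnsAnswer(addresses=("192.0.2.1",)),
}

SAMPLE_NAMES = ["stale.example.com", "live.example.com", "cdn.example.com",
                "www.example.com", "gone.example.com"]


def sample_resolver(name: str) -> Optional[DnsAnswer]:
    return SAMPLE_ZONE.get(normalize(name))


if __name__ == "__main__":
    for f in scan(SAMPLE_NAMES, sample_resolver).values():
        print(f"{f.verdict:15} {f.name} -> {f.target or '(none)'}")
```

Only `DANGLING_AZURE` findings are takeover candidates; everything else still deserves an inventory check, since the 404 or "coming soon" pages described above are designed to look like nothing is wrong.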
NEW: Epic Games ignored an epic subdomain takeover on their authentication domain by a criminal credit card skimming / user phishing group "PickaFlick" that has been operating for ~19 years – then Epic issued a $1 million bounty via a Tweet… 👀⚖️🤖https://t.co/whyfwQjfsn pic.twitter.com/cJIzg0e2QS
— Zach Edwards 🔗infosec.exchange/@thezedwards (@thezedwards) May 20, 2020
The list of compromised subdomains shared by Edwards is as follows:
Hackread.com advises readers not to visit these subdomains, as they may still infect your device with malware.
360stage.stahls.com analytics.glamst.com b2btdc.pandora.net beta-invited.slh.com ccc.blockshipping.io champions-d-content.generalmills.com chat.celcom.com.my cine.naturgy.es cloudpilotsg.cloudatlasinc.com costwell.chevron.com demo.booktrack.com drweb.commscope.com elevate17.bittitan.com eperfectlaunchdev.optum.com farmtoschoolmap.georgiaorganics.org findyourstyle.fisherpaykel.com game.autoshow.ca gifts-uat.unrefugees.org.au greathallcontacts.flydenver.com hippotalk.total.com devagileblog.acuitybrandslighting.net devoddsapi.wallstreetenglish.com dvsm-uat.gsk.com es-stgics-avm.jll.com returns.americas.pandora.net www.iknow.dr.cch.com.au m.macaronigrill.com map.carlgross.com mobile-beacons.clearchannel.co.uk mobile.hullcitytigers.com mobile.stratasys.com old.deleteagency.com oneanalytics.capita-one.co.uk partners.honeygroup.co.uk pay.willassociates.co.uk peerwatch.complianceweek.com portfolio.theglobalfund.org ppkpi.cbre.com prdmarep.udtrucks.com prod.vallen.ca production.go-dove.com pwcs-grants.pwcs.edu recommendations.govx.com secure.openenergymarket.com sfgateway-prod-east-api.carmax.com sportsfirstaid.redcross.org.uk sso-api-poc.mybswhealth.com stage.cleanwithkeystone.com staging.auth.idahopower.com stagingcms.johnsoncontrols.com storetool.albertsons.com storetool2.albertsons.com ticari.mercedes-benz.com.tr fly-tracking.volvo.com wiki.gibson.com wine.mydexrewards.com wisent.mitt.ru wisent.mosbuild.com www.app.ahvoila.com www.sensformer.cloud.siemens.com xlcatlin.leopard-np.swissre.com trace.accenthealth.com linode.hki.org advanced.core.freeflow.xerox.com nucleus.robomateplus.com quantumleap.pason.com un1cdp01.uno.adt.bms.com booking.ramadadowntowndubai.com login.ec.co b2b.absoluteboardco.com pfp-int.az-bots-gre-projets.viseo.com dashboard.adsninja.com scm.ordermanagement-test.maersk.com maps.foundationcenter.org www.thevillagesatpinevalley.com itpolicies.ycp.edu www.summary.batransfer.com chat.fnv.nl dev-cd-infocenter.ryder.com 
myob-multi-dc-sit-singapo-cfs-v1.myob.com www.loveisajourney.proflowers.com www.satisfaction.darty.com internationalservicesstage.rrd.com detectionapp.3m.com pspapimgmt-test.premera.com b2bapi-service-acc.snelstart.nl aem.herbalife.com v2.basic.net usersapipre.vertele.eldiario.es onespie.spie.de applications.wirralccg.nhs.uk beta.pksinvest.com site.chopup.me tevatogostgrw.tevapharm.com thweb-azure.teknikhuset.se nexarc1service.kemin.com ohmy.disneylatino.com sccmclouddp.providence.org sitgbapi.globalblue.com qcsampler.genpact.com geaux.lsufoundation.org apps.technologydev.ihs.com storelocator.dtc.newbalance.com football.swisslife.ch inflightentertainment.sas.no connected.virginaustralia.com inhabit-portal.arkadium.com beta.auic.org iot-accelerator-dev2.ddm.iot-accelerator.ericsson.net api.elfcosmetics.com accessderm.aad.org cmclouddpsgsin.autodesk.com search.us.epg.toshiba.com uoncmgtst.newcastle.edu.au blog.codercamps.com v3-dev-gpe-application.gpebcnonprod.cloud.ntrs.com members.i.playboy.com zew-api.travelport.com aicpasccm.aicpa.org smartusw-sts.gep.com hatchery.entrepreneurial-spark.com bmsazure.elas.uk.com referencement.levio.ca iq.aecom.com a.eage.org poc9.icertis.com uat.ovhq.msc.com tibco-service-dev.usga.org icqa.skillsinsight.honeywell.com members.ussvi.org associate.myfortisonline.com acdadmin-tng.aia.org demo06.mediusflow.com myaccount.scottish-enterprise.com nw-b.ecolab.com members.dotnetfoundation.org automation.pg.com mclambda-devtest.cpsextsandbox.mayo.edu dev.forsyteit.com testazure.drivetime.com ve-service.genecards.org ahbeardweb.microsoftcrmportals.com wordpress-itec.azurewebsites.net qa.api.sapaccess.warnerbros.com stpaul.partnerinhousing.com dashboard.boostup.com docs.cms.orckestra.com ecmcmg.broadinstitute.org cms.facilitiessurvey.com dev1.mdlive.com aauw-ampostdoc.scholarsapply.org tge.tradeglobal.com mobile.apply4housing.com my.disciplesmade.com quote.model.healthmarkets.com dev.connectedservices.emerson.com connect.atslab.com 
training.trin.net stgwww.ispeedyloans.com mossupport.mcd.com prepd-sitecore.solr.arm.com spaspera.cloud.jci.com uopxcmg2.phoenix.edu staging-consulting-covid19.euromonitor.com mail.somersetcm.com dev.salesforce.integration.plex.com full-service-suite.ch cart.perseusacademic.com testwebservices.hawaiianairlines.com timesheets.cfed.org library.inthehand.com www.rmspecialstamps.com sessions.digitalwpc.com staging.ecofastensolar.com innovapulse.innovasi.com uk.ziraat.turkline.com rldp.redlobster.com test-cbreitp.intrepid.cbre.com go.daymarksi.com test.lark-it.com dynamicsac.perficient.com voyager-dev.kindred.com acsdonateadmintrain.cancer.org prixmnbawards.musicnb.org nlgsccmconnect1.nationallife.com create.cakesbyron.com www.mitanorifusa.com dev-oms-logistics.pvh.com sts.hgem.com gettyclouddp1.gettyimages.com training.iverson.com.my secure.web.powerapps.com cb.us.stg.cloud.im press.desigual.com architectuur.cibg.nl myusa.veinteractive.com qa.boh.com xlcatlin.leopard-np.swissre.com v3-qa-gpe-application.gpebcnonprod.cloud.ntrs.com blog.washingtonstem.org apps.invictusgames2017.com test.scandichotels.de sccm-dp.acuitybrands.com fnmaxcmgdp.fanniemae.com survive.infocomm.org op.elfcosmetics.com leprdsccmdistpteuwest.lincolnelectric.com cms.answersmediainc.com cloudsolvportal.synnex.com uatstandby-www.cushmanwakefield.com emergencyresponse.bristowgroup.com thor.mdlive.com clouddp01.lamresearch.com autoattendantservicesqa.incontact.com microsoft.icertis.com devpmforecaster.cbre.com tastings.neudesic.com b2bws.julian-fashion.com apimcustomapi-dev.azure.chevron.com analytics.donorperfect.net ecom-qa-nl.bambonature.com s-sccmdp-cloud01.loandepot.com tra.g4s.com remote.packtech.dk qaappcenterng.deloitteresources.com apps.fullertonhealth.com smoke1.remix3d.com onesiteportal-stage.rrd.com cdn02.empiretoday.com easishare.bruker.com football.swisslife.ch seminario.iipe.unesco.org cityofcalgarycmg.calgary.ca dailysales.brownjordan.com staging.capturetech.com media.antenna.gr 
doc.bootes.co am.us.rothschildandco.com candidate.responsivehr.com lti.intelequia.com api.longbow.bonusxp.com tuap.teamusa.org rss-prototype.bd.com