Nov 28, Babygear-USA
As part of an ongoing support agreement with Babygear-USA® we perform monitoring and respond to security events.
In late November we received information related to an alteration of domain name services and a potential change of name services provider. As their ISP has recently been the target of web site hijacking, we decided to perform a more detailed investigation.
- Our client received an "invoice" from registry trolls. This carefully worded "invoice" was for registry services. Although it looked like an invoice to our client, it was simply a letter trying to trick them into transferring their domain name to the sender's more expensive service.
- A check of the web site source files was performed to verify that no changes had been made to the site. The dynamic page content from the database server was also verified to match the existing known good content.
- Their ISP had a publicized security breach, so checking of the web site's administrative access was required. All user account activities and access were normal (logs are stored externally to the site and are not accessible to the users). The hosting account activity was also verified as uncompromised (and checked against a list of known compromised account names).