SEO spam attacks may be common on compromised websites, as we cover them quite often. Yet it is complex and unique to shed light on a blackhat technique used to manipulate a WHOIS result for a domain name, as it is not a common occurrence.

“WHOIS” is a protocol used to determine who holds a particular domain name. Simply put, these records are available to all with the aim of creating trust online through the exposure of the name, address and telephone number of the website owner. However, if a website owner is interested in protecting their personal data, they will buy the WHOIS server protection service.

WHOIS Hack Server-A Simple Outline

A WHOIS service user recently got really upset about the changes in his data, as well as email notifications he received that included spam content. Research revealed that hackers had abused the domain expiration of customers by buying a previously legal WHOIS server. They then included arbitrary and illegal advertisements on this newly purchased old WHOIS server records from South Africa.

The .co.za country code is used in South Africa for a top-level domain official. A search for the location of the official client WHOIS server (CNAME whois.coza.net.za.) returned with nothing wrong. However, the changes made in the WHOIS log contained details of what had been done and this was where things got very interesting.

WHOIS Server Showed Spam Content records

The WHOIS change log showed a new set of spam links that were included on all email notifications outgoing. Although all the spam emails looked similar, at the end of each email there was a strong clue redirecting users to another site – “Why would queries go to whois.co.za instead of whois.coza.net.za?.”

Examining the WHOIS Server

Researchers ran a query right away to dig deeper into “whois victim-site.co.za whois: za.whois-servers.net:.”

You guessed it: the results indicated the issue had something to do with the domain name. Thus, performing a root cause analysis by installing Brew with an updated version of WHOIS 5.2.12 resulted in a different outcome where the client information was edited.

The results obtained paved the way for the real problem to be narrowed further!

Scanning Website for the Registry

When you visit the website of the WHOIS server – hxxp:/whois[.]co.za, it promptly redirected to the legitimate website, https:/www.registry.net.za/whois/ –.

However, it redirected to a completely different site when visiting hxxp:/www.whois[.]co.za, and numerous ads immediately began crowding the screen. Bingo! Bingo!

This proved that the domain whois.co.za – was hacked.

The DNS records were removed, and it showed that different servers had configured the bare domain and subdomain.

The whois[.]co hxxp:/. Za showed a clean version while hxxp:/www.whois[.]co.za was filled with the spam. Another WHOIS query was executed and this time it indicated clearly which server to use.

Ultimately, it was revealed that some hacker got access to the whois.co.za domain and replaced it on April 22nd. Customers have since begun receiving unsolicited advertisements in their notification emails.

WHOIS Server Modified

The problem lies with WHOIS versions older than 5.0.19. The whois[.]co.za domain in version 4.7.33 was removed in 2009. After the domain expired to submit ads a hacker capitalized by buying them.

On the other hand, when querying the co.za domains, WHOIS versions older than 5.0.19 will continue to display these messages. The issue was reported to registrar in South Africa.

Concluding

It ‘s crucial for all users to keep track of their WHOIS records and be sure the hackers don’t make any unauthorized modifications or vulnerabilities and their WHOIS server. If there are any more changes with the problem we will keep you updated here.