[Cover image: "Script Kitties Get Clawed! Hackers Hacked by Hackers", Breaking Badness Episode 199]

DNS Errors and Malware Builders Turning on Attackers

In this episode of Breaking Badness, we analyze two fascinating cybersecurity incidents that expose both corporate misconfigurations and hacker missteps. 

DNS Errors: Security researcher Philippe Caturegli discovered a typo in MasterCard’s DNS records, which left the company open to traffic hijacking and data exposure. This long-overlooked flaw, dating back years, could have been exploited by attackers to redirect users, intercept data, and manipulate services.

When Hackers Get Hacked – The Script Kiddie Trap: In a turn of events that underscores the “no honor among thieves” trope, a threat actor baited low-skilled hackers (script kiddies) with a fake malware builder. Instead of gaining hacking capabilities, they unwittingly installed a backdoor on their own machines, allowing the original attacker to steal their data and take control of their systems.

DNS Errors: The Sitting Ducks Attack 

What Happened? 

Security researcher Philippe Caturegli discovered a typo in MasterCard’s DNS settings, where a misconfigured subdomain pointed to an unregistered domain (Akam.ne instead of Akam.net). This mistake went unnoticed for years, potentially allowing an attacker to: 

  • Intercept sensitive traffic 
  • Redirect users to malicious sites 
  • Monitor and manipulate data flow 

How Was It Discovered? 

Philippe purchased the unused .ne domain (a ccTLD from Niger) to test its potential impact. Due to round-robin DNS settings, his new domain started receiving traffic meant for MasterCard’s Azure cloud services. This proved that a cybercriminal could have hijacked MasterCard’s traffic and data.

Key Takeaways 

  • Historical DNS records should be audited regularly to prevent domain hijacking
  • Misconfigured cloud services can introduce severe security risk 
  • Typos in DNS records can have critical security implications – the “sitting ducks” problem
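As an added illustration of the "audit historical DNS records" takeaway (example code written for this recap, not code from the episode or from the researcher's work), the script below scans the delegation-type records of a zone (NS, CNAME, MX), reduces each target to its registrable domain, and flags targets whose domain is not registered, calling out the case where the TLD is one character away from a TLD the zone otherwise uses, which is exactly the akam.ne / akam.net shape of slip. The zone excerpt and the "registered" list are constructed stand-ins; in a real audit the registration check would be a WHOIS/RDAP query or an NS lookup of the registrable domain, and the registrable-domain split would use the Public Suffix List.

```python
from dataclasses import dataclass

# Constructed zone excerpt for the demo; owner names are invented, and only the
# akam.net / akam.ne pair mirrors the typo discussed in the episode.
SAMPLE_ZONE = """\
examplebank.test.        3600 IN NS    a1-10.akam.net.
examplebank.test.        3600 IN NS    a1-36.akam.ne.
www.examplebank.test.     300 IN CNAME www.examplebank.test.edgekey.net.
api.examplebank.test.     300 IN CNAME api-prod.azurewebsites.net.
legacy.examplebank.test.  300 IN CNAME old-portal.cloudapp.net.
"""

# Constructed stand-in for a registration check (WHOIS/RDAP or an NS lookup of
# the registrable domain in real use). Anything not listed is treated as
# unregistered, i.e. claimable by whoever pays the registration fee.
KNOWN_REGISTERED = {"akam.net", "edgekey.net", "azurewebsites.net", "cloudapp.net"}

# Record types whose target is a hostname someone else may control.
DELEGATING_TYPES = {"NS", "CNAME", "MX"}


@dataclass
class Finding:
    owner: str
    rtype: str
    target: str
    registrable: str
    reason: str


def parse_zone(text):
    """Parse 'owner ttl class type target' lines; other lines are ignored."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        owner, _ttl, _cls, rtype, target = parts[:5]
        records.append((owner.rstrip("."), rtype.upper(), target.rstrip(".").lower()))
    return records


def registrable_domain(fqdn):
    # Simplification: last two labels. A production audit should consult the
    # Public Suffix List so names under co.uk and similar are split correctly.
    return ".".join(fqdn.split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character TLD slips."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_zone(text, registered=KNOWN_REGISTERED):
    """Return a Finding for every delegation whose registrable domain is unregistered."""
    records = [r for r in parse_zone(text) if r[1] in DELEGATING_TYPES]
    # TLDs the zone legitimately delegates to; a target whose TLD is one edit
    # away from one of these is most likely a typo rather than a new provider.
    known_tlds = {
        registrable_domain(t).split(".")[-1]
        for _, _, t in records
        if registrable_domain(t) in registered
    }
    findings = []
    for owner, rtype, target in records:
        reg = registrable_domain(target)
        if reg in registered:
            continue
        tld = reg.split(".")[-1]
        near = sorted(k for k in known_tlds if k != tld and edit_distance(tld, k) == 1)
        if near:
            reason = f"unregistered target; TLD '{tld}' is one edit from '{near[0]}' (likely typo)"
        else:
            reason = "unregistered target (dangling delegation)"
        findings.append(Finding(owner, rtype, target, reg, reason))
    return findings


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE):
        print(f"{f.owner} {f.rtype} -> {f.target}: {f.reason}")
```

Run against the sample zone, only the a1-36.akam.ne nameserver is reported, with the note that "ne" is one edit from "net". Because an NS record delegates an entire name, a single unregistered target like this is enough for an outsider to receive a share of the zone's resolution traffic, which is why the check treats NS targets no differently from CNAME targets.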

Resources 

Read Brian Krebs’ coverage on DNS misconfigurations

When Hackers Get Hacked: The Script Kiddie Backdoor Scam

What Happened? 

A threat actor lured low-skilled hackers (script kiddies) into downloading a fake malware builder. Instead of getting a functional hacking tool, they unknowingly installed a backdoor that: 

  • Stole their credentials and personal data 
  • Gave the attacker remote control of their systems 
  • Allowed the attacker to exfiltrate sensitive information

How Was the Attack Carried Out? 

The malware disguised itself as XWorm, a well-known Remote Access Trojan (RAT). However, when script kiddies tried to use it, the software: 

  • Installed a hidden backdoor instead of a hacking tool 
  • Sent data to the attacker via Telegram C2 (Command & Control) 
  • Allowed remote exploitation of infected machines

How It Was Stopped 

Cybersecurity researchers disrupted the malware’s kill chain by: 

  • Identifying unique victim IDs through Telegram logs 
  • Pushing an uninstall command to remove the malware from infected machines

Key Takeaways 

  • Even cybercriminals need to be cautious about their downloads 
  • Telegram is increasingly used as C2 infrastructure for cybercrime 
  • Security researchers can sometimes turn the tables on attackers
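As an added example for the Telegram-as-C2 takeaway (written for this recap; it is not code from the CloudSEK report or from the episode), the script below runs a simple detection over constructed web-proxy log lines: any process other than an expected messaging client that calls the Telegram Bot API with a sending method (sendDocument, sendMessage, sendPhoto) is flagged, and alerts are grouped by bot ID so that one operator's bot showing up on several hosts is visible. The log format, host names, process names and bot tokens are all constructed; the Bot API URL shape (api.telegram.org/bot<token>/<method>) is the public one.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the report):
# timestamp host process method url
SAMPLE_PROXY_LOG = """\
2025-01-28T10:01:02Z host01 chrome.exe GET https://www.example.com/
2025-01-28T10:01:09Z host01 Telegram.exe POST https://api.telegram.org/bot123456:ABCDEF/getUpdates
2025-01-28T10:02:15Z host02 svchost.exe POST https://api.telegram.org/bot987654:XYZ/sendDocument
2025-01-28T10:02:16Z host02 svchost.exe POST https://api.telegram.org/bot987654:XYZ/sendMessage
2025-01-28T10:03:40Z host03 builder.exe POST https://api.telegram.org/bot987654:XYZ/sendDocument
2025-01-28T10:04:00Z host04 outlook.exe GET https://outlook.office.com/
"""

# Public Bot API URL shape: https://api.telegram.org/bot<token>/<method>
BOT_API = re.compile(r"^https://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<method>\w+)")

# Processes expected to talk to Telegram on a managed endpoint (tune per environment).
EXPECTED_CLIENTS = {"telegram.exe"}

# Methods that push data out to a chat; a backdoor reporting in uses these,
# whereas a legitimate client mostly polls with getUpdates.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}


def parse_log(text):
    """Yield (timestamp, host, process, http_method, url) tuples."""
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) == 5:
            yield tuple(parts)


def detect_bot_api_exfil(text, expected=EXPECTED_CLIENTS):
    """Return one alert per (host, process, bot id) that sends via the Bot API."""
    alerts = {}
    for ts, host, proc, _http_method, url in parse_log(text):
        m = BOT_API.match(url)
        if not m or proc.lower() in expected:
            continue
        api_method = m.group("method")
        if api_method not in EXFIL_METHODS:
            continue
        # Keep only the numeric bot id in the alert; the secret half of the
        # token should not be copied into tickets or SIEM fields.
        bot_id = m.group("token").split(":")[0]
        key = (host, proc, bot_id)
        entry = alerts.setdefault(
            key,
            {"host": host, "process": proc, "bot_id": bot_id, "methods": set(), "first_seen": ts},
        )
        entry["methods"].add(api_method)
    return list(alerts.values())


def hosts_per_bot(alerts):
    """Group alerted hosts by bot id: the same bot on many hosts means one operator."""
    out = defaultdict(set)
    for a in alerts:
        out[a["bot_id"]].add(a["host"])
    return dict(out)


if __name__ == "__main__":
    found = detect_bot_api_exfil(SAMPLE_PROXY_LOG)
    for a in found:
        print(f"{a['first_seen']} {a['host']} {a['process']} bot={a['bot_id']} {sorted(a['methods'])}")
    print(hosts_per_bot(found))
```

On the sample log the legitimate Telegram.exe poll is ignored, while svchost.exe on host02 and builder.exe on host03 are both flagged and tie back to the same bot ID, which is the pivot a responder would use to scope how many machines report to one operator. Where a proxy cannot see full URLs (TLS without inspection), the same logic degrades to "unexpected process contacting api.telegram.org", which is a weaker but still useful signal.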

Read CloudSEK’s full report on the fake malware builder

Watch on YouTube


That’s about all we have for this week. You can find us on Mastodon and Twitter/X @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!