The customer that wanted to remain anonymous told The Register: “All 120+ domain names had been set to auto-expire; half were redirected to spurious locations and more than a third had compromised DNS, with additional DNS redirects to these ransom sites. I had to go through every single account, one by one, and check every setting. 123-reg, while trying to be helpful, didn’t do a thing.”
The problem was eventually resolved on 24 January, after the customer had done all the remediation work himself, but he was left dissatisfied with the whole incident, and in particular with 123-reg's handling of it. Apparently, 123-reg support staff failed to tell the customer when they discovered that the account had been compromised, and then consistently ignored his support requests.
Most of the domain names belonged to clients of the 123-reg customer. It was those clients who noticed, on 21 January, that their domains were being redirected to a ransomware site.
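The customer describes going through 120-plus accounts by hand to find domains set to expire, A records pointed at spurious hosts, and nameservers swapped out. The audit below is an added illustration of how to do that check against a known-good baseline; it is not code from The Register, 123-reg, or the affected customer. The domains, IP addresses and nameserver names are constructed sample data (RFC 2606 and RFC 5737 reserved ranges), and the `lookup` callable is a hypothetical hook where a real run would plug in a DNS resolver and the registrar's API.

```python
"""Audit a fleet of domains against a known-good DNS/registrar baseline.

Illustrative example only; the baseline and "current" snapshots are
constructed to mimic the incident described above (one domain with
auto-renew switched off, one with its A record moved, one with hijacked
nameservers). Nothing here talks to the network.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class DomainState:
    """The registrar and DNS settings worth comparing for one domain."""
    ns: FrozenSet[str]    # authoritative nameservers as set at the registrar
    a: FrozenSet[str]     # apex A records
    auto_renew: bool      # registrar auto-renew flag


GOOD_NS = frozenset({"ns1.hosting.example.", "ns2.hosting.example."})

# Constructed known-good baseline (hypothetical client domains).
BASELINE: Dict[str, DomainState] = {
    "client-one.example":   DomainState(GOOD_NS, frozenset({"203.0.113.10"}), True),
    "client-two.example":   DomainState(GOOD_NS, frozenset({"203.0.113.11"}), True),
    "client-three.example": DomainState(GOOD_NS, frozenset({"203.0.113.12"}), True),
}

# Constructed post-compromise snapshot: 198.51.100.77 stands in for the ransom host.
HIJACKED_NS = frozenset({"ns1.attacker-dns.example.", "ns2.attacker-dns.example."})
CURRENT: Dict[str, DomainState] = {
    "client-one.example":   DomainState(GOOD_NS, frozenset({"203.0.113.10"}), False),
    "client-two.example":   DomainState(GOOD_NS, frozenset({"198.51.100.77"}), True),
    "client-three.example": DomainState(HIJACKED_NS, frozenset({"198.51.100.77"}), True),
}


def audit(baseline: Dict[str, DomainState],
          current: Dict[str, DomainState]) -> Dict[str, List[str]]:
    """Return {domain: [issue, ...]} for every domain that drifted from baseline."""
    findings: Dict[str, List[str]] = {}
    for domain, expected in baseline.items():
        observed = current.get(domain)
        issues: List[str] = []
        if observed is None:
            # A lookup that failed or a domain that vanished is itself a finding.
            issues.append("no data: domain missing from snapshot")
        else:
            if observed.ns != expected.ns:
                issues.append("NS changed: " + ", ".join(sorted(observed.ns)))
            if observed.a != expected.a:
                issues.append("A changed: " + ", ".join(sorted(observed.a)))
            if expected.auto_renew and not observed.auto_renew:
                issues.append("auto-renew disabled")
        if issues:
            findings[domain] = issues
    return findings


def shared_unexpected_targets(baseline: Dict[str, DomainState],
                              current: Dict[str, DomainState]) -> Dict[str, List[str]]:
    """Map each A-record IP not present anywhere in the baseline to the domains now using it.

    Many domains converging on one unknown IP is the signature of a mass redirect
    to a single ransom site, and gives a concrete indicator to block and report.
    """
    known = {ip for state in baseline.values() for ip in state.a}
    hits: Dict[str, List[str]] = {}
    for domain, state in current.items():
        for ip in state.a - known:
            hits.setdefault(ip, []).append(domain)
    return {ip: sorted(doms) for ip, doms in hits.items()}


def snapshot(domains: Iterable[str],
             lookup: Callable[[str], DomainState]) -> Dict[str, DomainState]:
    """Build a snapshot by calling the (hypothetical) lookup hook per domain.

    Lookup failures are left out so that audit() reports them as missing data
    rather than silently passing the domain.
    """
    out: Dict[str, DomainState] = {}
    for domain in domains:
        try:
            out[domain] = lookup(domain)
        except Exception:
            continue
    return out


if __name__ == "__main__":
    for domain, issues in sorted(audit(BASELINE, CURRENT).items()):
        print(domain)
        for issue in issues:
            print("  -", issue)
    print("shared unexpected targets:", shared_unexpected_targets(BASELINE, CURRENT))
```

The baseline is the important part: a snapshot of NS, A and auto-renew state taken while the portfolio is known to be clean, stored outside the registrar account, is what turns a one-by-one manual sweep into a diff that can be run on a schedule.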
“Surfers who attempted to visit the affected sites were served malicious code which locked their browsers and falsely warned them they had been caught downloading images of child abuse, in an attempt to extort them into paying a ‘fine’.”
“In response to queries from El Reg on the matter, 123-reg spokespersons have stated that the company can’t as yet release details of its own internal probe into the matter, as it has not received the permission of the customer to do that. However, the company did say:
What we can confirm is at this point all indications are that 123-reg has had no compromise of its systems – but they are working to fully verify this. It appears the accountholder’s security has been compromised but not through 123-reg’s systems.”