The document below on PPC Hijacking from LURHQ Security Services is dated 2005-04-01, just over a year ago. Much of the document may be totally incomprehensible to some. It was a bit overwhelming for me until I printed it and then carefully studied each and every step they took to perform their tests.
As we are somewhat familiar with server headers and status codes, it was pretty amazing to see everything that was taking place in this particular instance of PPC Hijacking.
Do you manage a Pay-Per-Click campaign? The following information from LURHQ is a must-read for all search engine marketers and website owners alike.
"Search hijackers are not a new phenomenon; however, their purveyors are becoming more and more aggressive in capturing clicks from web users. Often, attempting to find the entity behind the hijack becomes an endless task of following layer after layer of obfuscation.
The incident in question involves DNS hijacking, and was widely reported in the beginning of 2005. The hijack was simple, and the vulnerability old and well known. It involved a rogue DNS server sending bogus authority records in a DNS reply packet, in which it claimed to be the authoritative server for all of the .com TLD. Vulnerable hosts would then direct queries for any .com sites to the rogue DNS server."
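A resolver resists the bogus .com authority records described in the quote when it discards authority records whose owner name lies outside the zone the answering server was asked about (a bailiwick check). The sketch below is an added example, not code from LURHQ or SANS; the record tuples, zone names and function names are constructed for illustration.

```python
from typing import NamedTuple

class RR(NamedTuple):
    owner: str   # name the record claims authority over, e.g. "com."
    rtype: str   # record type, e.g. "NS"
    rdata: str   # name server being advertised

def labels(name):
    """Split a DNS name into lower-case labels, ignoring the trailing dot."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def in_bailiwick(owner, zone):
    """True when owner equals zone or is a subdomain of it.

    The comparison is label by label, so "notwidgets.example.com" is not
    treated as part of "widgets.example.com" the way a substring test would.
    """
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def filter_authority(server_zone, authority):
    """Split authority records into (kept, dropped) for a reply from a
    server that was queried as a name server for server_zone."""
    kept, dropped = [], []
    for rr in authority:
        (kept if in_bailiwick(rr.owner, server_zone) else dropped).append(rr)
    return kept, dropped

# Constructed reply: the server was reached through a delegation for
# widgets.example.com. but also claims authority for all of .com.
SERVER_ZONE = "widgets.example.com."
REPLY_AUTHORITY = [
    RR("widgets.example.com.", "NS", "ns1.widgets.example.com."),
    RR("COM.", "NS", "ns1.rogue.example.net."),
    RR("notwidgets.example.com.", "NS", "ns1.rogue.example.net."),
]

if __name__ == "__main__":
    kept, dropped = filter_authority(SERVER_ZONE, REPLY_AUTHORITY)
    for rr in kept:
        print("cached:  ", rr)
    for rr in dropped:
        print("rejected:", rr, "(outside", SERVER_ZONE + ")")
```

Rejected records are also worth logging: a reply that claims authority for an entire TLD from a server delegated only a single domain is a strong poisoning indicator.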
The document linked below, from LURHQ and dated April 2005, is a continuation of the March 2005 SANS DNS Poisoning Summary.