Hackers involved with an Indonesian online casino appear to have taken over a subdomain on the website of Wired — and squatted there for several months.
In other words, the venerable tech magazine — which has made innumerable contributions to the coverage of online security over its decades of existence — seemed either unaware of the squatters or unable to kick them out.
Innovation Insights — located at the subdomain insights.wired.com, which will become relevant soon — was once a “community blog” run by the Condé Nast-owned Wired, in what seems to have been an approximate answer to the contributor networks run by Forbes and HuffPo. It launched with a splash back in 2012, but seems to have fizzled out by 2015, when its editor announced in a now-archived post that it was “taking a break.”
The blog never reappeared, but the long-dormant subdomain sputtered back to life late last year.
In late October of 2022, an archived snapshot shows that the subdomain suddenly became a placeholder-looking fashion blog called “WiredNext,” with posts about Copenhagen Fashion Week and advice about how a “black leather bag is always trendy.” Here’s what it looked like at the time:
WiredNext didn’t last long, though. By the Internet Archive’s next snapshot, on December 4, it had attained its apparent final form: an extraordinarily sleazy site that appears to be advertising the services of an Indonesian online casino. Here’s what it looked like:
Now, let’s be clear. It’s not the fault of the talented journalists and editors at Wired, who have produced much the best cybersecurity writing of the century, that unauthorized tenants set up some sort of sordid gambling den on a prominent part of their publication’s site.
But it is arguably very funny, especially because Wired’s tech team seemed to struggle to seize the subdomain back. The casino-fied version of Wired Insights appears to have been live for nearly two months without attracting much attention, and it’s unclear whether anyone at Wired was even aware of the takeover until we reached out with questions yesterday (they never wrote back).
We first reached out about the strange subdomain yesterday morning. It stayed live all day, but by this morning it was gone.
If it sounds surprising that miscreants were able to take over the subdomain of one of the internet’s most storied tech outlets, cybersecurity expert Joseph Steinberg tells us that maybe it shouldn’t be.
“These are sophisticated, professional, trained people who are doing this,” Steinberg told us. “They understand the vulnerabilities and they understand how networking actually occurs, how routing actually occurs.”
He says that what almost certainly happened is that clever hackers hijacked Domain Name System (DNS) records. DNS is the naming system that translates easily readable domain names like wired.com — or insights.wired.com — into machine-readable IP addresses.
“Somebody has gone into DNS records,” Steinberg said, “and has pointed it somewhere else.”
In particular, Steinberg suggested the hackers may have used “domain shadowing” to hijack Wired’s DNS, a phenomenon that experts say has gained significant traction in recent years. Basically, according to Bleeping Computer, it’s an attack in which “threat actors compromise the DNS of a legitimate domain to host their own subdomains for use in malicious activity but do not modify the legitimate DNS entries that already exist.”
It’s “not a new form of attack,” Steinberg said, but one that’s still managed to evade improving security protocols.
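Both patterns described above, an existing subdomain quietly repointed and a new subdomain slipped into a zone nobody is watching, show up as a diff between an approved record inventory and a fresh export of the zone. The following is an added example, not code from the article or from Wired; the zone lines are constructed, the hostnames are placeholders, and it assumes a simple one-record-per-line zone export without $INCLUDE or multi-line records.

```python
import re

# One record per line: name, optional TTL, IN, type, data; trailing ";" comments allowed.
ZONE_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+(?P<type>A|AAAA|CNAME|NS)\s+(?P<data>.+)$"
)

# Constructed baseline: the records the owner knows about and approved.
BASELINE = """
$ORIGIN wired.com.
@            IN  A      192.0.2.10
www          IN  CNAME  cdn.example.net.
insights     IN  CNAME  community-blog.example.net.   ; dormant blog, still published
"""

# Constructed "current" export: the old name now points elsewhere and a new name appeared.
CURRENT = """
$ORIGIN wired.com.
@            IN  A      192.0.2.10
www          IN  CNAME  cdn.example.net.
insights     IN  CNAME  casino-landing.example.       ; existing record repointed
promo        IN  A      198.51.100.7                  ; shadow subdomain nobody approved
"""

def parse_zone(text):
    """Return {(name, type): data} for the record lines we care about."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()       # drop comments and whitespace
        m = ZONE_LINE.match(line)
        if not m:                               # skips $ORIGIN, blanks, SOA, etc.
            continue
        records[(m["name"].lower(), m["type"])] = m["data"].strip().lower()
    return records

def audit_zone(baseline_text, current_text):
    """Diff an approved inventory against a live export.

    'added' is the domain-shadowing signature (new names, old ones untouched);
    'changed' is the takeover signature (a known name now resolving elsewhere).
    """
    base, cur = parse_zone(baseline_text), parse_zone(current_text)
    added = [(n, t, d) for (n, t), d in cur.items() if (n, t) not in base]
    changed = [(n, t, base[(n, t)], d) for (n, t), d in cur.items()
               if (n, t) in base and base[(n, t)] != d]
    removed = [(n, t, d) for (n, t), d in base.items() if (n, t) not in cur]
    return {"added": added, "changed": changed, "removed": removed}
```

Run against a scheduled zone export, any non-empty "added" or "changed" list is worth an alert; a dormant subdomain like the one in the story is exactly the record that would otherwise drift unnoticed.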
As to why they may have targeted Innovation Insights? That may be a clue as to the hackers’ motives as well.
Subdomains of otherwise trustworthy entities — like Wired — make for a particularly sought-after target for DNS hackers. And if it was a subdomain that already existed, and hence has already worked its way into Google’s map of the web? Even better.
“If I’m a criminal, and I register bobsmith.wired.com, and it never existed, and somehow hacked the DNS to put it in, then it’s a new subdomain, so I may pick up some credibility from the fact that it’s a subdomain off of Wired,” he wrote. “But if it’s an old site, then for sure, I’m gonna get credibility, because it probably has many things linking to it already.”
In other words, it’s likely a search engine optimization play: the hackers are hoping that Google’s web crawler will see a page on Wired, a domain with high authority, pointing to the casino and assume that it should rank well in searches.
“These are all attempts to use somebody else’s brand name, somebody else’s infrastructure that was created in the past, someone else’s SEO benefit from content they created, somebody else’s credibility,” Steinberg said.
At the end of the day, he says, it’s just the latest example of how the web is strung together on ancient systems that have been updated in a haphazard manner. Vulnerabilities slip through, and even a company with the immense resources of Condé Nast can get taken.
“I mean, the systems that manage the infrastructure of the internet were not created with security in mind, right?” Steinberg asked. “It was created for universities and researchers, who are still using the same systems.”
“Yes, they’ve been amended and added on and all that, but the inherent design of the internet was not made for this,” Steinberg said.