Microsoft Victim Or Honeypot?

The Register, a reliable news source in the UK, reports that for the past 3 weeks, internet addresses belonging to Microsoft have been routing traffic to more than 1,000 fraudulent websites maintained by a group of Russian criminals. 131.107.202.197 and 131.107.202.198 — which are both registered to Microsoft — are housing dozens of DNS servers that help convert pharmacy domain names into the numerical IP addresses that host the sites. The most likely explanation, they say, is that a machine on Microsoft’s campus has been infected with malware.

“In order to get the DNS zones entered in there, they must have pwned the box.” There is the possibility that servers connected to Microsoft might be part of a honeypot that’s deliberately hosting the name servers so that researchers can secretly monitor the gang’s operations. Another possibility is that the pharmacy operators have subscribed to some sort of managed service offered by Microsoft. A Microsoft spokeswoman said she was investigating the findings and expected to provide a statement once the investigation was completed.

TheRegister

UPDATE: Human error gave spammers keys to Microsoft systems – Microsoft blamed human error after two Linux servers on its network were hacked and then misused by spammers to promote questionable online pharmaceutical websites and DoS a security blogger’s website.

InfoWorld
