Jan 08, 2023

Security tip: Clean up your DNS records after removing Azure App Service resources

Written by Zack Schwartz

Introduction

Here is a common scenario for those who deploy their web applications to Azure App Services or similar services.

  1. You deploy an application to Azure App Service and get an App Service hostname that looks something like mydomain.azurewebsites.net.
  2. You configure a custom domain in your DNS provider by adding a CNAME that points something like subdomain.mydomain.com to mydomain.azurewebsites.net.
  3. After some time, the project is retired and you clean up your Azure resources. You delete the web application from Azure to save money, but you never delete the DNS record for the custom domain.

Now imagine that years go by and that domain, subdomain.mydomain.com, suddenly comes alive again! Only this time, it is showing a scam website like the one below (blurred out).

Blurred screenshot of a scam casino website

The Quick Fix

The immediate step you should take is to log in to your DNS manager and delete the CNAME record that points to that Azure App Service hostname. That stops your domain from pointing to the scam website. However, that might not be the end of the story for you.

If you are using tools or services that depend on domain verification via a <meta> tag, such as Google Search Console, the attacker may have added their scam site as a property on that domain in an attempt to boost SEO and search rankings. If you use any of these tools, you should log in to them and clean up any resources that the attacker may have latched on to.

The Attack Vector

We believe that people have written bots to crawl the web to identify domains that are pointing to Azure App Service, but error out because there is no app running at that CNAME of mysubdomain.azurewebsites.net. The attacker will then create a new web app on their own Azure account (or a hacked Azure account) using Azure App Services with the same hostname of mydomain.azurewebsites.net. Since your DNS records were never cleaned up, your custom domain is now pointing to the attacker's website.

So take this as a friendly reminder to clean up your DNS records!
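One way to audit your own zone for this condition, as an added example that is not code from the original post: it scans a BIND-style zone export for CNAMEs that target `*.azurewebsites.net` and flags those whose target no longer resolves. The zone text and the `live-app` hostname are constructed, and the script assumes a deleted app's hostname stops resolving and that every record line has an explicit owner name.

```python
import socket

AZURE_SUFFIX = ".azurewebsites.net"

# Constructed zone export for illustration; replace with your provider's export.
SAMPLE_ZONE = """\
$ORIGIN mydomain.com.
www        3600 IN CNAME  live-app.azurewebsites.net.
subdomain  3600 IN CNAME  mydomain.azurewebsites.net.
mail       3600 IN MX     10 mx.mydomain.com.
docs       3600 IN CNAME  pages.example.org.
; old records below were removed
"""

def app_service_cnames(zone_text):
    """Yield (owner_fqdn, target) for CNAMEs that point at Azure App Service."""
    origin = ""
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()   # drop comments, tokenize
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
            origin = fields[1].rstrip(".").lower()
            continue
        upper = [f.upper() for f in fields]
        if "CNAME" not in upper[1:-1]:           # need an owner before and a target after
            continue
        target = fields[upper.index("CNAME", 1) + 1].rstrip(".").lower()
        owner = fields[0].lower()
        if owner == "@":
            owner = origin
        elif owner.endswith("."):
            owner = owner.rstrip(".")
        elif origin:
            owner = f"{owner}.{origin}"
        if target.endswith(AZURE_SUFFIX):
            yield owner, target

def resolves(hostname):
    """True if the name resolves. Any lookup failure counts as 'needs review'."""
    try:
        socket.getaddrinfo(hostname, 443)
        return True
    except socket.gaierror:
        return False

def find_dangling(zone_text, lookup=resolves):
    """Return CNAMEs whose App Service target does not resolve."""
    return [(o, t) for o, t in app_service_cnames(zone_text) if not lookup(t)]

if __name__ == "__main__":
    for owner, target in find_dangling(SAMPLE_ZONE):
        print(f"REVIEW: {owner} -> {target} (target does not resolve)")
```

A record this flags is one to delete or repoint. A record that still resolves is not proof of safety, so confirm that the App Service behind it is one you own.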

Zack Schwartz @apexdodge

ENTREPRENEUR & SOFTWARE ENGINEER, AUSTIN, TX
I enjoy tackling a wide array of business challenges ranging from front line product support and operations to sales and marketing efforts. My core expertise is in software development building enterprise level web applications.

