Attackers protesting Superfish debacle hijack Lenovo e-mail, spoof website

Almost a week after revelations surfaced that Lenovo preinstalled dangerous ad-injecting software on consumer laptops, attackers took complete control of the company's valuable Lenovo.com domain name, a coup that allowed them to intercept the PC maker's e-mail and impersonate its Web pages.

The hijacking was the result of someone compromising a Lenovo account at domain registrar Web Commerce Communications, and changing the IP address that gets called when people typed Lenovo.com into their Web browsers or e-mail applications. As a result, the legitimate Lenovo servers were bypassed and replaced with one that was controlled by the attackers. Marc Rogers, a principal security researcher at content delivery network CloudFlare, told Ars the new IP address pointed to a site hosted behind his company's name servers. CloudFlare has seized the customer's account, and at the time this post was being prepared, company engineers were working to help Lenovo restore normal e-mail and website operations.

"We took control as soon as we found out (minutes after it happened) and are now working with Lenovo to restore service," Rogers said. "All we saw was the domain come in to us, at which point we took immediate action to protect them and their service."

Read 6 remaining paragraphs | Comments