Attackers exploited poor DNS hygiene at the U.S. Centers for Disease Control and Prevention (CDC) to deliver malicious content disguised under the CDC’s trusted domain. The attack was discovered when users searching for English Premier League match streams encountered links that appeared to be from the CDC but actually led to scam sites, scareware, and malware. This was made possible through "dangling CNAME records"—a type of misconfiguration where the CDC retained DNS alias records pointing to a decommissioned Azure-hosted app. Once Microsoft released the underlying domain, a threat actor claimed it and hosted malicious content, which search engines then indexed due to the high reputation of the CDC’s domain.
The attackers used this reputation to manipulate search rankings, making their malicious links more visible and credible to users. By hosting harmful content on a subdomain of cdc.gov, they could potentially distribute malware, steal cookies scoped to the parent domain, run phishing campaigns, or even obtain TLS certificates for the subdomain to make the impersonation more convincing. Investigation revealed that the malicious content was funneled through a Traffic Distribution System (TDS), masking the attacker’s identity and redirecting users to dangerous destinations. The TDS is suspected to be operated by a Russian actor active on the dark web.
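The misconfiguration described above is detectable from the zone owner's side: a CNAME whose target no longer resolves, especially one pointing at a cloud provider suffix where released names can be re-registered, is a takeover candidate. The following audit script is an added example, not code from the article or from the CDC; the zone records, the resolver view and the suffix list are constructed assumptions (the suffix list is a partial, illustrative set of Azure-hosted DNS suffixes).

```python
import socket

# Assumed partial list of cloud DNS suffixes where a released name can be
# re-registered by anyone; azurewebsites.net is the Azure App Service suffix.
TAKEOVER_PRONE_SUFFIXES = (
    "azurewebsites.net.", "cloudapp.azure.com.", "trafficmanager.net.",
    "blob.core.windows.net.", "azureedge.net.",
)

def target_exists(name: str) -> bool:
    """Live check: does the CNAME target still resolve? NXDOMAIN -> False."""
    try:
        socket.getaddrinfo(name.rstrip("."), None)
        return True
    except socket.gaierror:
        return False

def find_dangling_cnames(zone, exists=target_exists):
    """Return (owner, target, risk) for CNAMEs whose target no longer resolves.

    zone:   iterable of (owner, rrtype, rdata) tuples with fully qualified names
    exists: lookup callable; injectable so the audit can run offline in tests
    """
    findings = []
    for owner, rrtype, rdata in zone:
        if rrtype.upper() != "CNAME":
            continue
        target = rdata.lower()
        if not target.endswith("."):
            target += "."
        if exists(target):
            continue  # target is still registered; not dangling
        # A dead target on a re-registrable provider suffix is the high-risk case
        risk = "high" if target.endswith(TAKEOVER_PRONE_SUFFIXES) else "review"
        findings.append((owner, target, risk))
    return findings

# Constructed sample zone export (not CDC data) and a constructed resolver view
SAMPLE_ZONE = [
    ("www.example.gov.", "CNAME", "www-prod.azurewebsites.net."),
    ("oldapp.example.gov.", "CNAME", "retired-app.azurewebsites.net."),
    ("docs.example.gov.", "CNAME", "docs.partner-that-closed.example."),
    ("mail.example.gov.", "A", "198.51.100.7"),
]
STILL_REGISTERED = {"www-prod.azurewebsites.net."}

def offline_exists(name: str) -> bool:
    return name in STILL_REGISTERED

if __name__ == "__main__":
    for owner, target, risk in find_dangling_cnames(SAMPLE_ZONE, offline_exists):
        print(f"{risk:6} {owner} -> {target}")
```

Run it against a real zone export with the default live resolver; every "high" finding should be removed from the zone or re-claimed in the provider before anyone else can, and "review" findings checked with the record's owner.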