Turkish attackers compromised DNS provider NetNames to redirect traffic from more than 186 Websites to a different page and proclaimed "hacking is not a crime."
Attackers changed the
Internet routing information on major Websites to redirect users to different
pages over the weekend, affecting dozens of companies, including Microsoft, the
United Parcel Service and computer producer Acer.
Visitors to the affected sites
on Sept. 4 were shown a black page with a message that read in part,
"Hacking is not a crime...We TurkGuvengligi declare this day as World
Hackers Day - Have fun." Guvenligi is Turkish for "security."
It's not yet known whether a lone attacker or a group performed the redirects.
The attackers had breached
the servers belonging to NetNames, a company that provides Domain Name System
services to various Websites. DNS records are like entries in a telephone
directory, with host names translated into actual IP addresses. Attackers
managed to change the actual directory entries to point the host names to IP
addresses under their control.
"It's important to note
that the Websites themselves have not been hacked, although to Web visitors
there is little difference in what they experience-a Web page under the control
of hackers," Graham Cluley, senior technology consultant at Sophos, wrote
on the Naked
About 186 Websites appear to
have been affected, according to Zone-H
a site that tracks Website defacements. The list of affected organizations
included Coca-Cola, Interpol, Adobe, Dell, Harvard University, F-Secure, Secunia, UPS, the United Kingdom's The Register
and The Daily
Acer, Betfair, Vodafone, French automobile brand Peugeot, and
the National Geographic.
country-specific Websites for Microsoft and global bank HSBC were also
targeted. Their DNS records were modified to point to multiple name
servers at "yumurtakabugu.com." The domain name resolved to an IP
address owned by hosting provider Blue Mile, according to the DNS record.
Turkguvenligi used SQL
injection, a technique in which commands are entered into a form on a Website,
such as log-in boxes and comment fields. If the site did not properly handle
text entered into the form, it would pass them to the back-end server and
database and execute the commands, giving attackers information they should not
be able to access. Turkguvenligi submitted a redelegation order into the
NetNames system late in the evening Sunday to change the address of the master
DNS servers, according to a statement to customers from NetNames.
"The rogue name server
then served incorrect DNS data to redirect legitimate Web traffic intended for
customer Websites through to a hacker holding page branded Turkguvenligi,"
The company reversed the
changes within hours, but since servers generally cache DNS records, it took awhile
for the corrected information to propagate, leaving users unable to access the
sites. It appears that Turkguvenligi managed to compromise at least one account
on the NetNames system through the attack. The accounts have been disabled to
prevent future attempts, NetNames said.
Turkguvenligi could have
caused more damage than defacing pages. With the DNS record modified, it would
have been a simple matter for attackers to put up a cloned site and harvest log-ins
and password information, especially on affected banking sites. Users would
have seen the correct URL in the address bar and would not have been able to
tell they were being phished.
confirmed that the attack did not breach the actual sites. "As
far as we can tell, there was no attempt to penetrate our systems," wrote Drew
on the site, but the publication shut down all services that
required a password as a precaution.
DNSSEC, a security measure
now being deployed by many registrars to guard against DNS tampering may not
have prevented this kind of attack because the attackers submitted an actual order
to change the records on the provider level, Chester Wisniewski, a senior security advisor at Sophos, told eWEEK
DNSSEC uses public key
cryptography to digitally "sign" the DNS records for Websites, and attackers were able to sign new records using the NetNames keys, Wisniewski said. DNSSEC is
designed to stop attacks such as cache poisoning, where a DNS server, is compromised.It cannot protect against a DNS provider being compromised and signing false DNS records, he said.