Google, Yahoo Among Sites Hit in DNS Attack Targeting Romanian Domains
The Romanian versions of Google and Yahoo were among the sites diverted Nov. 28 after a Domain Name System attack on the Romanian Top-Level Domain Registry (RoTLD).
The sites themselves were not hacked. According to security researchers with Romania-based security firm BitDefender, the attack appears to be the work of The Algerian Hacker Group, an organization incorporating almost 200 different teams of hackers that is also targeting DNS systems of other national top-level domains (TLDs).
The Romanian hack, BitDefender noted in a blog post, is the fourth incident in the past month, which has also seen DNS attacks on Ireland, Israel and Pakistan TLDs.
"[Wednesday's] attack managed to poison DNS cache servers of all Internet Service Providers, including the Google DNS (126.96.36.199 and 188.8.131.52) as these ISPs cache the DNS resolution sent by RoTLD to speed up the resolution process when other similar requests are made," the company explained. "Some ISPs have already flushed their caches, others are still serving rogue resolutions. We are continuously scanning the DNS zones for the Romanian Internet and contacting ISPs individually for mitigating the crisis in the shortest time."
In addition to Google and Yahoo, the other sites affected by the incident are Microsoft.ro, Hotmail.ro, Windows.ro, Kaspersky.ro and paypal.ro, according to Stefan Tanase, senior security researcher at Kaspersky Lab. Before the attack was resolved, the Google and Yahoo domains were resolving to an IP address in the Netherlands.
"All this could have been much worse if the attacker had other goals in his mind than just becoming famous by defacing famous Websites," Tanase wrote. "Imagine how many accounts could have been compromised [Wednesday] morning if these Websites were redirected to a phishing page, instead of a defacement page."
According to BitDefender, the attack has the "same MO" as the hackers who targeted Pakistani registry PKNIC.
"However, while the motivation was strictly political—based on the message they left on the defaced page—in Pakistan, the attackers did not provide any clue about the reason they attacked the Romanian services," BitDefender noted. "The troubled state of society in the Middle East has given birth to a number of responses from digital activist groups that end up attacking popular Websites and exposing innocent users as collateral damage."
According to PKNIC, the breach occurred Nov. 23, and impacted nine DNS records. The affected Websites were redirected to a page with a message in Turkish for a few hours.
"Almost all of these Websites were mirrors of global sites such as google.pk, microsoft.pk, or place-holders for International brand names who do not actually do business in Pakistan such as paypal.pk, etc.," according to the company. "The changes caused by the incident were reverted within a few hours, by the PKNIC team, by late Friday night. The affected accounts were notified after the scope of the incident was identified."
The registry said it is launching new security initiatives in light of the attack, including inviting white-hat hackers to "test-drive the security" of its systems. The company is also establishing a reward program from hackers and developers in line with similar programs run by companies such as Google.