Attackers changed the Internet routing information on major Websites to redirect users to different pages over the weekend, affecting dozens of companies, including Microsoft, the United Parcel Service and computer producer Acer.
Visitors to the affected sites on Sept. 4 were shown a black page with a message that read in part, “Hacking is not a crime…We TurkGuvengligi declare this day as World Hackers Day – Have fun.” Guvenligi is Turkish for “security.” It’s not yet known whether a lone attacker or a group performed the redirects.
The attackers had breached the servers belonging to NetNames, a company that provides Domain Name System services to various Websites. DNS records are like entries in a telephone directory, with host names translated into actual IP addresses. Attackers managed to change the actual directory entries to point the host names to IP addresses under their control.
“It’s important to note that the Websites themselves have not been hacked, although to Web visitors there is little difference in what they experience - a Web page under the control of hackers,” Graham Cluley, senior technology consultant at Sophos, wrote on the Naked Security blog.
About 186 Websites appear to have been affected, according to Zone-H, a site that tracks Website defacements. The list of affected organizations included Coca-Cola, Interpol, Adobe, Dell, Harvard University, F-Secure, Secunia, UPS, the United Kingdom’s The Register and The Daily Telegraph, Acer, Betfair, Vodafone, French automobile brand Peugeot, and the National Geographic. Various country-specific Websites for Microsoft and global bank HSBC were also targeted. Their DNS records were modified to point to multiple name servers at “yumurtakabugu.com.” The domain name resolved to an IP address owned by hosting provider Blue Mile, according to the DNS record.
Turkguvenligi used SQL injection, a technique in which database commands are entered into a form on a Website, such as a log-in box or comment field. If the site does not properly handle the text entered into the form, it passes that text to the back-end server and database, which executes it as a command, giving attackers access to information they should not be able to reach. Turkguvenligi submitted a redelegation order into the NetNames system late Sunday evening to change the address of the master DNS servers, according to a statement NetNames sent to customers.
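To show the flaw the article describes, here is an added example (not code from the article or from NetNames) of a log-in check written two ways against a constructed in-memory SQLite table: one that splices form text into the SQL and one that binds it as a parameter, so the database never reads it as part of the command.

```python
import sqlite3


def build_db():
    # Constructed sample user table standing in for a site's back-end database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("o'brien", "staple")])
    return conn


def login_vulnerable(conn, username, password):
    # Form text is pasted into the SQL string, so the database parses it as
    # part of the command: a quote in the input changes the query's structure.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    # Placeholders keep the form text as data; the query's structure is fixed
    # before the values are bound, whatever characters the user typed.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(username, password):
    """Run one form submission through both checks.

    Returns (vulnerable_result, safe_result); the vulnerable result is the
    string "error" when the spliced query no longer parses as valid SQL.
    """
    conn = build_db()
    try:
        vuln = login_vulnerable(conn, username, password)
    except sqlite3.OperationalError:
        vuln = "error"
    return vuln, login_safe(conn, username, password)


if __name__ == "__main__":
    # A legitimate name containing an apostrophe already breaks the spliced
    # query, while the parameterised one handles it correctly.
    print(compare("o'brien", "staple"))
```

The same mechanism that breaks on an apostrophe lets crafted input that closes the quote and appends an always-true condition satisfy the vulnerable check with no valid password; the parameterised version rejects it.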
“The rogue name server then served incorrect DNS data to redirect legitimate Web traffic intended for customer Websites through to a hacker holding page branded Turkguvenligi,” NetNames said.
The company reversed the changes within hours, but since servers generally cache DNS records, it took a while for the corrected information to propagate, leaving users unable to access the sites in the meantime. It appears that Turkguvenligi managed to compromise at least one account on the NetNames system through the attack. The accounts have been disabled to prevent future attempts, NetNames said.
Turkguvenligi could have caused more damage than defacing pages. With the DNS record modified, it would have been a simple matter for attackers to put up a cloned site and harvest log-ins and password information, especially on affected banking sites. Users would have seen the correct URL in the address bar and would not have been able to tell they were being phished.
The Register confirmed that the attack did not breach the actual sites. “As far as we can tell, there was no attempt to penetrate our systems,” wrote Drew Cullen on the site, but the publication shut down all services that required a password as a precaution.
DNSSEC, a security measure now being deployed by many registrars to guard against DNS tampering, may not have prevented this kind of attack because the attackers submitted an actual order to change the records at the provider level, Chester Wisniewski, a senior security advisor at Sophos, told eWEEK.
DNSSEC uses public key cryptography to digitally “sign” the DNS records for Websites, and the attackers were able to sign new records using the NetNames keys, Wisniewski said. DNSSEC is designed to stop attacks such as cache poisoning, where a DNS server is compromised. It cannot protect against a DNS provider being compromised and signing false DNS records, he said.