Google and Yahoo’s Irish iterations were temporarily knocked offline Oct. 9 after their domain name server records were changed due to a security breach.
The incident occurred when the DNS name server records of both domains were changed after a registrar’s account was accessed without authorization, according to the IE Domain Registry (IEDR). The registrar was identified as MarkMonitor.
As a result of an investigation by IEDR and third-party experts, IEDR temporarily took external Web-based systems offline in order to perform additional analysis. The Whois service and the IEDR’s API, however, are fully operational, meaning the registrars accounting for more than two-thirds of .ie domains were largely unaffected by the interruption. Public access to .ie Websites or email is also unaffected, IEDR explained.
“Serious questions are being raised about how this breach occurred,” IEDR noted Oct. 10 in a separate blog post. “Security experts have suggested that the login details for the IEDR registrar’s console may have been “socially engineered,” for example, if a hacker pretended to represent MarkMonitor and manipulated the IEDR into providing login details to the Registrar console Website (where DNS nameservers are configured).”
MarkMonitor did not offer much in the way of details about the incident.
“As you know, the topic of ccTLD security has been discussed by the domain naming system community because of these types of breaches,” MarkMonitor spokesperson Te Smith said in a statement. “As policy, MarkMonitor does not comment on specific domain name security breaches. We recommend that all TLDs implement best practices security measures like those in use by Verisign .COM, Neustar .BIZ and the Puerto Rico.PR registries.”
In January, hackers in the Anonymous collective hijacked the domain name system record for CBS.com and redirected traffic to another Web server that displayed an empty directory structure, making it appear as though the contents of CBS.com had been erased. CBS.com eventually regained control of the domain.
According to IEDR, in the case of Google and Yahoo, the records were modified to point to DNS name servers in Indonesia that have been linked to well-known hacking sites—making it possible that some visitors to Google.ie and Yahoo.ie may have been taken to fraudulent versions of those sites. Graham Cluley, senior technology consultant at Sophos, identified the Indonesian name servers as belonging to farahatz.net.
According to Cluley, an attacker could have, for example, potentially taken users to a bogus version of Google “and infected them with malware or distributed advertising pop-ups.”
In statements to ZDNET, both Google and Yahoo acknowledged the situation and apologized to users. “We are aware that Yahoo.ie was inaccessible to some users in Ireland,” a Yahoo spokesperson told ZDNET. “This issue is resolved and we apologise [sic] for any inconvenience this may have caused.”
According to IEDR, police have been notified about the situation.