Attackers hijack the .ro domains of Google, Microsoft, Yahoo, others

The DNS records for the affected domain names were modified, suggesting a possible security breach at the .ro registry

By Lucian Constantin, IDG News Service |  Security

The Romanian domain names of Google, Yahoo, Microsoft, Kaspersky Lab and other companies were hijacked on Wednesday and were redirected to a hacked server in the Netherlands.

The hijacking occurred at the DNS (Domain Name System) level, with attackers modifying the DNS records for google.ro, yahoo.ro, microsoft.ro, hotmail.ro, windows.ro, kaspersky.ro and paypal.ro, according to Costin Raiu, director of the global research and analysis team at security vendor Kaspersky Lab.

This led to the websites displaying an attacker-supplied page instead of their regular content -- an attack commonly known as a website defacement. The rogue page displayed in this case attributed the attack to an Algerian hacker using the alias MCA-CRB. The hacker also posted screenshots of the defaced websites on the Zone-H.org website, a Web defacement archive.

The hacker pointed the domains to a server in the Netherlands -- server1.joomlapartner.nl -- that also appears to have been hacked, said Bogdan Botezatu, a senior e-threat analyst at Romanian antivirus vendor Bitdefender.

Botezatu believes that the DNS records were modified as a result of a security breach at the RoTLD domain registry, which manages the authoritative DNS servers for the entire .ro domain space.

The Romanian National Institute of Informatics Research and Development, the organization that runs the RoTLD registry, did not respond to a request for comment.

A compromise of the RoTLD Web system used by .ro domain name owners to administer their domains, or of the registry's DNS servers, is one of the possibilities, Raiu said.

Kaspersky Lab's RoTLD account that was used to administer kaspersky.ro -- one of the affected domain names -- did not display any alerts or other obvious signs of compromise, Raiu said. However, this does not exclude the possibility of hackers gaining access to the account of a RoTLD administrator directly, he said.

Kaspersky is in the process of filing an official complaint with RoTLD, Raiu said.

Another scenario involves attackers launching a so-called DNS poisoning attack that resulted in rogue DNS records being inserted in Google's public DNS resolver servers -- 8.8.8.8 and 8.8.4.4 -- Kaspersky researchers said Wednesday in a blog post.

Not all Romanian users were affected by the attack. In fact, the DNS resolver servers of many Romanian ISPs did not report the poisoned records, Raiu said.
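The two scenarios the article describes leave different fingerprints: if the registry's authoritative records were changed, every resolver agrees on the rogue address, whereas cache poisoning shows up as some resolvers disagreeing with the authoritative answer. The following Python script is an added illustration, not code from the article or from any of the companies named; the resolver labels and addresses are constructed sample data (RFC 5737 documentation ranges), and in practice the input would be gathered by querying each resolver for the same names. It also flags the mass-defacement pattern of many unrelated domains converging on one host.

```python
from collections import defaultdict
# Constructed sample data, not real measurements: for each name, the A-record
# set each resolver returned ("auth" = the zone's authoritative server).
# RFC 5737 documentation addresses stand in for real ones.
OBSERVATIONS = {
    "google.ro": {
        "auth": {"192.0.2.10"},
        "8.8.8.8": {"203.0.113.5"},
        "8.8.4.4": {"203.0.113.5"},
        "isp-a": {"192.0.2.10"},
    },
    "yahoo.ro": {
        "auth": {"192.0.2.20"},
        "8.8.8.8": {"203.0.113.5"},
        "8.8.4.4": {"203.0.113.5"},
        "isp-a": {"192.0.2.20"},
    },
    "kaspersky.ro": {  # authoritative record itself altered: registry-level pattern
        "auth": {"203.0.113.5"},
        "8.8.8.8": {"203.0.113.5"},
        "isp-a": {"203.0.113.5"},
    },
    "example.ro": {  # unaffected control name
        "auth": {"192.0.2.40"},
        "8.8.8.8": {"192.0.2.40"},
        "isp-a": {"192.0.2.40"},
    },
}

def classify(observations, reference="auth"):
    """Per name: 'consistent' if every resolver matches the reference, else
    'resolver-divergent' plus the disagreeing resolvers (cache-poisoning pattern)."""
    result = {}
    for name, answers in observations.items():
        ref = answers[reference]
        bad = sorted(r for r, ips in answers.items() if ips != ref)
        result[name] = ("resolver-divergent", bad) if bad else ("consistent", [])
    return result

def shared_targets(observations, min_names=3):
    """Addresses that any resolver served for >= min_names distinct names; many
    unrelated domains pointing at one host is the mass-defacement pattern."""
    names_by_ip = defaultdict(set)
    for name, answers in observations.items():
        for ip in set().union(*answers.values()):
            names_by_ip[ip].add(name)
    return {ip: sorted(n) for ip, n in names_by_ip.items() if len(n) >= min_names}

if __name__ == "__main__":
    print(classify(OBSERVATIONS))
    print(shared_targets(OBSERVATIONS))
```

A name that classifies as consistent can still be hijacked when the authoritative record itself was changed, which is why the convergence check is run alongside the per-resolver comparison.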
