A hacking group gained access to Internet addressing records over the weekend, redirecting eight websites belonging to companies including UPS and Vodafone to a page controlled by the hackers.
One hundred eighty-six websites ended up redirected to a page controlled by the Turkish group “Turkguvenligi.” A message on the redirect page read: “4 Sept. We Turkguvenligi declare this day as World Hackers Day – Have fun 😉 h4ck y0u,” according to Zone-H, a website that tracks defacements.
All of the websites were registered through NetNames, which is part of the NBT group. NetNames provides DNS (Domain Name System) services for the websites; DNS is the system that translates a domain name into an IP address that a web browser can connect to.
Turkguvenligi managed to hack NetNames’ DNS servers through a SQL injection attack, which involves submitting crafted input through a web-based form so that the back-end database interprets it as part of a query. If that input is not validated before it reaches the database, an attacker could gain access to the system.
In the case of NetNames, Turkguvenligi put a redelegation order into the company’s system and changed the address of the master DNS servers that served the records for the websites, according to NetNames. The attack occurred at around 9 p.m. on Sunday.
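The injection mechanism described above, as an added example that is not part of the original article or of NetNames' systems: a registrar-style account lookup written twice, once by splicing form input into the SQL text and once with bound parameters. The table contents, account names, passwords and the sqlite3 in-memory database are all constructed for the demonstration.

```python
"""Constructed example: a registrar-style account lookup written two ways.
Table contents, names and passwords are made up; passwords are stored in
plaintext only to keep the demo tiny (a real system stores salted hashes)."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, domain TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", "correct horse", "example.com"), ("bob", "hunter2", "example.net")],
    )
    return conn


def domains_for_login_vulnerable(conn, username, password):
    """Form input is spliced into the SQL text, so the input can rewrite the query."""
    query = (
        "SELECT domain FROM accounts "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query)]


def domains_for_login_safe(conn, username, password):
    """Same query, but the values travel as bound parameters and are never parsed as SQL."""
    query = "SELECT domain FROM accounts WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    db = make_db()
    # Textbook injection string: the "commands" the article refers to. With the
    # vulnerable function it turns the WHERE clause into a condition that is
    # always true, so every account's domain comes back without a valid password.
    bad_password = "' OR '1'='1"
    print("vulnerable:", domains_for_login_vulnerable(db, "alice", bad_password))
    print("safe      :", domains_for_login_safe(db, "alice", bad_password))
```

The fix is not to scan input for suspicious characters but to keep data and query text separate: with bound parameters the database driver never parses the password value as SQL, so the same input simply fails to match any row.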
“The rogue name server then served incorrect DNS data to redirect legitimate web traffic intended for customer web sites through to a hacker holding page branded Turkguvenligi,” the statement read. “The illegal changes were reversed quickly to bring service back to the customers impacted and the accounts concerned have been disabled to block any further access to the systems.”
Although this attack turned out to be fairly benign, it could have been far worse. The group could have set up lookalike sites for the real ones, tricking users into thinking they were on the legitimate site and possibly stealing logins and passwords.
Other websites affected were those belonging to The Telegraph newspaper, The Register technology news site, Acer and the National Geographic.
DNSSEC, a security measure now deployed by registrars to guard against DNS tampering, may not have prevented this kind of attack, said Paul Mutton, a security analyst with Netcraft.
DNSSEC uses public key cryptography to digitally “sign” the DNS records for websites. It is designed to stop attacks such as cache poisoning, in which a DNS server is fed forged records so that a user who types in the correct website name ends up directed to a fake website.
“If the attacker was able to change the DNS settings held by the domain registrar, presumably they could also have changed other settings, such as disabling DNSSEC, or rather, simply change the DNS settings to point to nameservers that do not support DNSSEC,” Mutton said.
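Mutton's point, as an added example that is not part of the original article: a toy model of how a validating resolver walks a DNSSEC delegation, run against three constructed scenarios. A forged record on the legitimate nameserver fails validation, but a redelegation submitted through the registrar, which also drops the DS record from the parent zone, is classified as merely "insecure" and the rogue address is accepted. Textbook RSA with small fixed primes stands in for real DNSSEC signatures, and every name, address, key and zone record here is made up.

```python
"""Toy model of how a validating resolver walks a DNSSEC delegation, and why a
registrar-level redelegation slips past it. Constructed example: textbook RSA
with small fixed primes stands in for real DNSSEC signatures; all names,
addresses and zone contents are made up."""
import hashlib
import json


def toy_keypair(p, q, e=65537):
    """Textbook RSA key pair (assumption: p and q are prime). Toy only, not secure."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e}, {"n": n, "d": d}


def _digest(obj, n):
    # Canonical serialisation, hashed and reduced into the toy key's range.
    data = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, obj):
    return pow(_digest(obj, priv["n"]), priv["d"], priv["n"])


def verify(pub, obj, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(obj, pub["n"])


def ds_record(pub):
    """DS = hash of the child's public key, published in the parent zone."""
    return hashlib.sha256(json.dumps(pub, sort_keys=True).encode()).hexdigest()


# The parent (TLD) zone key is the resolver's trust anchor; the child key signs the site.
PARENT_PUB, PARENT_PRIV = toy_keypair(1000003, 1000033)
CHILD_PUB, CHILD_PRIV = toy_keypair(1000037, 1000039)
SITE = "example.com"
REAL_IP, ROGUE_IP = "203.0.113.10", "198.51.100.66"


def delegation(ns, ds):
    """What the registrar pushes into the parent zone; the parent signs whatever it is told."""
    body = {"ns": ns, "ds": ds}
    return dict(body, sig=sign(PARENT_PRIV, body))


def signed_answer(ip):
    body = {"a": ip}
    return dict(body, key=CHILD_PUB, sig=sign(CHILD_PRIV, body))


def resolve(name, parent_zone, nameservers, trust_anchor=PARENT_PUB):
    """Return (status, ip) the way a validating resolver would classify the answer."""
    deleg = parent_zone[name]
    if not verify(trust_anchor, {"ns": deleg["ns"], "ds": deleg["ds"]}, deleg["sig"]):
        return "bogus", None                    # delegation itself tampered with
    answer = nameservers[deleg["ns"]][name]
    if deleg["ds"] is None:
        return "insecure", answer["a"]          # parent says child is unsigned: accept as-is
    key = answer.get("key")
    if key is None or ds_record(key) != deleg["ds"]:
        return "bogus", None                    # key does not chain to the parent's DS
    if not verify(key, {"a": answer["a"]}, answer["sig"]):
        return "bogus", None                    # record does not match its signature
    return "secure", answer["a"]


def scenario_normal():
    parent = {SITE: delegation("ns.legit.example", ds_record(CHILD_PUB))}
    servers = {"ns.legit.example": {SITE: signed_answer(REAL_IP)}}
    return resolve(SITE, parent, servers)


def scenario_forged_record():
    # Cache-poisoning style: the A record is swapped but the signature is not.
    parent = {SITE: delegation("ns.legit.example", ds_record(CHILD_PUB))}
    poisoned = dict(signed_answer(REAL_IP), a=ROGUE_IP)
    servers = {"ns.legit.example": {SITE: poisoned}}
    return resolve(SITE, parent, servers)


def scenario_registrar_redelegation():
    # The registrar account points the delegation at a rogue server and drops the DS.
    parent = {SITE: delegation("ns.rogue.example", None)}
    servers = {"ns.rogue.example": {SITE: {"a": ROGUE_IP}}}
    return resolve(SITE, parent, servers)


if __name__ == "__main__":
    for fn in (scenario_normal, scenario_forged_record, scenario_registrar_redelegation):
        print(f"{fn.__name__:32s} -> {fn()}")
```

The third scenario is the one that matters for this incident: DNSSEC only proves that an answer matches what the parent zone delegated, and whoever controls the registrar account controls that delegation. Monitoring the NS and DS records published for your own domains, and locking changes to them at the registrar, covers the gap that signing alone does not.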
NetNames described the attacks against its systems as “sustained and concentrated.” “We will continue to review our systems to ensure that we provide our customers a solid, robust and above all secure service,” officials said.