Wednesday, November 28, 2012

Google’s Romanian Domain Gets Defaced By Algerian Hacker MCA-CRB

Looks like Pakistan is not the only place where major internet companies’ domain names can get hacked. This morning, google.ro was taken over, with credit being claimed by “Algerian Hacker” MCA-CRB, a serial website defacer. The site looked like the picture above for at least an hour, according to our tipster. It still looked like this when I took the screenshot, although now the site seems to have been taken down altogether. It appears to be slowly coming back to the normal Google Romania page worldwide now, and the incident is being described as a possible “DNS hijacking attack” (more below).

Softpedia is reporting that the same thing has happened to Yahoo’s site, but the site looks fine to me right now. Paypal.ro is also redirecting to the same page as Google.ro, although Paypal also operates another site at https://www.paypal.com/ro/ that is up.

The text on the hacked site reads: “By MCA-CRB / Algerian Hacker” and gives credit to three names, “all members Sec” — so perhaps in one of the many loose groups of hackers that associate themselves with Anonymous and LulzSec. “S thanks = Mr-AdeL & i-Hmx & Lagripe-Dz All Members Sec,” the page reads.

MCA-CRB is also threatening more. “To Be Continued ….” the site says.

That’s not an empty threat, it seems. MCA-CRB, according to Zone-h’s registry of hacked sites, has been responsible for 5,530 site hacks and defacements to date, with many of them appearing to cover government and public services sites from countries across Asia, Africa, Europe, Australia and the Americas. By comparison, Zone-h attributes 313 sites to Eboz, not counting the 284 from over the weekend.

Interestingly, this doesn’t seem to be happening everywhere. My colleague Drew sent me the screenshot for Google.ro from his computer in California and it seems to look like business as usual:

And it doesn’t seem to be following the same form as this weekend’s defacement exercise in Pakistan, where 284 sites were taken down by a hacker called Eboz. That attack appeared to involve the infiltration of the country’s domain registry, PKNIC, where all of the affected domain name servers were redirected to servers hosted by Freehostia. But according to current checks on Google.ro, the site is still pointing to Google name servers.

We are reaching out to Google for comment and will update this story.

Update: Stefan Tanase, a Kaspersky Lab expert writing at Securelist, notes that the incident may be due to a “DNS hijacking” attack. He notes that “both domains resolve to an IP address located in the Netherlands,” at 95.128.3.172 (server1.joomlapartner.nl), “so it rather looks like a DNS poisoning attack.”

H/T Marius M.

