UPDATE: I was asked to talk to Channel 4 news in the UK about this incident this evening and they have been good enough to share the full content of my interview and a subsequent interview on the same subject with Tim Stevens from King’s College London.

_________________________________________________________________________________________
Original post:
[Image: Banner from hacked site]

At about 6am GMT Twitter fell victim to a DNS hijacking attack by a group calling itself the “Iranian Cyber Army” (I wonder if they noticed the CIA irony?). The site was affected for the best part of an hour.

[Image: Full hacked page]

The initial attack has left many users confused and has created a widespread belief that the Twitter servers themselves were compromised. This does not appear to have been the case. The latest update on the Twitter blog says:

“As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.”

 

This kind of DNS hijacking usually involves compromising the registrar responsible for the DNS records of the victim company; the attackers then make unauthorised changes to those DNS records. These changes mean that when you or I type a web site address into our browsers, we are directed not to the real web site but to a second site set up by the hackers, in this case the “Iranian Cyber Army”. The net effect is that it looks as though servers belonging to the victim, in this example Twitter, were compromised, when in reality they were not.

 

These sorts of attacks are usually limited to hacktivism activities like this one today, but imagine the potential for criminals if they could pull this off against any site requiring login credentials, such as PayPal, eBay, MSN or Facebook. One has to wonder how quickly the attack would be noticed if the dummy site were an exact replica of the victim and was simply there to harvest credentials and then redirect the user to the real site. This attack is called pharming, and it currently mostly happens as a result of local malware modifying individual PCs, not through the compromise of global DNS records, but the potential is demonstrably there. Companies should be monitoring their DNS resolution from several servers so that they become aware as early as possible when this kind of attack takes place.
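As an added illustration of the monitoring advice above (this is not code from the original post), the script below sends a raw A-record query to a chosen resolver and flags any answer that falls outside an allow-list of expected addresses, which is what a multi-resolver check for a hijacked record looks like in practice. The domain, resolver addresses and expected IPs are assumptions to be replaced with your own.

```python
import random
import socket
import struct

def build_query(name, qid):
    # Header: id, flags with RD set, qdcount=1; then the name, qtype A (1), qclass IN (1).
    qname = b"".join(bytes([len(x)]) + x.encode() for x in name.strip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def skip_name(msg, off):
    # Step past a name; a compression pointer (top two bits set) is two bytes and ends it.
    while (msg[off] & 0xC0) != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + 2 if (msg[off] & 0xC0) == 0xC0 else off + 1

def parse_a_records(msg, qid):
    # Return the IPv4 addresses in the answer section; other record types are skipped.
    rid, flags, qdcount, ancount = struct.unpack(">HHHH", msg[:8])
    if rid != qid or (flags & 0x000F) != 0:
        return []  # transaction id mismatch or a non-zero RCODE
    off, addrs = 12, []
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip qtype and qclass
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return addrs

def query_a(name, resolver, timeout=2.0):
    # One UDP query to one resolver (needs network); a timeout or socket error yields [].
    qid = random.randrange(65536)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_query(name, qid), (resolver, 53))
            data, _ = sock.recvfrom(512)
    except OSError:
        return []
    return parse_a_records(data, qid)

def check_answers(expected, answers):
    # answers maps resolver -> IPs it returned; an IP outside the allow-list means the name
    # now points where it should not, and an empty answer means that resolver gave nothing.
    return [f"{resolver}: unexpected A records {sorted(set(ips) - set(expected))}" if ips
            else f"{resolver}: no answer"
            for resolver, ips in answers.items() if not ips or set(ips) - set(expected)]
```

Run query_a for each resolver you trust (assumed here to be a handful of public and internal resolvers), collect the results in a dict keyed by resolver, and pass it with your allow-list to check_answers from a scheduled job.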

 

Twitter was not the only web site affected by this compromise; a quick search revealed one other site displaying the same content.

[Image: Google search result]

When it comes to attacking high profile targets it can often be that the registrar is the chink in the security armour. In fact Zone-H, the defacement archive, has previously noted that registrars have been “one of the main aims of the past months”.

 

If attacks like this can be said to serve any purpose at all, then perhaps they can serve as a reminder that we all need to absolutely ensure that our business partners meet our own high security standards, and that applies in both the online and offline worlds.


This entry was posted on Friday, 18. December 2009 and is filed under "Hacking, Site Compromise, Web 2.0". You can follow any responses to this entry with RSS 2.0. You can leave a response here, or send a trackback from your own site.

14 Comments to "Twitter (not) hacked by Iranian Cyber Army"

Angels of security » Blog Archive » Twitter’s DNS servers hacked:
Friday, 18. December 2009 at 6:36 pm

[...] to a series of news accounts today, it looks like twitter was either hacked or not hacked, depending on who you listen to. The bottom line seems to be that Twitter’s DNS servers were [...]

Frederick Felman:
Friday, 18. December 2009 at 8:52 pm

It is likely that Twitter’s registrar was hacked. Important to note is that there is protection available from certain registrars including MarkMonitor that mitigates this form of redirection and defacement.

Using “super-locking” eliminates the ability of hackers to use automated methods to change DNS records.

How Twitter was Hacked:
Friday, 18. December 2009 at 10:03 pm

[...] the DNS records of the victim company before altering the relevant DNS records, in a blog posting here. This kind of DNS hijacking usually involves compromising the registrar responsible for the DNS [...]

Twitter Hacked, Defaced By “Iranian Cyber Army” | Denver SEO & Phoenix SEO Company:
Saturday, 19. December 2009 at 5:24 pm

[...] http://countermeasures.trendmicro.eu/twitter-not-hacked-by-iranian-cyber-army/ | Tags: Iranian Cyber Army, twitter « The race to “70″ [...]

Twitter Hacked, Defaced By “Iranian Cyber Army” | Colorado Springs SEO:
Saturday, 19. December 2009 at 5:44 pm

[...] trust website claimed that Twitter was not hacked and that the recent ‘hacking attempt’ was an issue of that of a 3rd party Twitter partner which opened  up a DNS [...]

Attack by the Iranian Cyber Army on Twitter | Soxial Media:
Sunday, 20. December 2009 at 9:01 pm

[...] we saw at: CounterMeasures.TrendMicro Share [...]

Twitter’s DNS Hacked! (Washington Post)- DNS Monthly:
Monday, 21. December 2009 at 3:41 am

[...] Twitter’s DNS service is provided by Manchester, N.H. based Dyn Inc. Tom Daly, chief technology officer at Dyn, said the incident was not the result of a security failure on its services. Daly said it appears someone changed Twitter’s DNS records to point visitors to a different Internet address using the proper account credentials assigned to Twitter (image above courtesy Trend Micro). [...]

Beautiful World of the Web » Blog Archive » Know more: Twitter was not hacked!:
Monday, 21. December 2009 at 6:27 pm

[...] the software company Trend Micro was about this incident (here). The headline made the event completely clear: “Twitter hack [...]

Twitter hacked | web hosting india, web hosting in india, web hosting company india, india web hosting:
Wednesday, 30. December 2009 at 7:22 am

[...] Read about the subject on the TrendMicro Countermeasures Blog. [...]

Iranian Cyber Army Strikes at China’s Search Engine Giant, Chinese Hackers Retaliate | Malware Blog | Trend Micro:
Thursday, 14. January 2010 at 10:24 am

[...] the group staged to obtain the login credentials to the target site’s registrar account, quite similar to the DNS hacking they did to [...]

Anti-Virus & Anti-Malware website. » Iranian “Cyber Army” Strikes at China’s Search Engine Giant, Chinese Hackers Retaliate:
Thursday, 14. January 2010 at 10:40 pm

[...] the group staged to obtain the login credentials to the target site’s registrar account, quite similar to the DNS hacking they did to [...]

Iranian “Cyber Army” Strikes at China’s Search Engine Giant, Chinese Hackers Retaliate - VirusDB.INFO:
Friday, 15. January 2010 at 1:39 am

[...] login credentials to the target site’s registrar account, quite similar to the DNS hacking they did to [...]

Twitter Falls Victim To DNS Redirect:
Sunday, 22. August 2010 at 1:33 pm

[...] A DNS hijacking attack left Twitter temporarily affected for about an hour early on Friday. The initial attack has left many users scratching their heads while spreading the belief that Twitter’s servers themselves were commandeered by hackers in the name of the “Iranian Cyber Army”. Not so. It now seems that Twitter’s DNS records were altered. That means surfers trying to reach the website directly via name resolution services were thrown over towards a fake domain, while the site itself and micro-blogging applications that plugged into Twitter’s API – such as TweetDeck or mobile phone apps – were unaffected by the attack. A on Twitter’s blog explains: As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully. Rik Ferguson, a security consultant at Trend Micro, explained that this type of DNS hijacking usually involves compromising the systems at the registrar responsible for the DNS records of the victim company before altering the relevant DNS records, in a blog posting here… [...]




© Copyright 2010 Trend Micro Inc. All rights reserved.