At about 6am GMT Twitter fell victim to a DNS hijacking attack by a group calling itself the “Iranian Cyber Army” (I wonder if they noticed the CIA irony)? The site was affected for the best part of an hour.
The initial attack has left many users confused and widespread belief that the Twitter servers themselves were compromised. This does not appear to have been the case. The latest update on the Twitter blog says
“As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.”
This kind of DNS hijacking usually involves compromising the registrar responsible for the DNS records of the victim company, the attackers then make unauthorised changes to the DNS records. These changes mean that when you or I type a web site address into our browsers, we are directed not to the real web site but to a second site, set up by the hackers, in this case the “Iranian Cyber Army”. This has the net effect of making it look like, in this example, servers belonging to Twitter were compromised when in reality that was not the case.
These sorts of attacks are usually limited to hacktivism activities like this one today, but imagine the potential to criminals if they could pull this off against any site requiring log in credentials, such as PayPal, eBay, MSN, Facebook. One has to wonder how quickly the attack would be noted if the dummy site was an exact replica of the victim and was simply there to harvest credentials and redirect the user then into the real site. This attack is called Pharming and currently mostly happens as a result of local malware modifying individual PCs, not through the compromise of global DNS records, but the potential is demonstrably there. Companies should be monitoring their DNS resolution on several servers to become aware as early as possible when this kind of attack takes place.
Twitter was not the only web site affected by thsi compromise, a quick search revealed one other site displaying the same content.
When it comes to attacking high profile targets it can often be that the registrar is the chink in the security armour. In fact Zone-H, the defacement archive, has previously noted that registrars have been “one of the main aims of the past months“.
If attacks like this can be said to serve any purpose at all, then perhaps they can serve as a reminder that we all need to absolutely ensure that our business partners meet our own high security standards, and that stands in both the on and offline worlds.