September 6, 2011

DNS attacks take scores of sites off line - redirect to hackers

Carl Leonard Principal Security Analyst

Last Sunday evening the websites of Vodafone, Betfair, Acer, National Geographic, the Telegraph and the Register all fell victim to a hacking attack. This was the work of a Turkish hacker group called TurkGuvenligi, which diverted traffic from these sites to a new holding page announcing “TurkGuvenligi declare this day as World Hackers Day - Have fun ;) h4ck y0u”.

So how was it possible to affect so many high-profile organisations at once? What happened is known as a DNS hijack, essentially a masked redirect: you’d be redirected but you wouldn’t see it coming. What the affected websites had in common was their Domain Name Registrars. Noted names include Netnames.co.uk and Ascio, although others have been implicated as well. It was these registrars’ systems that had been hijacked. The websites themselves were free of malware, but during the attack people wouldn’t actually reach the correct site.

The Domain Name System (DNS) acts like a kind of phone book for the internet, converting the words you type in for a web address into a number. By hijacking the system, the hackers were able to send people to the ‘wrong number’. While the attack was taking place they could have chosen to send people to any number (i.e. site) they wanted. There’s an interesting article in The Guardian which talks to the hackers who carried out this attack.

One particular challenge, noted in another Register piece, is that "the domain names are totally out of control of the owners until they can get the registrar to change them back to their own nameservers." Also, email sent to the sites while the hack was live would be diverted to the hackers' site. This presents a real challenge, as confidential data could also get into the wrong hands.
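The change described above (nameservers switched at the registrar, with web and mail traffic following) is what a comparison against a known-good baseline catches. This is an added example, not code from the original article: it parses dig-style answer lines and reports NS, A and MX drift, and the domain, addresses and the `BASELINE`/`OBSERVED` names are constructed for illustration.

```python
# Added example: detect registrar-level DNS hijacking by comparing observed
# records against a known-good baseline. All names and addresses are constructed.
from collections import defaultdict

# Known-good records for a hypothetical domain (assumption: kept by the owner).
BASELINE = {
    ("example.test.", "NS"): {"ns1.example.test.", "ns2.example.test."},
    ("example.test.", "A"): {"192.0.2.10"},
    ("example.test.", "MX"): {"mail.example.test."},
}

# Constructed sample in dig answer-section format, as seen during a hijack.
OBSERVED = """\
; constructed sample, not real traffic
example.test.   300   IN  NS  ns1.hijacker.invalid.
example.test.   300   IN  NS  ns2.hijacker.invalid.
example.test.   300   IN  A   203.0.113.66
example.test.   300   IN  MX  10 mail.example.test.
"""

def parse_answers(text):
    """Parse 'name ttl class type rdata' lines into {(name, type): {rdata}}."""
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig comment lines
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue  # not a well-formed Internet-class answer line
        name, rtype = fields[0].lower(), fields[3].upper()
        # For MX, drop the preference value and keep only the exchange host.
        rdata = fields[-1] if rtype == "MX" else " ".join(fields[4:])
        records[(name, rtype)].add(rdata.lower())
    return dict(records)

def find_drift(baseline, observed):
    """Return sorted (name, type, unexpected, missing) for every mismatch."""
    drift = []
    for key, expected in baseline.items():
        seen = observed.get(key, set())
        if seen != expected:
            drift.append((key[0], key[1], sorted(seen - expected), sorted(expected - seen)))
    return sorted(drift)

if __name__ == "__main__":
    for name, rtype, unexpected, missing in find_drift(BASELINE, parse_answers(OBSERVED)):
        print(f"ALERT {name} {rtype}: unexpected={unexpected} missing={missing}")
```

The MX host in the sample is unchanged and is not flagged, but it is resolved through the same delegation, so NS drift on its own already means mail delivery is at risk.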

The list of successfully breached companies just keeps growing and growing. Fact. Bad guys know how to take advantage of software vulnerabilities. But what can the good guys do about it? We recently hosted a Webinar on some of our research on attacks, attack types and how you can stay ahead in the game. If you missed it you can watch the recorded webcast here: http://www.websense.com/content/apt-webcast-reg-en.aspx?cmpid=pr


Carl Leonard is a Principal Security Analyst within Forcepoint X-Labs. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Labs teams. Focusing on protecting companies against the latest cyberattacks that...
