DNS hack hijacks several major websites, no personal data lost

Turkish hackers mucked up the works of several high-profile websites on Sunday, rerouting normal visitors to a mysterious page that declared September 4th "World Hackers Day."

The cyber attack, which afflicted the official sites of UPS, Coca-Cola and many more, was nowhere near as disastrous as recent undertakings by Anonymous or LulzSec. Personal information and passwords were not compromised, said The Register - one of the many outlets whose DNS was misappropriated.


Sophos discussed the unique redirection ploy at its Naked Security security blog and provided insight into why this isn't your everyday hack:

It's important to note that the websites themselves have *not* been hacked, although to web visitors there is little difference in what they experience - a webpage under the control of hackers. Instead of breaching the website itself, the hackers have managed to change the DNS records for the various sites affected.

Comparing DNS to "a telephone book," Graham Cluley, Sophos senior technology consultant, remarked that, unlike a standard phishing scam, the attack was not malicious in nature.


"What seems to have happened is that someone changed the lookup, so when you entered telegraph.co.uk or theregister.co.uk into your browser you were instead taken to a website that wasn't under the control of those websites," said Cluley.

Cluley admitted he wasn't quite sure how the hackers circumvented the sites' security. He added that anyone who has visited any of the affected sites should erase their cookies as a precaution.

Computer World UK, however, provided additional insight and claimed the attack was carried out by a simple SQL injection.


The hackers' self-proclaimed day was short-lived. The Register issued a statement on Monday confirming as much:

On early Sunday evening, UK time, the DNS records of many websites, including those of The Register and The Telegraph, were hijacked and redirected to a third-party webpage controlled by Turkish hackers.

The Register's website was not breached. And as far as we can tell there was no attempt to penetrate our systems. But we shut down access / services - in other words, anything that requires a password - as a precaution. These are now restored.

Our DNS records were restored to normal after three hours or so. If you still see a defaced page, turning your equipment on and off again may help: there are DNS caches in your browser, OS, routers and at your ISP. Any of these could contain dodgy info.
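The statement above draws a distinction that matters when you are on the receiving end of an incident like this: the records may have been changed at the source, or the source may already be fixed while a copy of the bad answer lingers in a browser, OS, router or ISP cache. The checker below is an added example, not code from the article, The Register, NetNames or Sophos. It compares the A records seen through the local caching resolver and the records served directly by an authoritative nameserver against a known-good baseline, and labels each host as intact, changed at the source, or served from a stale cache. The hostnames and addresses are constructed placeholders from documentation ranges, the nameserver name is an assumption, and the `dig +short` wrapper assumes `dig` is installed; both lookup functions are injectable so the classification logic runs offline with constructed answers.

```python
"""Classify DNS answers as ok / stale_cache / authoritative_change / error.

Added example; hostnames, addresses and nameserver below are constructed
placeholders, not values from the article.
"""
import re
import socket
import subprocess

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed baseline: the A records each host is expected to resolve to.
BASELINE = {
    "www.example-news.test": {"198.51.100.10", "198.51.100.11"},
    "www.example-shop.test": {"203.0.113.5"},
}

# Assumed authoritative nameserver for the baseline zones (placeholder).
AUTH_NS = "ns1.example-dns.test"


def recursive_a(hostname):
    """A records as seen through the system's configured (caching) resolver.

    Returns None on lookup failure so the caller can report an error
    instead of treating "no answer" as "no change".
    """
    try:
        _, _, addrs = socket.gethostbyname_ex(hostname)
    except socket.gaierror:
        return None
    return set(addrs)


def authoritative_a(hostname, nameserver=AUTH_NS):
    """A records straight from a nameserver via `dig +short` (assumes dig exists).

    Only IPv4 lines are kept; a CNAME target printed by +short is ignored.
    """
    try:
        out = subprocess.run(
            ["dig", "+short", "A", hostname, f"@{nameserver}"],
            capture_output=True, text=True, timeout=10,
        )
    except (OSError, subprocess.TimeoutExpired):
        return None
    if out.returncode != 0:
        return None
    return {ln.strip() for ln in out.stdout.splitlines() if IPV4.match(ln.strip())}


def classify(expected, recursive, authoritative):
    """Label one host given its expected, cached-resolver and authoritative answers."""
    if recursive is None or authoritative is None:
        return "error"
    if authoritative != expected:
        # The source of truth itself differs from the baseline: this is the
        # registrar/DNS-host level change the article describes.
        return "authoritative_change"
    if recursive != expected:
        # Source is correct, but a cache between us and it still serves the
        # old answer (browser, OS, router or ISP, as The Register notes).
        return "stale_cache"
    return "ok"


def check(baseline, recursive=recursive_a, authoritative=authoritative_a):
    """Run the classification over every host in the baseline."""
    return {
        host: classify(expected, recursive(host), authoritative(host))
        for host, expected in baseline.items()
    }


if __name__ == "__main__":
    for host, status in check(BASELINE).items():
        print(f"{host}: {status}")
```

In practice the recursive side is whatever resolver your clients use, and the authoritative side should be every nameserver listed in the zone's NS set, since a hijack at the registrar can also swap the NS records themselves; run the check from a scheduler and alert on anything other than `ok`.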

According to hacking news site Zone-H, the group responsible - TurkguvenLigi - has a history of defacing sites in similar ways. The group posted a list of others affected by the hacker cadre, which includes websites of The Telegraph and National Geographic.

ZDNet revealed that all the affected sites were customers of the domain registry company, NetNames. Ironically, NetNames' motto is: "Protecting your brand is our domain."

The domain name manager said it took quick action and righted the wrongs:

The illegal changes were reversed quickly to bring service back to the customers impacted and the accounts concerned have been disabled to block any further access to the systems. NetNames considers the security of its systems and the data within to be of paramount importance. While no-one can completely defend against such sustained and concentrated malicious attacks we will continue to review our systems to ensure that we provide our customers a solid, robust and above all secure service.

NetNames declined to comment further or discuss what it will do to prevent similar (or worse) attacks in the future.
