Early Wednesday, unknown adversaries diverted traffic intended for the Romanian sites of Google and Yahoo to a defaced Web page.
As it turned out, the sites themselves had not been hacked. The attacker had gained access to DNS servers and altered the DNS entries for domains including google.ro, yahoo.ro, microsoft.ro, paypal.ro, kaspersky.ro, windows.ro, and hotmail.ro to point to a different page in a DNS poisoning attack, Stefan Tanase, senior security researcher at Kaspersky Lab, wrote on the company’s SecureList blog. Tanase determined that both the google.ro and yahoo.ro domains were resolving to a Dutch IP address instead of to the correct sites.
Domain Name System servers act as a directory for the Web, translating domain names into the actual IP addresses of the servers so that users don’t have to remember numeric codes. By changing the DNS entry, the attacker ensures that even though users are typing the correct domain name, they are diverted to a malicious site instead.
While it’s not known at this time how the attacker got access to the DNS entry, the cause in such cases is usually a weak or compromised password, or some kind of vulnerability on the registrar’s Website.
After scanning the .ro domains, researchers were able to determine that the only DNS entries that had been hijacked were Google’s public DNS servers, 188.8.131.52 and 184.108.40.206. It appears the problem with the google.ro domain was fixed around 8am Eastern time (13:00 GMT), according to the SecureList post.
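The scan described above, where resolvers are queried for a set of domains and their answers compared, is the kind of check a defender can automate. The following is an added example and not code from the article or from Kaspersky: it compares A-record answers from several resolvers against a baseline of address blocks each domain is allowed to resolve into, and every domain name, resolver label and address in it is constructed.

```python
# Added example (not from the article): flag a registrar-level DNS hijack by
# comparing A-record answers from several resolvers against a baseline of
# address blocks the domain is allowed to resolve into. Domain names, resolver
# labels and addresses are all constructed (RFC 5737 documentation ranges).
import ipaddress
from typing import Dict, List

# Baseline: blocks each domain is expected to resolve into (constructed).
EXPECTED_BLOCKS: Dict[str, List[str]] = {
    "google.ro": ["192.0.2.0/24"],
    "yahoo.ro": ["198.51.100.0/24"],
    "paypal.ro": ["203.0.113.0/25"],
}

# Constructed snapshot of answers from four resolvers, embedded so the example
# runs offline. yahoo.ro shows the pattern from the article: every resolver
# agrees, but on an address outside the expected block. google.ro shows one
# resolver still serving the old, correct record from its cache.
OBSERVED: Dict[str, Dict[str, str]] = {
    "google.ro": {"res-a": "203.0.113.250", "res-b": "203.0.113.250",
                  "res-c": "203.0.113.250", "res-d": "192.0.2.10"},
    "yahoo.ro": {"res-a": "203.0.113.250", "res-b": "203.0.113.250",
                 "res-c": "203.0.113.250", "res-d": "203.0.113.250"},
    "paypal.ro": {"res-a": "203.0.113.7", "res-b": "203.0.113.7",
                  "res-c": "203.0.113.7", "res-d": "203.0.113.7"},
}


def classify(domain: str, answers: Dict[str, str],
             baseline: Dict[str, List[str]]) -> dict:
    """Verdict for one domain: "ok" (all answers inside the baseline),
    "partial" (some resolvers differ: a change still propagating, or stale
    but correct caches surviving), or "hijacked" (every resolver answers
    outside the baseline, as an altered authoritative record looks once
    TTLs have expired). Also lists the resolvers that answered outside."""
    nets = [ipaddress.ip_network(b) for b in baseline.get(domain, [])]
    if not nets:  # a domain with no baseline cannot be judged
        return {"domain": domain, "verdict": "no-baseline", "bad_resolvers": []}
    bad = {r for r, ip in answers.items()
           if not any(ipaddress.ip_address(ip) in n for n in nets)}
    if not bad:
        verdict = "ok"
    elif len(bad) == len(answers):
        verdict = "hijacked"
    else:
        verdict = "partial"
    return {"domain": domain, "verdict": verdict, "bad_resolvers": sorted(bad)}


if __name__ == "__main__":
    for domain, answers in OBSERVED.items():
        print(classify(domain, answers, EXPECTED_BLOCKS))
```

In a live deployment the OBSERVED snapshot would be replaced by fresh queries to independent resolvers on a schedule, with a "hijacked" or "partial" verdict raising an alert.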
DNS poisoning attacks have been frequently used by attackers. In September, visitors to Al-Jazeera were directed to a page denouncing the news network’s coverage of the ongoing conflict between Syrian rebels and the government. Earlier this year, a group of hacktivists hijacked the DNS records for CBS.com and made it seem as if the contents of the site had been wiped.
“All this could have been much worse if the attacker had other goals in his mind than just becoming famous by defacing famous websites. Imagine how many accounts could have been compromised this morning if these websites were redirected to a phishing page, instead of a defacement page,” Tanase said.
These attacks follow other similar attacks that occurred over the weekend when attackers were able to compromise systems at Pakistani Domain Registrar PKNIC and poison the DNS records for Pakistani URLs maintained by Sony, Microsoft, Yahoo, PayPal, Fanta, Coke, Apple, HP, and Google.