
Attackers Compromise Romanian Domains For Google, Yahoo in DNS Attack

Early Wednesday, unknown adversaries diverted traffic intended for the Romanian sites of Google and Yahoo to a defaced Web page.


As it turned out, the sites themselves had not been hacked. The attacker had managed to gain access to DNS servers and altered the DNS entries for domains including google.ro, yahoo.ro, microsoft.ro, paypal.ro, kaspersky.ro, windows.ro, and hotmail.ro to point to a different page in a DNS poisoning attack, Stefan Tanase, senior security researcher at Kaspersky Lab, wrote on the company’s SecureList blog. Instead of going to the correct sites, Tanase determined that both google.ro and yahoo.ro domains were resolving to a Dutch IP address.

Domain Name System servers act as a directory for the Web, translating domain names into the actual IP addresses of the servers so that users don’t have to remember numeric codes. By changing the DNS entry, the attacker ensures that even though users are typing the correct domain name, they are diverted to a malicious site instead.

While it’s not known at this time how the attacker got access to the DNS entry, the cause is usually a weak or compromised password, or some kind of a vulnerability on the registrar’s website.

After scanning the .ro domains, researchers were able to determine that the only DNS entries that had been hijacked were Google’s public DNS servers, 8.8.8.8 and 8.8.4.4. It appears the problem with google.ro domain was fixed around 8am Eastern time (13:00 GMT), according to the SecureList post.
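The resolver discrepancy described above (one resolver returning a hijacked address while others still return the correct one) is exactly what a domain owner can monitor for. The following is an added example, not code from SecurityWeek or Kaspersky: it takes answers collected from several resolvers for a monitored name, flags any address outside the owner's expected prefixes, and separately flags resolvers that disagree with the majority. All domain names, resolver labels and addresses below are constructed sample data.

```python
"""Spot hijacked DNS answers by comparing what several resolvers return for a
monitored domain against the owner's expected address set (constructed data)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: the prefixes a domain owner legitimately serves from.
EXPECTED = {
    "example-site.ro": ["203.0.113.0/24", "198.51.100.0/24"],
}

# Constructed: A-record answers gathered from three resolvers for the same name.
OBSERVED = {
    "example-site.ro": {
        "resolver-a": ["203.0.113.10"],
        "resolver-b": ["203.0.113.10"],
        "resolver-c": ["192.0.2.77"],  # differs from the other two
    },
}


def hijack_findings(expected, observed):
    """Return (name, resolver, address) for every answer outside the allow-list."""
    findings = []
    for name, per_resolver in observed.items():
        allowed = [ip_network(prefix) for prefix in expected.get(name, [])]
        for resolver, addrs in per_resolver.items():
            for addr in addrs:
                ip = ip_address(addr)
                if not any(ip in net for net in allowed):
                    findings.append((name, resolver, addr))
    return findings


def divergent_resolvers(observed):
    """Per name, list resolvers whose answer set disagrees with the majority.
    Useful even without an allow-list: a single resolver serving a different
    address than its peers is a strong sign of a poisoned or hijacked entry."""
    result = {}
    for name, per_resolver in observed.items():
        votes = defaultdict(list)  # answer set -> resolvers that returned it
        for resolver, addrs in per_resolver.items():
            votes[frozenset(addrs)].append(resolver)
        majority = max(votes.values(), key=len)
        result[name] = sorted(
            r for group in votes.values() if group is not majority for r in group
        )
    return result


if __name__ == "__main__":
    print(hijack_findings(EXPECTED, OBSERVED))
    print(divergent_resolvers(OBSERVED))
```

In production the OBSERVED dictionary would be filled by querying each resolver on a schedule; an alert on either function's output gives early warning before users are diverted for long.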

DNS poisoning attacks have been frequently used by attackers. In September, visitors to Al-Jazeera were directed to a page denouncing the news network’s coverage of the ongoing conflict between Syrian rebels and the government. Earlier this year, a group of hacktivists hijacked the DNS records for CBS.com and made it seem as if the contents of the site had been wiped.

“All this could have been much worse if the attacker had other goals in his mind than just becoming famous by defacing famous websites. Imagine how many accounts could have been compromised this morning if these websites were redirected to a phishing page, instead of a defacement page,” Tanase said.

These attacks follow other similar attacks that occurred over the weekend when attackers were able to compromise systems at Pakistani Domain Registrar PKNIC and poison the DNS records for Pakistani URLs maintained by Sony, Microsoft, Yahoo, PayPal, Fanta, Coke, Apple, HP, and Google.
