
Google.ro and other RO domains, victims of a possible DNS hijacking attack

Stefan Tanase
Kaspersky Lab Expert
Posted November 28, 09:18 GMT
Tags: Website Hacks, Google, DNS

Earlier today, Softpedia reported that an Algerian hacker using the nickname MCA-CRB has managed to deface the Romanian sites of Google (google.ro) and Yahoo! (yahoo.ro).

Screenshot of the defaced Google.ro domain

When we found out about this incident we were pretty skeptical that these websites had actually been hacked. A website as large as Google can be hacked, in theory, but it's highly unlikely. We then noticed that both domains resolve to an IP address located in the Netherlands: 95.128.3.172 (server1.joomlapartner.nl), so it looks more like a DNS poisoning attack.

The question which remains unanswered so far is where exactly the DNS spoofing/poisoning attack has happened. There are several possible scenarios here:

  • RoTLD (the Romanian Top Level Domain Registrar) was hacked, allowing the attacker access to the DNS settings of all .ro domains. Not all .ro domains were affected, so this scenario is highly unlikely to have happened.
  • Google's and Yahoo's RoTLD accounts were compromised, allowing the attacker to simply change their DNS settings. This scenario is also unlikely, as we've discovered that it's not just the Google and Yahoo websites that are affected, but also Paypal, Microsoft and others.
  • At the moment, our best guess is that an ISP-level DNS poisoning attack is happening in Romania. Some domains are redirected, others are not.

All this could have been much worse if the attacker had goals other than becoming famous by defacing well-known websites. Imagine how many accounts could have been compromised this morning if these websites had been redirected to a phishing page instead of a defacement page.

At the moment, we are performing a wide zone scan for all .RO domains to determine the extent of this attack.

We will update the blogpost with new information as it becomes available.

UPDATE We have tested various DNS servers for the poisoning attack, and for the moment, the only ones which reply with the hijacked entry are 8.8.8.8 and 8.8.4.4 (Google's public DNS servers). We couldn't identify any other Romanian DNS server which exhibits this behavior.

UPDATE 2 You can test the DNS poisoning attack yourself using dig: dig @8.8.8.8 google.ro or dig @8.8.4.4 google.ro
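The check the updates describe, querying the same name on several resolvers and seeing which ones hand back the attacker's address, is easy to script. The following is an added example, not code from the original post: it parses `dig +short`-style output per resolver, groups resolvers by the answer they give, and flags any resolver returning the 95.128.3.172 address named above. The resolver 10.0.0.53 and the non-poisoned addresses are constructed placeholders so the script runs offline.

```python
"""Compare DNS answers across resolvers to spot a hijacked record.

The raw answers below are constructed in the shape `dig @resolver name +short`
prints them, so this runs offline; replace them with real dig output to use it.
"""
from collections import defaultdict

# Address the defaced .ro domains resolved to, as reported in the post.
HIJACK_IP = "95.128.3.172"

# Constructed sample: (resolver, domain) -> `dig +short` output.
# 10.0.0.53 and the 198.51.100.x / 203.0.113.x answers are assumed placeholders.
SAMPLE_ANSWERS = {
    ("8.8.8.8", "google.ro"): "95.128.3.172\n",
    ("8.8.4.4", "google.ro"): "95.128.3.172\n",
    ("10.0.0.53", "google.ro"): "198.51.100.10\n198.51.100.11\n",
    ("8.8.8.8", "paypal.ro"): "95.128.3.172\n",
    ("10.0.0.53", "paypal.ro"): "203.0.113.7\n",
}


def parse_short(output):
    """Return the set of IPv4 A records in `dig +short` output (CNAME lines skipped)."""
    return {line.strip() for line in output.splitlines()
            if line.strip() and line.strip()[0].isdigit()}


def find_divergent(answers):
    """Group resolvers by answer per domain; keep only domains where they disagree.

    Returns {domain: {frozenset(ips): [resolvers]}}.
    """
    by_domain = defaultdict(lambda: defaultdict(list))
    for (resolver, domain), output in answers.items():
        by_domain[domain][frozenset(parse_short(output))].append(resolver)
    return {d: dict(groups) for d, groups in by_domain.items() if len(groups) > 1}


def poisoned_resolvers(answers, bad_ip=HIJACK_IP):
    """Resolvers that return the known hijack address, per domain (sorted)."""
    hits = defaultdict(list)
    for (resolver, domain), output in answers.items():
        if bad_ip in parse_short(output):
            hits[domain].append(resolver)
    return {d: sorted(r) for d, r in hits.items()}


if __name__ == "__main__":
    for domain, groups in find_divergent(SAMPLE_ANSWERS).items():
        print(domain)
        for ips, resolvers in groups.items():
            print("  ", sorted(ips), "<-", resolvers)
    print("resolvers serving the hijack IP:", poisoned_resolvers(SAMPLE_ANSWERS))
```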

UPDATE 3 According to our monitoring, the Google DNS server(s) at 8.8.8.8 are no longer serving poisoned answers. The other Google DNS server(s) at 8.8.4.4 appear to still redirect users to the attacker's IP address. We are assuming that Google might be fixing the hijacked records as we are writing this.

UPDATE 4 It appears the problem with the Google.ro domain has been fixed around 13:00 GMT +2 (Romanian time) on both DNS servers (8.8.8.8 and 8.8.4.4). Other domains such as Paypal.ro are still not fixed.

UPDATE 5 After analyzing the latest evidence, it seems the most probable scenario for today’s DNS hijacking/poisoning incident is a compromise at RoTLD - The Romanian Top Level Domain Registry. Earlier this month, a similar incident took place at the Irish Domain Registry - IEDR. You can see IEDR’s statement here. RoTLD has not come out with a statement yet.
The full list of .RO domains affected by today's incident:

  • google.ro
  • yahoo.ro
  • microsoft.ro
  • paypal.ro
  • kaspersky.ro
  • windows.ro
  • hotmail.ro

We will continue to monitor the situation.


8 comments

John Smith

2013 Jan 07, 16:58

Dedicated Server

Thanks for sharing this post.
For more information about hosting please visit http://www.go4hosting.com/dedicated-servers.htm


Catalin

2012 Nov 28, 19:14

Stubborn malware found in my pc

Only Outpost Firewall Pro with antivirus has found those trojans, and I put them in quarantine or delete them, but it seems I get DDoS attacks and multiple port scans from all over the world. It's like this firewall is a magnet for malware; all malware is trying to get inside my PC. I am on a broadband connection, and the RDS internet provider doesn't seem so secure on its servers if I get those DDoS attacks.... I hope you can reply ASAP; I need to keep my PC clean no matter what!!! :)


Costin Raiu

2012 Nov 28, 19:21

Re: Stubborn malware found in my pc

Dear Catalin, thanks for your query. Kindly use the form below to contact the Support team:

http://kaspersky.ro/contact


MohamedAyad

2012 Nov 28, 18:30

SSL

Would using SSL (https://www.google.ro/) be enough to stay on the safe side? ;)


adigigi

2012 Nov 28, 17:10

cookies

Most browsers and/or users have cookies for automatically logging in to Google+. My question is: didn't the hacker's server also receive that cookie information from all those users? Can this information be used to log in to Google+?


Costin Raiu

2012 Nov 28, 19:44

Re: cookies

AFAIK, login cookies for Google are stored on a different domain (accounts.google.com), so this DNS attack would actually not leak the cookies.


camscape

2012 Nov 28, 14:00

UPDATE - Romanian Servers

Unfortunately, there ARE Romanian ISPs that are affected. At the moment, Vodafone and GTS Telecom. You can easily test all of them here: http://ceipam.eu/en/dnslookup.php (check all the ISPs you are looking for).


Costin Raiu

2012 Nov 28, 14:30

Re: UPDATE - Romanian Servers

Thanks for the link!

We presume that the ISPs (Euroweb, GTS, etc.) you've listed rely on Google's DNS servers, hence they propagate the poisoning.
