If you tried to visit today the sites for UPS.com, theregister.co.uk, Vodafone, The Daily Telegraph and some other high profile sites, you would have received a scary message saying that they’ve been hacked (by turkguvenligi):
And they were indeed hacked, but not in the way most people think. Their servers were not compromised, in fact it had nothing to do with their sites. Ascio.com, a domain registrar (used by all of them) was hacked, which lead to the DNS servers of those sites to be modified to:
ups.com name server ns3.yumurtakabugu.com.
ups.com name server ns2.yumurtakabugu.com.
ups.com name server ns1.yumurtakabugu.com.
ups.com name server ns4.yumurtakabugu.com.theregister.co.uk name server ns1.yumurtakabugu.com.
theregister.co.uk name server ns3.yumurtakabugu.com.
theregister.co.uk name server ns2.yumurtakabugu.com.
theregister.co.uk name server ns4.yumurtakabugu.com.
Having control of their DNS, the attackers redirected their web pages to 68.68.20.116 where it had that “hacked” message. And as you can see in their whois information, the records were modified today (at around 1am):
Registrar:
Ascio Technologies Inc t/a Ascio Technologies inc [Tag = ASCIO]
URL: http://www.ascio.comRecord created: 2010-10-04 17:54:28
Record last updated: 2011-09-04 22:24:04
Record expires: 2019-05-17 01:00:00
You know what is scarier? Is that with full DNS control, they would be able to redirect and read any email sent to them, mess with their internal communications, and even steal passwords if SSL/encryption is not used. However, it seems the attackers didn’t do any of the above, since the MX and other records seemed in tact.
You know what is interesting? If they were using our web integrity monitoring, they would have received the alert much sooner that the Whois was modified and later that NS and other IP addresses were changed. Early detection is the key in most cases.
Leave a reply
