
Romanian Google, Yahoo Users Redirected to Defacement Page

Bogdan BOTEZATU

November 28, 2012


Earlier today, visitors to web pages associated with Google and Yahoo search were redirected to a defacement page instead.

Preliminary investigation reveals that neither Google’s nor Yahoo’s servers have been hacked or otherwise compromised. Instead, the attackers have somehow changed the authoritative DNS records for the affected domains (which are maintained by registrar RoTLD) to point the domain names to a web server in the Netherlands that also probably got hacked.

This appears to be the same MO as that of the hackers who poisoned the Pakistani registrar’s database a couple of days ago. However, while the motivation in Pakistan was strictly political, based on the message left on the defaced page, the attackers did not provide any clue about why they attacked the Romanian services. The troubled state of society in the Middle East has given birth to a number of responses from digital activist groups that end up attacking popular websites and exposing innocent users as collateral damage.

If you visited the affected websites while they were compromised, you are strongly advised to flush your DNS cache by typing ‘ipconfig /flushdns’ in Windows, ‘rndc flushname google.ro’ in Linux or Unix and ‘dscacheutil -flushcache’ in Mac OS X.

Update:

It appears that The Algerian Hacker Group, an organization made up of almost 200 different teams of hackers, is also targeting the DNS systems of other national TLDs, as the Romanian hack is the fourth incident after Ireland, Pakistan and Israel, all of which took place in just one month.

Today’s attack managed to poison the DNS cache servers of all internet service providers, including Google DNS (8.8.8.8 and 8.8.4.4), as these ISPs cache the DNS resolution sent by RoTLD to speed up the resolution process when other similar requests are made.

Some ISPs have already flushed their caches; others are still serving rogue resolutions. We are continuously scanning the DNS zones for the Romanian internet and contacting ISPs individually to mitigate the crisis in the shortest time.

2nd update: RoTLD confirms breach.
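
The caching behaviour described in the update above, as an added example that is not part of the original article: a toy model (no real DNS traffic) of why a resolver that cached the rogue answer keeps serving it after the registry record is corrected, until the name is flushed or the TTL expires. The addresses, the one-hour TTL, the timestamps and the class names are constructed assumptions.

```python
# Added illustration: toy caching resolvers, no network access, not real DNS.
# Addresses (RFC 5737 documentation ranges), TTL and timestamps are constructed.
GOOD = "192.0.2.10"      # stands in for the legitimate address
ROGUE = "203.0.113.66"   # stands in for the defacement server

class Authoritative:
    """Stands in for the registry-held record of a single name."""
    def __init__(self, address, ttl):
        self.address, self.ttl = address, ttl

    def query(self):
        return self.address, self.ttl


class CachingResolver:
    """Stands in for an ISP or public resolver that caches answers by TTL."""
    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}  # name -> (address, expires_at)

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0]                      # still valid: served from cache
        address, ttl = self.upstream.query()   # miss or expired: ask upstream
        self.cache[name] = (address, now + ttl)
        return address

    def flushname(self, name):
        """Models a per-name flush such as 'rndc flushname <name>'."""
        self.cache.pop(name, None)


def simulate():
    """Answers from two resolvers at three points of the incident."""
    auth = Authoritative(GOOD, ttl=3600)       # assumed one-hour TTL
    isp_a, isp_b = CachingResolver(auth), CachingResolver(auth)
    steps = {}
    auth.address = ROGUE                       # record tampered with at t=0
    steps["during"] = (isp_a.resolve("google.ro", 10), isp_b.resolve("google.ro", 20))
    auth.address = GOOD                        # registry restores the record
    isp_a.flushname("google.ro")               # only resolver A flushes
    steps["after_fix"] = (isp_a.resolve("google.ro", 700), isp_b.resolve("google.ro", 700))
    steps["after_ttl"] = (isp_a.resolve("google.ro", 4000), isp_b.resolve("google.ro", 4000))
    return steps


if __name__ == "__main__":
    print(simulate())
```

Resolver B, which did not flush, keeps returning the rogue address after the fix and recovers only once its cached entry expires.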
