DNS hack hits popular websites: Daily Telegraph, The Register, UPS, etc


Popular websites including The Register, The Daily Telegraph, UPS, and others have fallen victim to a DNS hack that has resulted in visitors being redirected to third-party webpages.

Web security tester Paul Mutton managed to capture a screenshot of what visitors to The Register saw:

Message seen by visitors to www.theregister.co.uk. Image credit @paulmutton

Part of the message reads:

TurkGuvengligi

"Gel Babana"

HACKED

"h4ck1n9 is not a cr1m3"

"4 Sept. We TurkGuvenligi declare this day as World Hackers Day - Have fun ;) h4ck y0u"

The phrase "Gel Babana" is Turkish for "Come to Papa", and "Guvenligi" is Turkish for "Security".

Further websites which have been affected by the DNS hack include National Geographic, BetFair, Vodafone and Acer.

It's important to note that the websites themselves have *not* been hacked, although to web visitors there is little difference in what they experience - a webpage under the control of hackers.

Instead of breaching the website itself, the hackers have managed to change the DNS records for the various sites affected.

DNS records work like a telephone book, converting human-readable website names like nakedsecurity.sophos.com into the numeric IP addresses that computers on the internet use. What seems to have happened is that someone changed that lookup, so when you entered telegraph.co.uk or theregister.co.uk into your browser you were taken to a website that was not under those sites' control.

Because of the way that DNS works, it may take some time for corrected DNS entries for the affected websites to propagate worldwide - meaning there could be problems for some hours ahead. If you're in the habit of visiting and logging into the affected sites, you might be wise to clear your cookies so the hackers aren't able to steal any information from you.
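To make the propagation point concrete, here is a small model (added here, not code from the original post) of a TTL-honouring resolver sitting between users and the authoritative zone. The domain, IP addresses and TTL are constructed: the record is changed by an attacker, then restored, and the resolver keeps serving the stale answer until its cached copy expires.

```python
from dataclasses import dataclass


@dataclass
class Record:
    name: str
    value: str   # IP address the name points to
    ttl: int     # seconds a resolver may keep this answer cached


class AuthoritativeZone:
    """Stand-in for the zone as published by the site's DNS host/registrar."""
    def __init__(self):
        self.records = {}

    def publish(self, rec):
        # Whoever controls the registrar/DNS-host account can overwrite this.
        self.records[rec.name] = rec

    def query(self, name):
        return self.records[name]


class CachingResolver:
    """An ISP-style resolver: serves a cached answer until its TTL expires."""
    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}   # name -> (record, expiry_time)

    def resolve(self, name, now):
        cached = self.cache.get(name)
        if cached and now < cached[1]:
            return cached[0].value, "cache"
        rec = self.upstream.query(name)
        self.cache[name] = (rec, now + rec.ttl)
        return rec.value, "authoritative"


def simulate():
    """Timeline of one resolver during a hijack and its correction."""
    zone = AuthoritativeZone()
    resolver = CachingResolver(zone)
    legit, rogue = "198.51.100.10", "203.0.113.5"   # constructed documentation IPs
    # t=0: the attacker rewrites the record at the DNS host, TTL one hour.
    zone.publish(Record("www.example.com", rogue, 3600))
    seen = []
    for t in (100, 700, 3700):
        if t == 700:
            # Fix published between the first and second lookup; the
            # resolver still has the rogue answer cached until t=3700.
            zone.publish(Record("www.example.com", legit, 3600))
        seen.append((t, *resolver.resolve("www.example.com", t)))
    return seen
```

Lowering the TTL in advance does nothing for answers already cached; resolvers that fetched the rogue record keep it for the TTL it carried.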

In many ways we have to be grateful that the message displayed appears to be graffiti, rather than an attempt to phish information from users or install malware.

The question now is how did the hackers manage to change the DNS records for these sites?

Here's a statement The Register published about the incident:

Statement from The Register

Image credit: @paulmutton.

Update: The Register has tweeted that its DNS records have been returned to normal.

As noted above, however, it may take some hours before the fix propagates around the net.


31 Responses to DNS hack hits popular websites: Daily Telegraph, The Register, UPS, etc

  1. KillianG · 962 days ago

    Hacking IS a crime. There's a stark difference between open-source development and the digital equivalents of breaking and entering and vandalism.

    • Sir · 809 days ago

      Writing code to hijack someone else's computer and take control of it for malicious usage is a crime, it's a crime that involves hacking, but hacking itself isn't a crime.

      Hackers have long modified devices/software without the need to reverse engineer, hacking by definition is not a crime.

  2. Edward Dore · 962 days ago

    Acer and Betfair also got hit - the common thing between all those affected is that they are registered via NetNames!

  3. Hermes · 962 days ago

    I wonder if this happening might result in The Register (in particular) toning down their taunting of other sites when this kind of thing happens?

    H http://www.thehermesproject.com

    • Boldman · 961 days ago

      Well since it wasn't their fault but that of their DNS host, they can still be critical if it was a website that got hacked. There are different points of attack, some that compromise a site but others such as this that redirect you to a totally different site. All The Register can do about that sort of attack is move domain registrars if NetNames can't provide proper security.

      • Hermes · 957 days ago

        I didn't insinuate that it was their fault, the point being that they taunt others and it shows it can happen to anyone.

        H

  4. Bob · 962 days ago

    I am not sure that it is as simple as it sounds. I discovered it when customers complained they could not check out of our online store. I was able to force an error that told me that the online UPS real-time rate calculator was creating an error. When I turned off the rate module in the admin of the store I was back operational...but without UPS as a shipper.

  5. Sports · 962 days ago

    Of course... Right when I need to install drivers for my Acer Aspire.... Idiots.

  6. Ian · 962 days ago

    Does not seem too hard to work out, Sophos gurus:

    >nslookup http://www.telegraph.co.uk
    Non-authoritative answer:
    Server: dns.tb.iss.as9143.net
    Address: 212.54.40.25

    >nslookup http://www.theregister.co.uk
    Non-authoritative answer:
    Server: dns.tb.iss.as9143.net
    Address: 212.54.40.25

    >nslookup http://www.ups.co.uk
    Non-authoritative answer:
    Server: dns.tb.iss.as9143.net

  7. TSM · 962 days ago

    3:44pm PST and The Register is still down in the U.S.

  8. dd~ · 962 days ago

    Dammit, I need new headphones! lol

  9. Ian · 962 days ago

    The Register is also not working for me but maybe a coincidence?

  10. Could DNSSEC help prevent this or?

    • Alex · 961 days ago

      Not in this case, as if the registrar gets hacked then at the same time as changing the NS records they could just replace/remove the DNSSEC data...

  11. Mike · 962 days ago

    I'm surprised the attack was DNS based... When you look at lolerz group they actually exploit private information, would you really consider this a "hack" or something else? Either way, I must admit it is clever, so many more things are becoming exploited over the times, I had some attacks before on a few domains, the one lesson I always learned was to just back up everything, but the DNS change would be out of my hands! I'd be pissed!

  12. The ferret · 961 days ago

    I'd be very, very angry at a continued silence from a provider at a time like this. Time for a move? IT seems to be full of companies that become silent or unhelpful during outages, slowdowns or other issues; as a customer group we need to be more proactive in signifying our annoyance at this sort of treatment from a company I was paying for a service.

  13. Still using IE8 eh? Why not upgrade to IE9...

    And The Register is still down for the UK as of 9:59 AM BST.

    • Karen Palen · 961 days ago

      Nothing to do with your browser!

      Even the (much superior) Firefox was affected!

      • What I mean is that Sophos, the advocate of computer security, has not switched to the latest (much superior) version of Internet Explorer 9.

        IE9 offers better security [and features like HTML5] than IE8.

        • Errm. Are you referring to the screenshot?

          The screenshot wasn't taken on a Sophos computer. It wasn't even taken by a Sophos employee.

          • What browsers is Sophos using then? Firefox, Opera, or some discrete little known browser?

            • We use a variety of browsers, and different versions. I'm assuming your comments were based on the screenshot - which wasn't sourced from Sophos, but a chap called Paul Mutton on Twitter.

  14. I love the quote on the NetNames site... "NetNames protects the online presence of thousands of companies across the globe"

    They did not do a very good job at protecting. LOL

  15. The Ferret · 961 days ago

    The Reg has been fine for me since 8 am... That's where I first picked up on the story!
    UK connecting via Enta.net.

  16. Listen to me · 961 days ago

    We all know everything is hackable, it's just how much time you have on your hands to do it. To be honest, if the host (netbenefit) had the sites back up in 3 hours I think that's very good.

  17. Jamie · 961 days ago

    As of 14:07 BST, sitting in my office in Newbury, I can't get onto El Reg =(

    I WANT IT BACK. :'(

    • OK I'm glad I'm not the only one. 5:31 PM BST and The Register is still AFK. Using Norton DNS.

  18. JustMe · 961 days ago

    As of 11:50am E.S.T. in the US/Canada, still no-go for getting through to The Register.

  19. Mister Tee · 961 days ago

    "our service provider is not returning our calls or emails"...
    Sounds like they need to get a better service provider.

  20. Nothing is impossible, especially if sloppy programming caused the vulnerability which enabled an SQL injection attack. If we look at the bigger picture, this type of hacking tool is just another form of malware. We offer that Ether2 will enable a path to ensemble computing, where according to Intel research, we will have a higher sensitivity to malware, stronger neighborhood trust models leading to self configuration, and the ability for servers to collaborate in order to defend the network. Secondarily, if it was a DoS attack designed to take the server down by overflowing the buffer, then the fact that nodes can share compute power (basically giving any LAN supercomputing cluster capabilities) would allow load balancing between servers at the edge of the network so the attack couldn’t take hold, and the offending IP addresses could be red flagged, ports blocked, etc. The question about how they got in must be answered. If they sneaked by the session border controller in an encrypted media packet for say a VoIP of video flow, we’ll be running a proprietary watermarking technique to render the executable code inoperable. Then there is the issue of deep packet inspection getting overloaded at the gateway, and Ether2 is 100% distributed so the DPI load would also be running in distributed network chips, as opposed to gateway flooding. In short, we take a more global view on the security issues in networks, and when the network architecture resembles cable TV, it will be a paradigm shift for security.


About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.