Sites of UPS, Acer, others redirected in DNS attack
U.K. registrar NetNames confirms an attack that reportedly affected Vodafone, UPS, and Acer, redirecting Web pages to one translated as saying "h4ck1n9 is not a cr1m3."
A U.K. domain name registrar confirmed today that an attack on its system redirected traffic for some of its customers' sites to a Web page controlled by hackers.
Fewer than a dozen domain names registered by NetNames were affected by the attack, which occurred on Sunday, according to Stuart Fuller, a spokesman for NetNames parent Group NBT. He declined to name the sites that were redirected.
A list on Zone-H, which retains copies of Web defacements, shows seven sites registered by NetNames or affiliate Ascio that were affected by the Domain Name System (DNS) redirect attack on Sunday, including UPS, Vodafone, Acer, National Geographic, and The Telegraph.
UPS spokeswoman Lynnette McIntire confirmed to CNET that the site was inaccessible for a period of time this weekend and said accessibility was still being resolved for some customers late Tuesday afternoon. The site itself was not hacked, and no customer data was compromised, she added.
John Caldwell, president of National Geographic Digital Media, sent this statement to CNET: "On Sunday evening, Eastern Time, we discovered that visitors to NationalGeographic.com were being re-directed to an outside website. We worked with officials to resolve the issue and the re-direct was quickly fixed. Our registrar, NetNames, has put some additional security measures in place. There was little disruption. Most evidence of it was gone by Monday morning. By Tuesday morning there was no lingering evidence of the re-direct."
And a Vodafone representative provided this statement to CNET: "We're aware that DNS entries were recently altered for a short period of time for a large number of major corporate and media organization Web sites--including Vodafone.com--causing some Web users to be redirected. We're investigating the matter. Vodafone.com does not contain any customer information and its content is not affected. Vodafone.co.uk, the site for our UK customers was not affected. Customer information is secure."
The Register confirmed that service to its site was restored after about three hours, according to Computerworld, which first reported on the attack. Representatives of the other companies did not immediately respond to e-mails or phone calls seeking comment today.
The Group NBT statement reads:
The systems of Ascio, which acts as domain name registrar for Group NBT, were unaffected by the incident, the statement said.
"At approximately 2100BST on Sunday 4 September 2011 a very small number of customer domains were redirected to an unauthorised domain name server (DNS server). This was done by placing unauthorised re-delegation orders through to the registries via our provisioning system. These orders updated the address of the master DNS servers responsible for serving data for these domains. The rogue name server then served incorrect DNS data to redirect legitimate web traffic intended for customer web sites through to a hacker holding page branded TurkGuvenligi. The unauthorised orders were added by using a SQL injection attack to gain access to a number of our customer accounts.
The illegal changes were reversed quickly to bring service back to the customers impacted, and the accounts concerned have been disabled to block any further access to the systems. NetNames considers the security of its systems and the data within to be of paramount importance. While no-one can completely defend against such sustained and concentrated malicious attacks, we will continue to review our systems to ensure that we provide our customers a solid, robust, and above all secure service."
The page to which the affected sites directed said "TurkGuvenligi" and "Gel Babana," which translates respectively to "come to papa," and "h4ck1n9 is not a cr1m3."
Updated at 9:36 a.m. PT on September 7 with Vodafone and National Geographic comments.