Attackers hijack the .ro domains of Google, Microsoft, Yahoo, others

The DNS records for the affected domain names were modified, suggesting a possible security breach at the .ro registry

The Romanian domain names of Google, Yahoo, Microsoft, Kaspersky Lab and other companies were hijacked on Wednesday and redirected to a hacked server in the Netherlands.

The hijacking occurred at the DNS (Domain Name System) level, with attackers modifying the DNS records for google.ro, yahoo.ro, microsoft.ro, hotmail.ro, windows.ro, kaspersky.ro and paypal.ro, according to Costin Raiu, director of the global research and analysis team at security vendor Kaspersky Lab.

This led to the websites displaying an attacker-supplied page instead of their regular content -- an attack commonly known as a website defacement. The rogue page displayed in this case attributed the attack to an Algerian hacker using the alias MCA-CRB. The hacker also posted screenshots of the defaced websites on Zone-H.org, a Web defacement archive.

The hacker pointed the domains to a server in the Netherlands -- server1.joomlapartner.nl -- that also appears to have been hacked, said Bogdan Botezatu, a senior e-threat analyst at Romanian antivirus vendor Bitdefender.

Botezatu believes that the DNS records were modified as a result of a security breach at the RoTLD domain registry, which manages the authoritative DNS servers for the entire .ro domain space.

The Romanian National Institute of Informatics Research and Development, the organization that runs the RoTLD registry, did not respond to a request for comment.

A compromise of either the RoTLD Web system that .ro domain name owners use to administer their domains, or of the registry's DNS servers, is one of the possibilities, Raiu said.

Kaspersky Lab's RoTLD account that was used to administer kaspersky.ro -- one of the affected domain names -- did not display any alerts or other obvious signs of compromise, Raiu said. However, this does not exclude the possibility of hackers gaining access to the account of a RoTLD administrator directly, he said.

Kaspersky is in the process of filing an official complaint with RoTLD, Raiu said.

Another scenario involves attackers launching a so-called DNS poisoning attack that resulted in rogue DNS records being inserted into Google's public DNS resolver servers -- 8.8.8.8 and 8.8.4.4 -- Kaspersky researchers said Wednesday in a blog post.

Not all Romanian users were affected by the attack. In fact, the DNS resolver servers of many Romanian ISPs did not report the poisoned records, Raiu said.

However, this might be caused by differences in caching times. Google's public DNS servers might be configured to refresh DNS records by querying authoritative DNS servers, like those operated by RoTLD, sooner than the DNS resolvers of some ISPs do, so they would pick up a changed record while an ISP resolver was still serving the answer it had cached before the change.
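The caching explanation above can be modelled with a toy resolver cache. This is an added example, not code from the article or from Kaspersky: the addresses, the TTL values and the hijack time are all constructed, and a resolver-side TTL cap is assumed purely to make the two resolvers refresh at different rates.

```python
from dataclasses import dataclass, field

# Constructed sample values (documentation ranges), not data from the incident.
LEGIT_IP = "203.0.113.10"    # address the legitimate record pointed to
ROGUE_IP = "198.51.100.77"   # address the hijacked record pointed to
HIJACK_AT = 3600             # seconds into the timeline when the registry record is changed


def authoritative(qname, now):
    """Answer the (modelled) authoritative .ro servers give at time `now`."""
    return ROGUE_IP if now >= HIJACK_AT else LEGIT_IP


@dataclass
class Resolver:
    name: str
    max_ttl: int  # assumed resolver-side cap on how long an answer stays cached
    cache: dict = field(default_factory=dict)  # qname -> (answer, expires_at)

    def resolve(self, qname, now):
        hit = self.cache.get(qname)
        if hit and now < hit[1]:
            return hit[0]  # still cached: keeps serving the pre-change answer
        answer = authoritative(qname, now)
        self.cache[qname] = (answer, now + self.max_ttl)
        return answer


def compare_resolvers(resolvers, qname, now):
    """Ask every resolver the same question at the same instant."""
    return {r.name: r.resolve(qname, now) for r in resolvers}


def divergent(results, expected):
    """Names of resolvers whose answer differs from the expected address."""
    return sorted(n for n, a in results.items() if a != expected)


def timeline():
    """Replay the hijack against a fast-refreshing and a slow-refreshing resolver."""
    fast = Resolver("public-resolver", max_ttl=300)   # re-queries every 5 minutes
    slow = Resolver("isp-resolver", max_ttl=7200)     # holds answers for 2 hours
    checkpoints = (0, HIJACK_AT + 600, HIJACK_AT + 7200)
    return {t: compare_resolvers([fast, slow], "google.ro", t) for t in checkpoints}


if __name__ == "__main__":
    for t, res in timeline().items():
        print(t, res, "diverging from legit:", divergent(res, LEGIT_IP))
```

Ten minutes after the change the fast resolver already returns the rogue address while the ISP resolver still returns the old one, which is exactly the split observed across Romanian resolvers; the divergence check is what a defender would run across several resolvers to spot such a hijack.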

"Google services in Romania were not hacked," a Google representative said Wednesday via email. "For a short period, some users visiting www.google.ro and a few other web addresses were redirected to a different website. We are in contact with the organization responsible for managing domain names in Romania."

"We are aware that Yahoo.ro was inaccessible to some users in Romania," a Yahoo spokeswoman said via email. "This issue is resolved and we apologize for any inconvenience this may have caused."

Microsoft did not immediately respond to a request for comment.

It's not clear whether the paypal.ro domain name is actually owned by PayPal. PayPal did not immediately respond to a request for comment seeking clarification.

The attack in Romania follows a similar one that occurred last week in Pakistan and affected the .pk domains of Google, Microsoft, Yahoo, PayPal and other companies. The security breach was traced back to PKNIC, the .pk domain registry.

"PKNIC became aware of a vulnerability in one of its systems which caused a total of four user accounts to be breached on Friday evening 23rd November, impacting nine DNS records, out of a total of around fifty thousand," the registry said in a statement published on its website this week. "That led to several website addresses to be redirected to a message page, with a defaced message in Turkish language for a few hours. Almost all of these websites were mirrors of global sites such as google.pk, microsoft.pk, or place-holders for International brand names who do not actually do business in Pakistan such as paypal.pk, etc."

Botezatu believes that the hackers who hijacked the DNS of the Romanian domains Wednesday might be the same ones responsible for the attack in Pakistan last week.

The attacks against country-code top-level domain (ccTLD) registry organizations seem to be increasing. In October, attackers managed to change the NS records of several Irish domain names including Google.ie and Yahoo.ie.

On Nov. 9, the .IE Domain Registry (IEDR) issued a statement saying that the incident was the result of hackers exploiting a vulnerability in the registry's website.

Stories by Lucian Constantin