September 7th, 2011
By Elinor Mills, CNET News
Image caption: The page to which traffic was redirected during the DNS attack.
A U.K. domain name registrar confirmed today that an attack on its system redirected traffic for some of its customers’ sites to a Web page controlled by hackers.
Fewer than a dozen domain names registered by NetNames were affected by the attack, which occurred on Sunday, according to Stuart Fuller, a spokesman for NetNames parent Group NBT. He declined to name the sites that were redirected.
A list on Zone-H, which retains copies of Web defacements, shows seven sites registered by NetNames or affiliate Ascio that were affected by the Domain Name System (DNS) redirect attack on Sunday, including UPS, Vodafone, Acer, National Geographic, and The Telegraph.
UPS spokeswoman Lynnette McIntire confirmed to CNET that the site was inaccessible for a period of time this weekend and said accessibility was still being resolved for some customers late Tuesday afternoon. The site itself was not hacked, and no customer data was compromised, she added.
The Register confirmed that service to its site was restored after about three hours, according to Computerworld, which first reported on the attack. Representatives of the other companies did not immediately respond to e-mails or phone calls seeking comment today.
The Group NBT statement reads:
“At approximately 2100BST on Sunday 4 September 2011 a very small number of customer domains were redirected to an unauthorised domain name server (DNS server). This was done by placing unauthorised re-delegation orders through to the registries via our provisioning system. These orders updated the address of the master DNS servers responsible for serving data for these domains. The rogue name server then served incorrect DNS data to redirect legitimate web traffic intended for customer web sites through to a hacker holding page branded TurkGuvenligi. The unauthorised orders were added by using a SQL injection attack to gain access to a number of our customer accounts.
The illegal changes were reversed quickly to bring service back to the customers impacted, and the accounts concerned have been disabled to block any further access to the systems. NetNames considers the security of its systems and the data within to be of paramount importance. While no-one can completely defend against such sustained and concentrated malicious attacks, we will continue to review our systems to ensure that we provide our customers a solid, robust, and above all secure service.”
The systems of Ascio, which acts as domain name registrar for Group NBT, were unaffected by the incident, the statement said.
The page to which the affected sites were redirected displayed “TurkGuvenligi” and the Turkish phrase “Gel Babana,” which translates to “come to papa,” along with the message “h4ck1n9 is not a cr1m3.”
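The Group NBT statement above describes the mechanism: the attacker did not touch the customers' web servers, but changed the NS delegation held at the registry so that a rogue name server answered for the domains. The check below is an added example, not code from the CNET article or from NetNames/Group NBT, of the kind of delegation-drift monitor a registrant can run on a schedule to catch exactly that: it compares the NS set published by the parent (registry) zone against a known-good baseline, and compares the address the delegated servers actually return for `www` against the expected one. Every domain name, name server and IP address in it is constructed sample data; in practice the two strings fed in would be the output of the `dig` commands shown in the comments.

```python
# Added example: delegation-drift check for a registrant's own domain.
# Not from the article or from NetNames/Group NBT. All names and
# addresses below are constructed sample data.
from __future__ import annotations


def parse_dig_short(output: str) -> set[str]:
    """Normalise `dig +short` output into a set of lowercase values,
    one record per line; host names get a trailing dot so that
    'ns1.example.net' and 'ns1.example.net.' compare equal."""
    records: set[str] = set()
    for line in output.splitlines():
        line = line.strip().lower()
        if not line:
            continue
        if line[-1].isalpha():      # a host name, not an IPv4 address
            line += "."
        records.add(line)
    return records


def delegation_findings(domain: str,
                        expected_ns: set[str],
                        parent_ns_output: str,
                        www_a_output: str,
                        expected_www_a: set[str]) -> list[str]:
    """Return a list of human-readable findings (empty means healthy).

    parent_ns_output: output of querying the parent zone's servers, e.g.
        dig @a.gtld-servers.net <domain> NS +short
      This is the delegation the registry publishes, which is what an
      unauthorised re-delegation order changes. Do not ask a recursive
      resolver for this; it may be caching the old (or the rogue) answer.
    www_a_output: output of asking each currently delegated server, e.g.
        dig @<delegated-ns> www.<domain> A +short
      This shows what visitors are actually being sent to.
    """
    findings: list[str] = []

    observed_ns = parse_dig_short(parent_ns_output)
    added = observed_ns - expected_ns
    removed = expected_ns - observed_ns
    if added or removed:
        findings.append(
            f"{domain}: NS delegation at parent changed; "
            f"added={sorted(added)} removed={sorted(removed)}"
        )

    observed_a = parse_dig_short(www_a_output)
    if observed_a != expected_www_a:
        findings.append(
            f"www.{domain}: delegated servers answer {sorted(observed_a)}, "
            f"expected {sorted(expected_www_a)}"
        )
    return findings


# Constructed baseline for a hypothetical domain (RFC 5737 test addresses).
DOMAIN = "example.com"
BASELINE_NS = {"ns1.example-dns.net.", "ns2.example-dns.net."}
BASELINE_WWW_A = {"203.0.113.10"}

# Constructed `dig +short` outputs for the healthy state.
PARENT_NS_OK = "ns1.example-dns.net.\nns2.example-dns.net.\n"
WWW_A_OK = "203.0.113.10\n"

# Constructed outputs after an unauthorised re-delegation: the registry now
# points at a rogue server, and that server answers www with the address
# of an attacker-controlled holding page.
PARENT_NS_HIJACKED = "ns1.rogue-dns.example.\n"
WWW_A_HIJACKED = "198.51.100.66\n"


def run_checks() -> dict[str, list[str]]:
    """Run the check over both constructed states and return the findings."""
    return {
        "healthy": delegation_findings(DOMAIN, BASELINE_NS, PARENT_NS_OK,
                                       WWW_A_OK, BASELINE_WWW_A),
        "hijacked": delegation_findings(DOMAIN, BASELINE_NS, PARENT_NS_HIJACKED,
                                        WWW_A_HIJACKED, BASELINE_WWW_A),
    }


if __name__ == "__main__":
    for state, findings in run_checks().items():
        print(f"[{state}] {'OK' if not findings else ''}")
        for f in findings:
            print("  ALERT:", f)
```

Two points worth keeping in mind when using a check like this. First, query the parent zone's authoritative servers directly, as the comments say: a recursive resolver's cached answer can lag behind a re-delegation in either direction, which is also why the article notes some UPS customers still saw problems two days after the change was reversed. Second, this is detection after the fact; the preventive control for the attack the page describes is a registry lock on the domain, which makes a re-delegation order from the registrar's provisioning system insufficient on its own.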