The Register® — Biting the hand that feeds IT

Feeds

DNS attack hijacks Twitter

#wtf

By John Leyden, 18th December 2009
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

A DNS hijacking attack left Twitter temporarily affected for about an hour early on Friday.

The initial attack has left many users scratching their heads while spreading the belief that Twitter's servers themselves were commandeered by hackers in the name of the "Iranian Cyber Army".

Not so.

It now seems that Twitter's DNS records were altered. That means surfers trying to reach the website directly via name resolution services were thrown over towards a fake domain, while the site itself and micro-blogging applications that plugged into Twitter's API - such as TweetDeck or mobile phone apps - were unaffected by the attack.

A status message on Twitter's blog explains:

As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.

Rik Ferguson, a security consultant at Trend Micro, explained that this type of DNS hijacking usually involves compromising the systems at the registrar responsible for the DNS records of the victim company before altering the relevant DNS records, in a blog posting here.

"These changes mean that when you or I type a web site address into our browsers, we are directed not to the real web site but to a second site, set up by the hackers, in this case the 'Iranian Cyber Army'," Ferguson writes. "This has the net effect of making it look like, in this example, servers belonging to Twitter were compromised when in reality that was not the case.

"These sorts of attacks are usually limited to hacktivism activities like this one today, but imagine the potential to criminals if they could pull this off against any site requiring log in credentials, such as PayPal, eBay, MSN, Facebook," he added.

Twitter was far from the only web site affected by the compromise. Other less high-profile sites also displayed the content posted by the previously unknown Iranian Cyber Army.

The attack against Twitter and other web sites follows a spate of attacks against registrars over the last month or so, according to defacement archive Zone-h.

Surfers getting hijacked more commonly arises as the result of malware on client PCs, but the latest run of attacks shows that compromised DNS records can also be a problem. "Companies should be monitoring their DNS resolution on several servers to become aware as early as possible when this kind of attack takes place," Ferguson advised. ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (13)
Highly Rated
Jim Morrow
Reply Icon

Re: Why Worry About MSN

>> Change your Twitter account password, and move on with your life.

better still, don't have a twitter account. get a life instead.

1
0
M.

Why Worry About MSN?

In the article, Trend Micro's Rik Ferguson is quoted as saying "...imagine the potential to criminals if they could pull this off against any site requiring log in credentials, such as PayPal, eBay, MSN, Facebook..."

How could Mr. Ferguson miss the most important point - that thousands (or more) of Twitter accounts were opened to compromise by this DNS-based attack?

What's the point of "imagining" whether MSN (or other) sites were affected? We already have proof that one of the most popular social applications' websites *was* open to compromise. Let's focus on that.

Now, let's get to what the article *should* have said - Everyone with a Twitter account, change your account's password. Even if you have a supposedly-"hard-to-guess", or "complex" password -- it doesn't matter. If you logged in to Twitter (or if your web browser held your session open) while the DNS attack was underway, its password was potentially compromised, or its session tokens were potentially stolen.

Change your Twitter account password, and move on with your life.

1
0
Matthew Collier

@Martin Edwards and DNSsec savior AC...

...would this not work? Client side, for "important" sites only (i.e. not Twatter or Facespace), you could check that the IP address that resolves from DNS, is registered with the correct company? (I'm thinking, grep for the "main" part of the domain name, in the response from querying something like ARIN (which is what WHOIS, does, right?))

Presumably, you'd need a Firefox extension to carry out the task (or, build it into a browser directly, if you are a browser vendor (or building an open source browser))?

Just a thought I had back when the orginal "Dan-attack" stuff happened last year...

0
0

More from The Register

breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
124
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
57
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15
Panda-peddlers cuffed for chess gambling gambit
More porridge on the menu for Chinese coders after second offence
13