Google, Yahoo! Romania Hacked by Algerian Cybercriminal (Updated)

The attacker most likely altered the DNS records to redirect visitors to his page

By on November 28th, 2012 07:23 GMT

An Algerian hacker using the online moniker MCA-CRB has managed to deface the Romanian sites of Google (google.ro) and Yahoo! (yahoo.ro).

Most likely, the attacker hasn’t actually breached Yahoo! or Google severs. Instead, he gained access to DNS servers and altered the records to ensure that all visitors of yahoo.ro or google.ro would be redirected to his defacement page.

According to his zone-h.org account, MCA-CRB is responsible for defacing well over 5,000 sites, including ones belonging to governments from all around the world.

This is not the first time when hackers turn to this technique to deface high-profile websites. Last week, the Pakistani sites of Google, Yahoo!, Microsoft, PayPal, eBay, HP and Apple have been defaced in the same way.

At the time, the attackers leveraged a vulnerability in the systems of PKNIC, a Pakistani domain name registrar to alter the DNS records.

Update. Yahoo.ro is working properly, but google.ro is still inaccessible to many users. Those who use the DNS settings provided by their ISPs should have no trouble accessing the site, but internauts who rely on Google's public DNS cannot reach the website.

Update2. Kaspersky experts have also analyzed the incident. They’ve discovered that the attackers hijacked not only google.ro and yahoo.ro, but also other domains such as microsoft.ro and paypal.ro.

The researchers have confirmed out theory about Google’s public DNS servers and they highlight the fact that the attackers hijacked the 8.8.8.8 and 8.8.4.4 entries to redirect users to their own IP address.

Google appears to have fixed the hijacked records at 13:00 GMT+2

Update3. The incident is most likely the result of a data breach that affected RoTDL, the organization responsible for handling .ro top-level domains. Unlike its Pakistani counterpart, RoTDL hasn't issued any statement regarding the incident. 

Update4. Damien Perillat, Managing Director of PayPal in Central Eastern Europe, reveals that despite the fact that the attackers redirected the visitors of paypal.ro to an arbitrary website, PayPal Romania is actually located at paypal.com/ro.

This website hasn't been affected by the attack, Perillat explained.

3 Comments