DNS records compromised

Dec 18, 2009 15:10 GMT  ·  By

Attackers identifying themselves as the "Iranian Cyber Army" succeeded in hijacking Twitter's DNS records late on Thursday. The twitter.com domain and several other subdomains were pointed to a Web page displaying a political message taunting the United States.

The attack happened under the cover of night, at around 10:15 PM on Thursday. For about an hour, users who accessed twitter.com were greeted by a black page with an image of the Iranian flag. "THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY," read the page's header, displayed alongside a Gmail address.

Meanwhile, at the bottom, the hackers left threats for the U.S., "U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To…. NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA? WE PUSH THEM IN EMBARGO LIST :) Take Care."

After things returned to normal, Twitter's co-founder Biz Stone announced on the company's official blog that "Twitter's DNS records were temporarily compromised tonight but have now been fixed." He also noted that the platform's API was unaffected and promised to release more details as the company's investigation into the incident goes forward.

According to a report from a blogger who was online at the time of the attack, Twitter.com's A record pointed to 74.217.128.160, an IP address owned by a web hosting company called Netfirms. Twitter.com currently points to 168.143.162.36, an address in the IP space of NTT America.

DNS hijacking attacks can have serious consequences. "Just imagine what could have occurred if they had pointed people to a phishing site posing as Twitter (designed to steal login names and passwords) rather than a political message," notes Graham Cluley, senior technology consultant at Sophos. However, a scenario where hackers got access to change Twitter's website itself would have been just as bad.

There is no information on how the attack was carried out, and there are several ways in which DNS records can be hijacked. However, the most likely explanation is that login credentials for the domain's administration account at the registrar were stolen.
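Whatever the intrusion path, the defender-side check is the same: notice when a domain's A record starts answering with an address outside the space its owner expects. The following monitor is an added example, not code from the article, from Twitter or from Dyn; it uses the two addresses the article cites, and the CIDR range standing in for NTT America's address space is an assumption.

```python
import ipaddress
import socket
from typing import Iterable

# Addresses reported in the article.
HIJACKED_A = "74.217.128.160"   # Netfirms address the hijacked record pointed to
NORMAL_A = "168.143.162.36"     # NTT America address twitter.com normally resolved to

# Allowlist of address space each monitored domain is expected to resolve into.
# The CIDR is an ASSUMED placeholder for NTT America's block, not taken from the article.
EXPECTED_RANGES = {"twitter.com": ["168.143.0.0/16"]}


def unexpected_answers(domain: str, answers: Iterable[str],
                       expected: dict = EXPECTED_RANGES) -> list:
    """Return the A-record answers for `domain` that fall outside its allowlisted ranges.

    A non-empty result is a candidate DNS hijack (or an unannounced hosting move) and
    should raise an alert so the owner can verify the zone at the DNS provider or
    registrar. A domain with no allowlist entry has every answer flagged.
    """
    nets = [ipaddress.ip_network(cidr) for cidr in expected.get(domain, [])]
    flagged = []
    for answer in answers:
        addr = ipaddress.ip_address(answer)
        # IPv4/IPv6 mismatches simply fail the membership test, so they are flagged too.
        if not any(addr in net for net in nets):
            flagged.append(answer)
    return flagged


def live_answers(domain: str) -> list:
    """Resolve `domain` through the system resolver. A production monitor should
    instead query the zone's authoritative servers directly, from several vantage
    points, so a poisoned or stale cache cannot mask a change."""
    return socket.gethostbyname_ex(domain)[2]


if __name__ == "__main__":
    # Constructed scenario: the resolver returns the Netfirms address seen during the hijack.
    print(unexpected_answers("twitter.com", [HIJACKED_A]))  # -> ['74.217.128.160']
    print(unexpected_answers("twitter.com", [NORMAL_A]))    # -> []
```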

After all, it wouldn't be the first time hackers got their hands on Twitter administrative accounts. Back in January, an 18-year-old hacker obtained unauthorized access to the account of a Twitter staffer called Crystal. He was able to recover the password through a brute-force dictionary attack.

In May, a French hacker calling himself "Hacker Croll" got into the account of a Twitter admin through social engineering. He later used similar tactics to steal confidential Twitter corporate documents.

Update: Our earlier speculation that the attack was carried out using stolen credentials is reinforced by a statement from Tom Daly, CTO at Dyn Inc., Twitter's DNS provider. Mr. Daly told Security Fix that "Someone logged in who purported to be a legitimate user of their platform account and started making changes. It was not a failing on our systems whatsoever."

[Photo gallery, 2 images: "Twitter down after DNS records compromised"; "Twitter defaced by Iranian hackers"]