A Turkish hacker has managed to hijack msn.co.il and hotmail.co.il, two domains belonging to Microsoft, and use them to post a pro-Palestinian message. The name servers and administrative email address for the domains have been changed.
Users who accessed hotmail.co.il and msn.co.il earlier today were greeted by a page displaying the image of a child wearing the Palestinian flag as a cape and a message reading, "Free Palestine. Hi to greatest [expletive] of the world (i mean all the Jews). u think one day u will own all the world eh? Lol that makes me laugh. that makes all the world laugh. u are just insects. make muslims angrier and just sit and watch what will happen to you." The attacker signs the messsage as TurkGuvenligi Tayfa ("from Turkey with love") and sends greetings to Pakbugs, a notorious group of hackers and defacers.
It appears that the two Microsoft domains, which normally redirect users to login.live.com and il.msn.com, respectively, had their name server information altered. The new ns1.dollar2host.com and ns2.dollar2host.com name servers, which belong to a private Web hosting company, replaced the usual ns1.msft.net and ns2.msft.net that Microsoft used for its domains.
It seems the attacker also managed to get the administrative e-mail address registered for the domains changed. The whois record for msn.co.il currently lists an @hotmail.com address, which is clearly not related to Microsoft, the Redmond giant normally using a standard @microsoft.com one for such purposes.
In fact, searching the rogue address' user part on Google reveals several accounts on Turkish websites and forums with the same name. This suggests that the attacker might have employed one of his active email addresses in the hijacking and, if that's the case, Microsoft should already have a list of IP addresses utilized to access the mailbox, going back months or even years.
It's not clear how the attacker managed to hijack the domain names, but, based on similar past incidents, we can speculate that they either used a set of stolen credentials to log into the control panel and change the information, or they managed to trick an employee at the registrar by impersonating a Microsoft worker. That last scenario played out in January and led to the temporary hijacking of baidu.com
, the domain name of the largest search engine in China.You can follow the editor on Twitter @lconstantin