Hacker Defaces Romanian Sites for Google, Yahoo, Microsoft

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

An Algerian hacker recently defaced the Romanian Web sites for Google, Microsoft and Yahoo, as well as several others.

"Visitors to yahoo.ro, microsoft.ro and google.ro were served a message from an Algerian miscreant using the moniker MCA-CRB," writes The Register's John Leyden. "Traffic destined for the Romanian websites of Kaspersky Lab and PayPal was also hijacked. Affected web browsers were pointed to a frankly boring message resembling nothing more than a test card and an animated GIF background."

"According to his zone-h.org account, MCA-CRB is responsible for defacing well over 5,000 sites, including ones belonging to governments from all around the world," writes Softpedia's Eduard Kovacs.

"Researchers said the most likely explanation for the redirection is a technique known as DNS poisoning, in which domain name system routing tables are tampered with, causing domain names to resolve to incorrect IP addresses," writes Ars Technica's Dan Goodin.

"The hacker pointed the domains to a server in the Netherlands -- server1.joomlapartner.nl -- that also appears to have been hacked, said Bogdan Botezatu, a senior e-threat analyst at Romanian antivirus vendor Bitdefender," writes PCWorld's Lucian Constantin. "Botezatu believes that the DNS records were modified as a result of a security breach at the RoTLD domain registry, which manages the authoritative DNS servers for the entire .ro domain space."

"After analyzing the latest evidence, it seems the most probable scenario for today’s DNS hijacking/poisoning incident is a compromise at RoTLD -- The Romanian Top Level Domain Registry," agrees Kaspersky Lab's Stefan Tanase.

"In [his] analysis of the attack, Tanase, who is based in Romania, said that it could have turned out much worse, had the attacker decided to serve malware or a page designed to capture user credentials for Gmail or another important service," writes Threatpost's Dennis Fisher. "'In this case, the good part is that it was just an ordinary defacement. It could've been much worse if the attacker distributed an exploit kit or a phishing page to all the victims,' he said in an email interview."