Google And Yahoo Domains Hijacked In Ireland

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved,
© Yuri Arcurs - Fotolia.com

The Irish domains of both Google and Yahoo were knocked offline after a serious security breach

The Irish domains of both Google and Yahoo were temporarily knocked offline earlier this week after their domain name server records were changed in a serious security breach.

The incident occurred Tuesday when the DNS name server records of both domains were changed after a registrar’s account was accessed without authorisation, according to the IE Domain Registry (IEDR). The registrar was identified as MarkMonitor.

Serious Questions

As a result of an investigation by IEDR and third-party experts, IEDR temporarily took external web-based systems offline in order to perform additional analysis. The Whois service and the IEDR’s API however are fully operational, meaning the registrars accounting for more than two-thirds of .ie domains were largely unaffected by the interruption. Public access to .ie websites or email is also unaffected, IEDR explained today.

“Serious questions are being raised about how this breach occurred,” IEDR noted Wednesday in a separate blog post. “Security experts have suggested that the login details for the IEDR registrar’s console may have been ‘socially engineered’, for example if a hacker pretended to represent MarkMonitor and manipulated the IEDR into providing login details to the Registrar console website (where DNS nameservers are configured).”

MarkMonitor did not offer much in the way of details about the incident.

“As you know, the topic of ccTLD security has been discussed by the domain naming system community because of these types of breaches,” MarkMonitor spokesperson Te Smith said in a statement. “As policy, MarkMonitor does not comment on specific domain name security breaches. We recommend that all TLDs implement best practices security measures like those in use by Verisign.COM, Neustar .BIZ and the Puerto Rico.PR registries.”

In January, hackers in the Anonymous collective hijacked the domain name system record for CBS.com and redirected traffic to another Web server that displayed an empty directory structure, making it appear as though the contents of CBS.com had been erased. CBS.com eventually regained control of the domain.

Domain Hijack

According to IEDR, in the case of Google and Yahoo, the records were modified to point to DNS name servers in Indonesia that have been linked to well-known hacking sites – making it possible that some visitors to Google.ie and Yahoo.ie may have been taken to fraudulent versions of those sites. Graham Cluley, senior technology consultant at Sophos, identified the Indonesian name servers as belonging to farahatz.net.

According to Cluley, an attacker could have for example potentially taken users to a bogus version of Google “and infected them with malware or distributed advertising pop-ups.”

In statements to ZDNET, both Google and Yahoo acknowledged the situation and apologised to users. “We are aware that Yahoo.ie was inaccessible to some users in Ireland,” a Yahoo spokesperson told ZDNET. “This issue is resolved and we apologise [sic] for any inconvenience this may have caused.”

According to IEDR, police have been notified about the situation.

Is Internet knowledge your domain? Take our quiz!

Originally published on eWeek.