An Algerian hacker going by the name MCA-CRB has taken credit for the defacement of both Google and Yahoo!’s Romanian websites.
On Wednesday last week, the hacker hijacked the Domain Name System (DNS) records of Yahoo! and Google and changed them to redirect users to a defaced page.
MCA-CRB is known to be a prolific hacker and is famous for defacing at least 5,000 websites.
Both domains, www.google.ro and www.yahoo.ro, were set to resolve to an IP address located in Holland.
Stefan Tanase, of Kaspersky Lab Romania, commented on the DNS hijacking and said: “When we heard about this incident, we were pretty sceptical about the attack. A site such as Google’s can be theoretically hacked, but it is very unlikely. Then we noticed that both domains were directed to an IP address in the Netherlands […], so it seemed more like a DNS poisoning attack.”
A “DNS poisoning” attack, or “DNS spoofing” as it is sometimes known, occurs when a DNS server receives a non-authentic translation of a domain name to an IP address and caches it for performance optimisation, so that subsequent requests are redirected to an incorrect address.
Tanase added: “All we know is that Google’s public DNS servers (220.127.116.11 and 18.104.22.168) were resolving requests for google.ro and other major .RO websites to the IP address hosting the defacement page.”
Google Romania believes the problem was at domain level and is investigating the incident with the assistance of the Romania Top Level Domain organisation, the organisation responsible for managing domain names in Romania.
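The two explanations in the article (a poisoned resolver cache versus a change at domain level) can be told apart by comparing what caching resolvers return with what the zone's own name server returns. The sketch below is an added example, not part of the original article; the domain, source names, addresses and verdict labels are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed baseline: networks each monitored name is expected to resolve into.
EXPECTED = {"www.example.ro": ["192.0.2.0/24"]}

# Constructed observations: (source, kind, name, answer). kind is "recursive"
# for a caching resolver or "authoritative" for the zone's own name server.
CACHE_CASE = [
    ("resolver-a", "recursive", "www.example.ro", "203.0.113.50"),
    ("resolver-b", "recursive", "www.example.ro", "192.0.2.10"),
    ("ns1", "authoritative", "www.example.ro", "192.0.2.10"),
]
ZONE_CASE = [
    ("resolver-a", "recursive", "www.example.ro", "203.0.113.50"),
    ("resolver-b", "recursive", "www.example.ro", "203.0.113.50"),
    ("ns1", "authoritative", "www.example.ro", "203.0.113.50"),
]

def in_baseline(name, answer):
    """True if the answer falls inside a network expected for this name."""
    addr = ipaddress.ip_address(answer)
    return any(addr in ipaddress.ip_network(n) for n in EXPECTED.get(name, []))

def classify(observations):
    """Map each name to (verdict, sources that returned an unexpected address)."""
    seen = defaultdict(lambda: {"recursive": [], "authoritative": []})
    for source, kind, name, answer in observations:
        seen[name][kind].append((source, in_baseline(name, answer)))
    verdicts = {}
    for name, obs in seen.items():
        bad_rec = sorted(s for s, ok in obs["recursive"] if not ok)
        bad_auth = sorted(s for s, ok in obs["authoritative"] if not ok)
        if bad_auth:  # the zone itself serves the unexpected record
            verdicts[name] = ("authoritative-data-changed", bad_auth + bad_rec)
        elif bad_rec and obs["authoritative"]:  # only caches disagree with the zone
            verdicts[name] = ("resolver-cache-suspect", bad_rec)
        elif bad_rec:  # nothing authoritative to compare against
            verdicts[name] = ("unverified", bad_rec)
        else:
            verdicts[name] = ("ok", [])
    return verdicts

if __name__ == "__main__":
    for label, case in (("cache", CACHE_CASE), ("zone", ZONE_CASE)):
        print(label, classify(case))
```

A "resolver-cache-suspect" verdict points at the resolver operator, while "authoritative-data-changed" points at the registrar, registry or zone operator, which is where Google Romania said it was looking.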