Guardian.co.uk: Twitter hack by ‘Iranian Cyber Army’ is really just misdirection

The ‘Iranian Cyber Army’, apparently a pro-Iranian group, briefly misdirected Twitter users. (Translations of the text welcome.)

The “Twitter hack” by the “Iranian Cyber Army” turns out not to have been a hack of Twitter itself: instead they took aim at the DNS records for the site itself (though Twitter itself says in a blog post that API services – which contact the servers directly – were unaffected.) The hackers also appear to have hacked mowjcamp.org, an advocacy site for Iranian protesters against the re-elected President Mahmoud Ahmadinejad. I tried to contact the “Iranian Cyber Army” at the given (Gmail) address on the website: it bounced as undeliverable. Rik Ferguson, a security analyst at Trend Micro, said: “This kind of DNS hijacking usually involves compromising the registrar responsible for the DNS records of the victim company. The attackers then make unauthorised changes to the DNS records. These changes mean that when you or I type a web site address into our browsers, we are directed not to the real web site but to a second site, set up by the hackers, in this case the ‘Iranian Cyber Army’. This has the net effect of making it look like, in this example, servers belonging to Twitter were compromised when in reality that was not the case.” Similar misdirections have happened in the past by accident when “root servers” which route queries for domain lookups have been misprogrammed. Pakistan was blamed for making YouTube inaccessible to the world in February 2008. The government ordered ISPs to set up their DNS servers to reroute any queries inside the country for the site to an “inaccessible” message – but that block was then passed on to DNS servers around the world. (Update: altered to try to clarify that the Pakistan/YouTube incident was about routing tables, not DNS.) However security experts know that DNS servers are a major source of weakness in the internet: because they determined how traffic is routed, control of them gives hackers the ability to send people where they like. In July 2008 researchers had to race to fix a flaw discovered in the DNS setup before hackers could exploit it. Ferguson added: “These sorts of attacks are usually limited to hacktivism activities like this one today, but imagine the potential to criminals if they could pull this off against any site requiring log in credentials, such as PayPal, eBay, MSN, Facebook. One has to wonder how quickly the attack would be noted if the dummy site was an exact replica of the victim and was simply there to harvest credentials and redirect the user then into the real site.” Such attacks, called “pharming”, presently happen on individual PCs that have been silently taken over by malware, not DNS compromises. But, warns Ferguson, “the potential is demonstrably there. If attacks like this can be said to serve any purpose at all, then perhaps they can serve as a reminder that we all need to absolutely ensure that our business partners meet our own high security standards, and that stands in both the on- and offline worlds.” Update: a translation of some of the text has been provided: “the red text says “Peace be with you. Ya Hossein!” (Hossein being the third imam in the Shia Islam hierarchy, this phrase is used as an exclamation, a bit like we might say ‘Oh my god!’)’. ‘The lower text says “If the leader orders us to, we will attack and if he wants us to, we will lose our heads. If he wants us to have patience and wait, we shall sit down and put up with it.”‘ (We still don’t know what the top part, in blue, says: that’s Arabic not Farsi/Iranian, apparently.) Intriguingly this site’s content (the pic is from mowjcamp.org) is different from what was allegedly put on the Twitter misdirection: “U.S.A. Think They Controlling And Managing Internet By Their Access, But They Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To…. NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA? WE PUSH THEM IN EMBARGO LIST 😉 Take Care.” Source: http://www.guardian.co.uk/technology/blog/2009/dec/18/twitter-hack-iranian-cyber-army-dns-mowjcamp