DNS Attack Takes Down Google Morocco

morocco12-hpGoogle Morocco was the latest victim of a Domain Name System or DNS attack. A notorious Pakistani leet hacker group named, “PAKbugs”, hijacked Google Morocco’s official website (www.google.co.ma).

Defaced Page:

This is not the first time that Google Moroco has been hacked by PAKbugs. It was previously hacked in 2009. Previously, PAKBugs hijacked major ccTLDs like .co.ug and .co.ec.

Hacked Domains:

Mirror link:

http://zone-h.com/mirror/id/19094784

According to the Ping Results of the domain, the IP address of the hacked domain Google.co.ma points to [46.183.219.99] – located in Latvia (ip-219-99.dataclub.biz), which is not a Google IP address.

Putting this IP address to a browser address bar, it redirects to www.pakbugs.com which shows that the hacker pointed the Google domain to PAKbugs Server where they hosted a deface page.

It’s not clear how this attack was carried out, but it may have involved compromising the system operated by the Moroccan Top Level Domain Registrar (MaTLD).

What is DNS poisoning?

DNS is the system that converts website names into an IP address of the server hosting the website. A DNS poisoning attack tampers the valid list with fake records causing domain names to resolve to incorrect IP addresses.

Why deface one website, when you can just hack the server that holds the IP address to the victim’s site? So, if you can hack the Domain Name System registrar that holds the records for an entire country, you can change any of the servers that you like to point to any website that you want.

DNS poisoning first came to light in the mid-1990s when researchers discovered that attackers could inject spoofed IP addresses into the Domain Name System resolvers belonging to Internet service providers and large organizations. The servers would store the incorrect information for hours or days at a time, allowing the attack to send large numbers of end users to websites that install malware or masquerade as banks or other trusted destinations. Over the years, DNS server software has been updated to make it more resistant to the hack.

Months ago, Ireland’s domain registry suffered an “unauthorized intrusion into the company’s systems” that affected DNS records for Google.ie and Yahoo.ie. The attack exploited vulnerabilities in the company’s configuration of the Joomla content management system to upload malicious code that caused unauthorized DNS changes. DNS attacks have also recently hit Romania, according to this blog post by BitdefenderLabs.

These attacks can be much worse, if the hacktivists are a more malicious group. Like Nation State hackers, for example, who want to infect groups of systems from a target nation. Or gather pertinent credentials from users who think they are on a legitimate website, and not a spoofed one reached via Domain Name System manipulation. Imagine, how many accounts can be compromised if the websites are redirected to a Phishing page, instead of a defaced page.

About Nauman Ashraf

Nauman Ashraf is a security researcher, developer and blogger. He is focused on web application security and research. He has reported vulnerabilities to many well-known enterprises including CNN, Mashable, Techrunch, Engineyard where he is included in the responsible disclosure page. He is currently doing security research and writing for NT OBJECTives. Nauman has a great passion for security, developing his own security related tools and learning about new bypassing techniques. Connect with Nauman on Google+

Leave a Reply

Your email address will not be published. Required fields are marked *