Twitter's DNS records were compromised overnight, and users visiting Twitter.com were redirected to a page showing a green flag, Arabic writing and the message ‘This site has been hacked by the Iranian Cyber Army’.
In a tweet from its official account, Twitter confirmed earlier this morning that ‘Twitter's DNS records were temporarily compromised but have now been fixed’. Co-founder Biz Stone confirmed in a blog post that the DNS records were temporarily compromised overnight but have now been fixed, and that while Twitter.com was redirected for a while, the API and platform applications kept working.
Commenting on the incident, Rik Ferguson, senior security advisor at Trend Micro, said that attacks of this kind usually involve compromising the registrar responsible for the victim company's DNS records, after which the attackers can make unauthorised changes to those records.
Ferguson said: “These changes mean that when you or I type a website address into our browsers, we are directed not to the real website but to a second site, set up by the hackers, in this case the 'Iranian Cyber Army'. This has the net effect of making it look like, in this example, servers belonging to Twitter were compromised when in reality that was not the case.”
Graham Cluley, senior technology consultant at Sophos, said: “Of course, just because a message saying 'This site has been hacked by the Iranian Cyber Army' has been posted on a webpage does not necessarily mean that hackers from Iran are responsible for the defacement.
“However, Twitter was widely used earlier this year by those wishing to share information about anti-government protests in the country, and rumours spread in July that planned maintenance on the site was delayed to allow Iranians to continue to share information from inside the country as citizen journalists commented on the controversial election result.
“If that's right then it means that Twitter's own servers weren't necessarily breached by the hackers. Rather, the ‘address book', which converts a web address like example.com into a series of numbers understandable by the internet started pointing people trying to find Twitter to somewhere else entirely.”
Both Cluley and Ferguson noted that the page to which users were redirected did not carry malicious code. Cluley said that the attack appeared to have been politically motivated rather than designed to steal confidential information from users.
Meanwhile Ferguson said: “These sorts of attacks are usually limited to hacktivism activities like this one today, but imagine the potential to criminals if they could pull this off against any site requiring log in credentials, such as PayPal, eBay, MSN or Facebook.
“One has to wonder how quickly the attack would be noted if the dummy site was an exact replica of the victim and was simply there to harvest credentials and redirect the user then into the real site. This attack is called pharming and currently mostly happens as a result of local malware modifying individual PCs, not through the compromise of global DNS records, but the potential is demonstrably there.
“Companies should be monitoring their DNS resolution on several servers to become aware as early as possible when this kind of attack takes place.”
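The monitoring Ferguson recommends can be automated in a few dozen lines. The script below is an added example and is not code from the article, from Twitter or from either vendor quoted above. It queries several independent resolvers for a name's A records (a minimal RFC 1035 UDP query, so no third-party DNS library is needed), compares every answer against the operator's list of known-good addresses, and distinguishes the case where every resolver has drifted (consistent with a change to the authoritative or registrar-held records, as in this incident) from a single disagreeing resolver (cache poisoning, or a change still propagating). The domain, the expected addresses (RFC 5737 documentation ranges), the resolver list and the sample answers in the self-test are all constructed for illustration.

```python
"""Multi-resolver DNS drift monitor (added example; assumptions are marked)."""
import ipaddress
import random
import socket
import struct

# Public resolvers used only for a live run; any set of independent resolvers will do.
RESOLVERS = {"google": "8.8.8.8", "cloudflare": "1.1.1.1", "quad9": "9.9.9.9"}


def build_query(domain: str, txid: int) -> bytes:
    """Standard recursive query for QTYPE A, QCLASS IN (RFC 1035 section 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in domain.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(data: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[pos]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, terminates the name
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length


def parse_a_records(data: bytes, txid: int) -> set:
    """Extract the A records from a response; reject a wrong transaction ID or an error RCODE."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch")
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0x000F}")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(data, pos) + 4          # skip QTYPE and QCLASS
    found = set()
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            found.add(str(ipaddress.IPv4Address(data[pos:pos + 4])))
        pos += rdlen
    return found


def query_a(server: str, domain: str, timeout: float = 3.0) -> set:
    """Ask one specific resolver over UDP. Live network call; not used by the self-test."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(domain, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def check_drift(expected: set, answers: dict) -> dict:
    """Compare per-resolver answers (resolver name -> set of IPs, or None if the lookup
    failed) against the known-good set and return a verdict plus the evidence."""
    unexpected, failed = {}, []
    for name, ips in answers.items():
        if ips is None:
            failed.append(name)
            continue
        bad = sorted(set(ips) - set(expected))
        if bad:
            unexpected[name] = bad
    answered = [n for n in answers if n not in failed]
    if not unexpected:
        verdict = "ok"
    elif answered and len(unexpected) == len(answered):
        verdict = "all-resolvers-drifted"   # authoritative/registrar records changed
    else:
        verdict = "partial-drift"           # one resolver poisoned, or change propagating
    return {"verdict": verdict, "unexpected": unexpected, "failed": failed}


def monitor(domain: str, expected: set, resolvers: dict = RESOLVERS) -> dict:
    """Live run: query every resolver, then compare. Requires network access."""
    answers = {}
    for name, server in resolvers.items():
        try:
            answers[name] = query_a(server, domain)
        except (OSError, ValueError):
            answers[name] = None
    return check_drift(expected, answers)


if __name__ == "__main__":
    # Constructed self-test: every resolver now returns the attacker's host.
    expected = {"192.0.2.10", "192.0.2.11"}
    hijacked = {name: {"198.51.100.77"} for name in RESOLVERS}
    print(check_drift(expected, hijacked))
```

Run it from cron against each public hostname with `monitor("your.domain", {known_good_ips})` and page on anything other than `"ok"`; a verdict of `all-resolvers-drifted` is the signature of the registrar-level change described in this article, while `partial-drift` usually means a single resolver or cache is at fault. Querying resolvers that do not share infrastructure is what makes the comparison meaningful.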