London - Major websites including UPS, National Geographic, Betfair and the Telegraph in London found their visitors redirected to a page of a Turkish hacker group for several hours. The attack began Sunday afternoon London time.

The group calls itself TurkGuvengligi. Guvengligi is Turkish for security. The hacked page said, “Gel Babana”, a common Turkish phrase that means “come to Papa”, according to security expert Graham Cluley of Sophos.

The hackers appeared to exploit a database vulnerability for a configuration panel on the registrar for the sites, according to one of the sites affected, tech news site The Register.

[Image: Visitors to major websites were redirected to a page of a Turkish hacking group]

The sites themselves were not hacked. The hacker had not compromised their servers; instead, the Domain Name System (DNS) listings of the affected sites were hijacked.

All web addresses consist of four numbers separated by dots, known as the “dotted quad”. For instance, one of the dotted quads for Google.com is 74.125.224.72. Even if Google’s DNS listing wasn’t working, you could still get to the site if you knew those numbers. However, to make the web easier to use and save you from having to remember endless lists of numbers, DNS lets you use an easy-to-remember address like Google.com in place of the dotted quad.

By attacking the registrar for these sites, the Turkish hacking group managed to compromise the DNS listings of these high-profile sites and redirect visitors from the intended destinations to its own page.

Dangers to users

Although the sites were not hacked, security experts warned visitors to avoid the sites if they had passwords stored and also not to send emails to the sites. James Ball, a data journalist at The Guardian, warned users via Twitter: “DON’T visit those sites if they usually ‘remember’ your login details. Small but real risk from cookies.”

Security experts also warned against sending any emails to addresses linked to those sites for at least 24 hours. Alex Norcliffe, a software engineer with content management software company Umbraco, said it would be “trivial” for the hacker to receive all of the email destined for those sites. The Register shut down all services that required a password as a precaution.

Norcliffe told The Guardian, “the domain names are totally out of control of the owners until they can get the registrar to change them back to their own nameservers.” DNS hacks are not unknown, but Norcliffe said, “Attacks on registrars’ systems are rarely this effective, and SLAs (service-level agreements) between registrar and domain owner are almost unheard of.”

The motivation for the hack seemed to be little more than “entertainment”, according to responses by the hacker to questions on Twitter. The group told The Guardian that they target large domains.

All of the hacking group’s exploits are listed on the Zone-h website, which hackers use to list their attacks, and TurkGuvengligi seems to have had quite a busy summer. In July, he defaced the sites of Microsoft in Brazil. In a slightly ironic move, he defaced sites supporting British hacker Gary McKinnon, who is fighting extradition to the US to face charges he broke into Nasa and military networks. In August, he defaced the sites of HSBC, tech site ZDNet and Dell computers in South Korea.
Major websites in the US and UK saw visitors redirected to a page controlled by a Turkish hacker group. The sites weren’t compromised, but the hack could leave some visitors vulnerable.
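
A defender's check for the registrar-level DNS hijack described in the article, as an added example that is not part of the original article: it compares dig-style answer lines for a domain against the owner's expected records and rates a changed nameserver set as critical, since the web and mail answers follow whoever serves the zone. The domain example.com, all record values and the function names are constructed for illustration.

```python
"""Detect nameserver-delegation drift from dig-style answer lines (constructed data)."""
from collections import defaultdict

# Constructed baseline: records the owner expects for the hypothetical example.com.
BASELINE = """\
example.com. 86400 IN NS ns1.example.com.
example.com. 86400 IN NS ns2.example.com.
example.com. 3600 IN MX 10 mail.example.com.
example.com. 300 IN A 192.0.2.10
"""

# Constructed observation after a registrar-level change to the delegation.
OBSERVED = """\
example.com. 3600 IN NS NS1.Example.NET.
example.com. 3600 IN NS ns2.example.net.
example.com. 300 IN MX 5 mx.example.net.
example.com. 300 IN A 203.0.113.66
"""

def parse_answers(text):
    """Return {(owner, rtype): set(rdata)} from 'name ttl class type rdata' lines."""
    records = defaultdict(set)
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments and blank lines
        if len(fields) < 5:
            continue
        owner, rtype = fields[0].lower().rstrip("."), fields[3].upper()
        # For MX keep only the exchange host; a preference change alone is not drift.
        rdata = fields[-1] if rtype == "MX" else " ".join(fields[4:])
        records[(owner, rtype)].add(rdata.lower().rstrip("."))
    return records

def delegation_drift(baseline_text, observed_text):
    """List (severity, owner, rtype, removed, added) for every changed record set."""
    base, seen = parse_answers(baseline_text), parse_answers(observed_text)
    findings = []
    for key in sorted(set(base) | set(seen)):
        removed, added = base[key] - seen[key], seen[key] - base[key]
        if removed or added:
            # A changed NS set means every other answer is now served by someone else.
            severity = "critical" if key[1] == "NS" else "high"
            findings.append((severity, key[0], key[1], sorted(removed), sorted(added)))
    return findings

if __name__ == "__main__":
    for finding in delegation_drift(BASELINE, OBSERVED):
        print(finding)
```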