Irish DNS Records Breached

Monday, October 15, 2012 @ 04:10 PM gHale


The Irish versions of Google and Yahoo went offline last Tuesday after an attack changed the sites’ Domain Name System (DNS) records, officials at the IE Domain Registry (IEDR) said.

A “security incident” caused the DNS nameserver records for two “high profile .ie domains” to be changed, IEDR said in a statement on its site Wednesday. The change apparently followed “unauthorized access” to a registrar’s account, the statement said.


IEDR identified the two domains as Google.ie and Yahoo.ie in a separate blog post and named the affected registrar as MarkMonitor. IEDR worked with MarkMonitor to correct the problem, but it is not clear how the unauthorized access happened. One theory, according to the IEDR blog post, is that MarkMonitor’s login details for the IEDR registrar console were obtained through social engineering.

“As policy, MarkMonitor does not comment on specific domain name security breaches,” said Ted Smith, MarkMonitor’s vice president of communications. However, Smith acknowledged this incident “appears to be relatively typical of breaches we’ve seen at other TLDs over the last years.”

IEDR notified all member registrars of the incident in a letter and said several systems are offline while it investigates what happened. IEDR temporarily took its external Web-based systems offline in order to perform additional analysis, according to the statement. The Whois service and IEDR’s API system are still online. External security experts are also investigating, IEDR said.

“Registrars accounting for over two thirds of .ie domains are largely unaffected by this interruption,” IEDR said.

It could have been worse: the attackers could have redirected users to a “bogus” site to infect them with malware or harvest personal information from unsuspecting visitors, said Graham Cluley, senior technology consultant at Sophos, on the NakedSecurity blog.

The modified records pointed to DNS nameservers located in Indonesia that were linked to well-known hacking sites, IEDR said in its blog post on the domainregistrar.ie site.
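An incident of this kind is visible from outside the registry: a domain’s NS delegation suddenly differs from what the owner configured. The following script is an added illustration, not code from IEDR, MarkMonitor or the original report; it compares a dig-style NS answer against an owner-maintained baseline and flags any re-delegation. The nameserver hostnames (under the reserved `.invalid` TLD) and the sample answer are constructed, not the real records for these domains.

```python
import re
from dataclasses import dataclass, field
# Baseline the domain owner controls (constructed values, not the real records).
EXPECTED_NS = {
    "google.ie": {"ns1.baseline.invalid", "ns2.baseline.invalid"},
    "yahoo.ie": {"ns1.baseline.invalid", "ns2.baseline.invalid"},
}
# One dig-style answer line, e.g. "google.ie. 3600 IN NS ns1.baseline.invalid."
NS_LINE = re.compile(r"^(?P<owner>\S+)\s+\d+\s+IN\s+NS\s+(?P<target>\S+)$")

@dataclass
class DelegationReport:
    domain: str
    added: set = field(default_factory=set)    # nameservers not in the baseline
    removed: set = field(default_factory=set)  # baseline nameservers now missing

    @property
    def hijacked(self) -> bool:
        return bool(self.added or self.removed)

def parse_ns_answer(text: str) -> dict:
    """Parse dig-style NS answer lines into {domain: set(nameservers)}."""
    seen = {}
    for line in text.splitlines():
        m = NS_LINE.match(line.strip())
        if not m:
            continue  # comments, blank lines, other record types
        owner = m["owner"].rstrip(".").lower()
        seen.setdefault(owner, set()).add(m["target"].rstrip(".").lower())
    return seen

def check_delegation(domain: str, observed: dict, expected=EXPECTED_NS) -> DelegationReport:
    """Compare the observed NS set for a domain against the owner's baseline."""
    want, got = expected.get(domain, set()), observed.get(domain, set())
    return DelegationReport(domain, added=got - want, removed=want - got)

# Constructed answer: yahoo.ie still matches, google.ie has been re-delegated.
SAMPLE_ANSWER = """\
;; ANSWER SECTION:
google.ie.  3600  IN  NS  ns1.hijacked.invalid.
google.ie.  3600  IN  NS  ns2.hijacked.invalid.
yahoo.ie.   3600  IN  NS  ns1.baseline.invalid.
yahoo.ie.   3600  IN  NS  ns2.baseline.invalid.
"""

if __name__ == "__main__":
    observed = parse_ns_answer(SAMPLE_ANSWER)
    for d in EXPECTED_NS:
        r = check_delegation(d, observed)
        print(d, "ALERT" if r.hijacked else "ok", sorted(r.added), sorted(r.removed))
```

Run periodically against the output of `dig NS <domain>` from a resolver outside your own network; a non-empty `added` or `removed` set is the signal to contact the registrar, since the change happened at the registry rather than on your own servers.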
