Photo - Dr. Amirudin Abdul Wahab, CEO, CyberSecurity Malaysia
Websites of Dell, Google, Microsoft, Kaspersky Lab and a number of other corporations with the .my Top Level Domain (TLD) were redirected to an external third-party website for much of Monday 1 July 2013, confirmed the national security agency CyberSecurity Malaysia.
CyberSecurity Malaysia chief executive officer Dr. Amirudin Abdul Wahab said the agency was made aware of the attack on a number of websites earlier on Monday by Google engineers and was working with the respective authorities and administrators to fix the problem as well as to trace the source of the attacks.
Dr. Amirudin said the attack appears to be more complicated than a simple hacktivist defacement. "[The attack is] related to DNS poisoning attacks or DNS Spoofing, where the attacker redirects victims to a different site - in this case to a defacement site. This incident is not related to malware infection but is an issue related to a DNS [domain name system] configuration."
He advised IT managers as well as regular users to ensure that the DNS settings on their PCs and devices were set to their respective ISP's [internet service provider's] own DNS.
Computerworld Malaysia received this response from Microsoft Malaysia's communications lead, Leigh Wong, at 19.03 local time, Monday 1 July 2013, which summarised the position of many corporate websites: "It has come to our attention that a number of URLs ending with the .my Top Level Domain (TLD) suffix are currently being redirected to an external third-party website. This has impacted several Malaysian company URLs with the .my suffix, including Microsoft Malaysia's www.microsoft.com.my. At this time, we have no evidence that any customer or partner data has been affected. So far, simply URLs ending with ".my" are affected. www.microsoft.com/malaysia is still fully operational.
We are working with the relevant authorities and industry partners to resolve this matter quickly. We will keep the public updated via our Facebook page at www.facebook.com/MicrosoftMalaysia and www.twitter.com/mymicrosoft."
The total number of sites affected remains unknown but included Dell, Microsoft's Malaysian sites - with the .my TLD such as Bing and Skype - as well as Google Malaysia, YouTube Malaysia and Kaspersky Lab's local sites. Credit for the DNS poisoning attack appeared to be taken by '#Bangladeshi HackeR' on the redirected homepage protesting the alleged mistreatment of Bangladeshi foreign workers in Malaysia.
Kaspersky Lab released a statement on 3 July 2013 that said the attack most likely occurred in the Malaysian top level domain register MYNIC. "The attack appears to have resulted in an unauthorized update of DNS data for many – if not all – of the domain names registered by MYNIC [Malaysian domain name registrar]. The altered DNS records were then propagated to the DNS servers of various internet service providers, including Google."
"MarkMonitor (Kaspersky Lab’s domain registrar) detected the problem, contacted MYNIC’s specialists and helped Kaspersky Lab roll back all changes. The name servers for the affected .my domains, including kaspersky.my, have been restored to their original settings," continued the statement.
"[In addition] Kaspersky Lab’s web security experts immediately conducted a thorough investigation of Kaspersky.my following the attack and concluded that no Kaspersky Lab servers or resources were breached during the attack; there was no unauthorized access to Kaspersky Lab resources on the Kaspersky.my website and that no sensitive data or websites belonging to Kaspersky Lab were compromised during the incident."