Hacktivists dish out DNS hijack to PayPal, eBay

Surfers visiting the eBay and PayPal UK websites were redirected to defacement pages instead following a DNS hack for which the Syrian Electronic Army has claimed responsibility. The hijacking of surfers instigated by the pro-Assad hacktivists only persisted for a short period over the weekend before normality was restored. …

COMMENTS

This topic is closed for new posts.
  1. DavCrav

    Isn't this the on-line version of scrawling graffiti onto roadsigns? We don't have a news story each time that happens.

    Edit: before anyone says "well, why did you read this then?", I'm procrastinating.

    1. Anonymous Coward

      Agreed. It would have been much more mischievous if they'd put up a new terms and conditions document which included phrases such as "eBay agrees unconditionally to abide by EU 'distance selling' legislation and finally take responsibility for the consequences of the services that we provide."

  2. Anonymous Coward

    Not exactly rocket scientists

    They hacked advertising pages with minimal security. What amateurs.

  3. Anonymous Coward

    >"no accounts were ever in any danger of being compromised"

    Well, unless they had decided to put up a fake login page, which, being as it was under a legit domain, probably would have phished in a few users.

    Also, their server would have been able to read any domain cookies in their browsers.

    1. TheBeardyMan

      Re: >"no accounts were ever in any danger of being compromised"

      A few users? A PayPal / eBay phish only needs to fool an average PayPal / eBay user. As noted, the hackers might not be rocket scientists, but neither are the targets of any phishing they might have attempted.

  4. Gareth79

    "a very small subset of people visiting a few marketing web pages of PayPal France, UK"

    A FEW marketing pages? The FRONT PAGE, i.e. ebay.co.uk, was hijacked for two hours, and visitors' cookies would have been spewing to the rogue server. I didn't check PayPal at the time (I was an affected user) but I assume it was the same.

    They changed the DNS servers to a couple of random ones. If the attacker had been more malevolent they could have put a fake login form on and had a field day.

    An interesting problem is that when whoever owned the server that was hosting the hijack page discovered the problem they disabled the account, which 301 redirected to a "site suspended" page. On many browsers a 301 is cached for a very long time, so when the affected people visit ebay.co.uk they will be redirected to something like www.ebay.co.uk/cgi-bin/suspended.cgi (which 404s) until they clear their cache.

  5. Camilla Smythe

    Saturday evening...

    DNS lookups for ebay.co.uk kept on failing for me. Firefox 'could not find' etc.

        ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> ebay.co.uk
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10658
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

        ;; QUESTION SECTION:
        ;ebay.co.uk. IN A

        ;; Query time: 29 msec

    However on one occasion I ended up with a decidedly non-ebay looking 'page not found' error page...

    "http://www.ebay.co.uk/cgi-sys/defaultwebpage.cgi

    If you feel you have reached this page in error, please contact the web site owner:

    webmaster@ebay.co.uk

    It may be possible to restore access to this site by following these instructions for clearing your dns cache.

    If you are the web site owner, it is possible you have reached this page because:

    The IP address has changed.

    There has been a server misconfiguration.

    The site may have been moved to a different server.

    If you are the owner of this website and were not expecting to see this page, please contact your hosting provider."

    At that time the DNS reported..

        ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> ebay.co.uk
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56542
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

        ;; QUESTION SECTION:
        ;ebay.co.uk. IN A

        ;; ANSWER SECTION:
        ebay.co.uk. 106 IN A 23.238.230.225

        ;; AUTHORITY SECTION:
        ebay.co.uk. 72106 IN NS ns1.dnforu.com.
        ebay.co.uk. 72106 IN NS ns2.dnforu.com.

        ;; Query time: 30 msec

    This was via SKY DNS. I reported this to ebay via online chat. The 'problem' did eventually resolve itself but it all seemed 'very suspicious'.

    1. Gareth79

      Re: Saturday evening...

      This is what I saw at around 16:48:

      http://imgur.com/cyS0TXJ

      It reverted to a cPanel default page fairly quickly, and then the DNS entries were dropped from the "dnforu" servers.

      This was the Nominet whois at the same time, clearly showing the rogue DNS servers:

      http://imgur.com/eCkoGkL

      It was like that for at least an hour and a half, a crazy slow response. I assume they were locked out of the Markmonitor systems!

      1. Anonymous Coward

        Re: Saturday evening...

        Did they increase the timeouts? That could explain the delays.

        If it were me conducting the hack I would have made all the records persistent for as long as the protocol allowed.
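Added example, not part of any comment in this thread: a small monitor that parses `dig` output like the answer quoted above and flags NS records outside an expected delegation, also reporting the NS TTL that governs how long resolvers keep a changed delegation cached. `EXPECTED_NS` holds hypothetical placeholder names (the page does not give eBay's legitimate nameservers), and the function names are this example's own.

```python
import re

# Constructed sample: the NOERROR answer quoted in the comment above.
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56542
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;ebay.co.uk. IN A

;; ANSWER SECTION:
ebay.co.uk. 106 IN A 23.238.230.225

;; AUTHORITY SECTION:
ebay.co.uk. 72106 IN NS ns1.dnforu.com.
ebay.co.uk. 72106 IN NS ns2.dnforu.com.
"""

# Hypothetical baseline (placeholder names, not the domain's real delegation).
EXPECTED_NS = {"ns1.registrar-dns.example.", "ns2.registrar-dns.example."}
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")

def parse_dig(text):
    """Return (status, records); each record is (section, name, ttl, type, rdata)."""
    status, section, records = None, None, []
    for line in text.splitlines():
        line = line.strip()
        m = re.search(r"status: (\w+)", line)
        if m:
            status = m.group(1)
        elif line.startswith(";;") and line.endswith("SECTION:"):
            section = line[3:].split()[0]
        elif (m := RR.match(line)):  # comment lines (";...") never match
            name, ttl, rtype, rdata = m.groups()
            records.append((section, name.lower(), int(ttl), rtype, rdata.lower()))
    return status, records

def check_delegation(text, expected_ns):
    """Flag NS records a resolver returned that are not in the expected set."""
    status, records = parse_dig(text)
    ns = [r for r in records if r[3] == "NS"]
    rogue = sorted({r[4] for r in ns} - {n.lower() for n in expected_ns})
    return {
        "status": status,  # SERVFAIL etc. is surfaced, not treated as clean
        "alert": bool(rogue),
        "unexpected_ns": rogue,
        "a_records": [r[4] for r in records if r[3] == "A"],
        "max_ns_ttl": max((r[2] for r in ns), default=0),
    }
```

Run against answers from several resolvers on a schedule, a non-empty `unexpected_ns` is the signal to check the registrar record; `max_ns_ttl` bounds how long a resolver that cached the change may keep serving it after the registry entry is corrected.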

  6. Anonymous Coward

    Not Hacked?

    I appreciate the goal of PR is to manage the negative publicity, but in most of the reports that came out about this over the weekend there was a tweeted screenshot of a supposedly internal email from Paul Whitted (eg: http://www.zdnet.com/ebay-and-paypal-uk-domains-hacked-by-syrian-electronic-army-7000025854/).

    This email appears to be confirming the fact they were hacked and suggesting people move onto a secure comms channel.

    Is this a normal response for an advertising site defacement and, if legit, how did this email leak?

    1. Anonymous Coward

      Re: Not Hacked?

      Can anyone add anything to this? Were they hacked or not?

  7. pacman7de

    Online lookup table?

    "The hijacking involved changing entries in the online lookup table that translates PayPal.co.uk to an IP address computers use to route surfing requests"

    Also known as a Domain Name System (DNS), something I would have thought most people here would be familiar with. I don't see how PayPal could claim that 'no accounts were ever in any danger of being compromised', seeing as if the hackers had created a fake PayPal login page and then redirected them to the real one, they could have been harvesting login credentials for ages. Which leads to the question of who was hosting the PayPal DNS entry and why didn't they notice the hack?
