While Twitter has remained largely quiet on the hour-long hijacking of its domain name, additional information suggests that the attacker had compromised at least one user at the social networking company.
On Thursday, an unknown attacker hijacked Twitter’s domain name and redirected visitors to an unrelated site hosting a page claiming Twitter had been hacked by the “Iranian Cyber Army.” Evidence indicates, however, that the attackers were able to change the domain-name system (DNS) entries at Twitter’s provider, Dyn Inc., said Rod Rasmussen, president and CEO of Internet Identity, an infrastructure security firm which monitors DNS changes.
“First of all, the name servers themselves didn’t change, so someone was updating things at the provider,” Rasmussen said. Because other clients were not showing signs of DNS hijacking, it’s unlikely that Dyn itself had been breached, Rasmussen said. “We didn’t see anything else at Dyn that indicated signs that the service had been compromised.”
On Friday, Dyn confirmed that the attacker had the proper credentials to log into Twitter’s account with the company and change the addresses assigned to various hosts in the Twitter.com domain. While some media reports have called the attack a hack or a defacement against the site, neither term applies, said Kyle York, vice president of sales and marketing for the firm.
“From our point of view, no unauthenticated users logged into the system,” York said.
Dyn has suspended the use of its automated password recovery system, suggesting that the attackers were able to use the system to change the password on Twitter’s account. York would not confirm the connection, but said that all its clients would have to use the company’s phone support to change or recover a password.
The popularity of the social networking service has made it a target of hackers and a focus of security researchers this year. In August, a botnet targeted both Twitter and Facebook with a distributed denial-of-service attack. The micro-blogging service has also had to contend with the spreading of worms, the exploitation of a security vulnerability, and the use of its network as a command-and-control channel.
The first evidence of the attack appeared at 9:57 pm PT, when the Twitter.com domain was redirected, according to Rasmussen. Following that, nearly 40 subdomains — including those used by the company’s mail servers — were redirected. Until 11 pm PT, when Dyn reset the domain, visitors to Twitter.com were sent to one of four different IP addresses, Rasmussen said. All of the sites that hosted the defacement message were on legitimate ISPs, he said.
“My guess, looking at the boxes themselves, is that they are virtual servers that are hosting a lot of Web sites,” Rasmussen said. “They (the attackers) may have used stolen credit cards to set up a Web site.”
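The pattern Rasmussen describes, name servers unchanged while host records are rewritten inside the provider account, is exactly what a periodic baseline comparison of a zone can catch, including the redirection of mail hosts. The script below is an added example, not code from the article, from Dyn or from Internet Identity; the host names, name-server names and IP addresses in it are constructed placeholders.

```python
"""Added example: compare a zone snapshot against a known-good baseline and
classify the kind of change seen. All names and addresses are constructed."""

APEX = "twitter.com"


def records(*rows):
    """Build a zone snapshot as {(name, type): frozenset(values)}."""
    return {(name, rtype): frozenset(values.split()) for name, rtype, values in rows}


# Constructed known-good baseline for the zone.
BASELINE = records(
    ("twitter.com", "NS", "ns1.dns-provider.example ns2.dns-provider.example"),
    ("twitter.com", "A", "198.51.100.10"),
    ("www.twitter.com", "A", "198.51.100.10"),
    ("api.twitter.com", "A", "198.51.100.11"),
    ("mail.twitter.com", "A", "198.51.100.20"),
    ("twitter.com", "MX", "mail.twitter.com"),
)

# Constructed snapshot of the hijack pattern: delegation (NS) unchanged,
# apex, www and the mail host now resolve to addresses outside the baseline.
OBSERVED = records(
    ("twitter.com", "NS", "ns1.dns-provider.example ns2.dns-provider.example"),
    ("twitter.com", "A", "203.0.113.5"),
    ("www.twitter.com", "A", "203.0.113.6"),
    ("api.twitter.com", "A", "198.51.100.11"),
    ("mail.twitter.com", "A", "203.0.113.5"),
    ("twitter.com", "MX", "mail.twitter.com"),
)


def diff_zone(baseline, observed):
    """Return {(name, type): (old, new)} for every record set that differs;
    a record set missing on one side counts as empty."""
    changes = {}
    for key in sorted(set(baseline) | set(observed)):
        old, new = baseline.get(key, frozenset()), observed.get(key, frozenset())
        if old != new:
            changes[key] = (old, new)
    return changes


def assess(baseline, observed, apex):
    """NS differ -> delegation changed (registrar side); NS same but other
    records differ -> change made inside the DNS provider account."""
    changes = diff_zone(baseline, observed)
    mail_hosts = baseline.get((apex, "MX"), frozenset()) | observed.get((apex, "MX"), frozenset())
    new_ips = {ip for (n, t), (old, new) in changes.items() if t == "A" for ip in new - old}
    mail_hit = any(t == "A" and n in mail_hosts for (n, t) in changes)
    if (apex, "NS") in changes:
        verdict = "delegation changed: check registrar account"
    elif changes:
        verdict = "records changed with same name servers: check DNS provider account"
    else:
        verdict = "no change"
    return {"verdict": verdict, "changed": sorted(f"{n}/{t}" for n, t in changes),
            "new_ips": sorted(new_ips), "mail_redirected": mail_hit}
```

A real deployment would fill OBSERVED from live resolver queries on a schedule and alert on anything but "no change".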
The attacker, or attackers, behind Thursday’s redirect claimed to be part of the “Iranian Cyber Army.” However, another message — translated from Farsi by Google’s automated translation engine — reportedly claimed the attack was motivated by the U.S. and Twitter’s interference in “my country,” suggesting the attacker was an individual.
Twitter is expected to issue a statement with further details late Friday. The company did not immediately respond to a request for comment.
“Twitter’s DNS records were temporarily compromised but have now been fixed,” the site administrators wrote at 11:28 p.m. PT last night. “We are looking into the underlying cause and will update with more information soon.”
Dyn is currently working with law enforcement to investigate the attack, Dyn’s York said.
If you have tips or insights on this topic, please contact SecurityFocus.