Twitter Hacked - could it happen to you?

On 12/17/2008 around 7:00 PM EST, Twitter.com was hacked by a group claiming to be the Iranian Cyber Army. The actual attack was a DNS hijacking (or DNS poisoning) that resulted in Twitter users being directed to a page of the attackers' choosing. Here is what they posted:


This old-school defacement was actually carried out by 'hijacking' the site's DNS. How they accomplished this is still unknown; the fact is that they did. What exactly is DNS poisoning or hijacking?

Quite simply, when your desktop or any other Internet-enabled device wants to talk to another computer or device, you would typically put in the domain name, www.domain.com for instance. If you had 'recently' visited this site, then the cache (arp cache) on your machine or server would likely already have its IP address. If not, it will ask its DNS, or Domain Name Server, for help. The DNS server follows the trail to find the target, domain.com's DNS server, and in theory returns to you the IP address of domain.com.

In Twitter's case, the group signing as iRANiAN.CYBER.ARMY@... penetrated Twitter and replaced its DNS servers with servers of their own choosing. The same technique is used in many phishing scams to redirect you to a 'fake' but very real-looking page. The unsuspecting person browsing would carry on their work (say, banking), all the while handing the bad guys their real details. A super clever hacker would quietly record this and then log you into the bank; you would never know. They have your passwords, and you are happy. A bad situation.

What is interesting is that the only redirect appears to have been to this stupid page, complete with their email address (attention Google, are you looking?). They could have directed the Twittersphere to a malware site (this may have been one), or put up a fake Twitter login page to scam usernames and passwords or more.

That brings me to this: have you tested the integrity of the DNS for your servers? Cricket Liu, a recognized authority on DNS, has a set of tools and services available to help you check your site. Give your DNS infrastructure a good look, and if you think you aren't vulnerable, remember that Twitter was; maybe you should look again.
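As an added illustration of the kind of DNS integrity check the post recommends (this is example code, not the post's or Cricket Liu's tooling), the standard-library Python below builds a raw DNS query, parses the NS and A records out of a reply, and reports any record that is not in your expected baseline. The baseline names, the 192.0.2.10 address and the sample reply are all constructed for the example; the reply shows a zone whose second nameserver has been swapped for one the owner never configured.

```python
import socket
import struct

# Constructed baseline (hypothetical names): the NS and A records your zone is supposed to serve.
EXPECTED = {"ns": {"ns1.example.com.", "ns2.example.com."}, "a": {"192.0.2.10"}}

def build_query(name, qtype, txid=0x1234):  # RD=0, so an authoritative server answers from its zone
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (dotted name, offset just past the field)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: note where this field ends, then jump
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def parse_answers(msg):
    """Collect the NS and A records from the answer section of a raw DNS response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = read_name(msg, off)[1] + 4
    found = {"ns": set(), "a": set()}
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:
            found["a"].add(socket.inet_ntoa(msg[off:off + 4]))
        elif rtype == 2:
            found["ns"].add(read_name(msg, off)[0])
        off += rdlen
    return found

def discrepancies(found, expected=EXPECTED):  # records served that are not in the baseline: alert on these
    return {k: found[k] - expected[k] for k in expected if found[k] - expected[k]}

# Constructed sample: an authoritative NS reply for example.com where one nameserver was swapped for
# ns.example.net (header, question, two NS answers; c00c is a compression pointer back to offset 12).
SAMPLE_NS_RESPONSE = bytes.fromhex(
    "123484000001000200000000076578616d706c6503636f6d0000020001c00c000200010000012c0006036e7331c00c"
    "c00c000200010000012c0010026e73076578616d706c65036e657400")
```

To run it live, send `build_query("yourdomain.com.", 2)` over UDP port 53 to each nameserver you believe is authoritative for your zone, feed each raw reply to `parse_answers()`, and treat any non-empty `discrepancies()` result as a sign that someone else is answering for your domain.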

If you are running a retail Joomla site and a hacker were to hijack your DNS, he could easily grab your user IDs and potentially grab credit card data or more. Security is holistic and not just at the Joomla! level.

You can reach Cricket Liu's site here. And here is a short white paper on DNS to help you better understand how DNS works.