
AVG, Avira and WhatsApp sites defaced by Palestinian hackers


4 replies to this topic

#1 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,926 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:44 PM

Posted 08 October 2013 - 01:11 PM

Source: TheRegister

The websites of freebie antivirus vendors AVG and Avira as well as mobile messaging service WhatsApp appear to have been hit by a DNS redirection attack today which sent users to pro-Palestinian websites.

A team of hacktivists calling themselves KDMS have claimed credit for the hacks.

 

Visitors to avg.com were greeted by a rendition of the Palestinian national anthem (via an embedded YouTube video) and a message from a pro-Palestinian group calling itself the KDMS Team, instead of the usual security tips and links to anti-malware downloads.

 

[...]

 

This is how Avira's website (www.avira.com) looks at the moment:

 

aviraredir.png

 

It's good to note that this is a DNS hijack. It means that the domain (for example avira.com) is being redirected to a different IP address (one where the hackers have hosted their image/message) and not to Avira's normal IP address.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft



 


#2 whoabuddy

whoabuddy

    Bleepin' Verbose


  • Malware Response Instructor
  • 2,036 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cottonwood, AZ
  • Local time:07:44 AM

Posted 08 October 2013 - 03:07 PM

I cannot imagine being a security company and having something like this happen, it would be a PR nightmare!  I had something similar come up with one of my clients, accessing their website provided the message below, and we had the web host restore the website from a backup (their words - makes me wonder if it was a similar issue).  As of right now AVG.com is back to normal and Avira.com is down from US West Coast - craziness! :crazy:

 

20130829_155947.jpg


Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE

#3 Netghost56

Netghost56

  • Members
  • 973 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:10:44 AM

Posted 08 October 2013 - 03:59 PM

From ibtimes.co.uk: @12:55 PM BST

 

 

Over the past 24 hours a group calling themselves Kdms Team has claimed responsibility for hacking six different websites, including the homepages of the hugely popular messaging service WhatsApp and the top free anti-virus provider AVG.

The group is aligned with the Anonymous movement and the messages posted on the compromised websites indicate the group's aim is to promote Palestinian viewpoints.

Other websites compromised include those belonging to security firm Avira, web analytics company Alexa, porn website RedTube and hosting provider Leaseweb.

A number of security experts have pointed out that all compromised sites share a common domain registrar - Network Solutions - which indicates the Kdms Team hackers compromised this network rather than the individual company websites.

Network Solutions were unavailable for comment on the situation.

Compromised

Seeming to confirm this theory is a blog post by Leaseweb on its compromise:

"Last weekend the leaseweb.com website was unfortunately a direct target of cybercriminals itself. For a short period of time some visitors of leaseweb.com were redirected to another, non-Leaseweb IP address, after the leaseweb.com DNS was changed at the registrar," Leaseweb said in a post written over the weekend.

417254.png
The message appearing on WhatsApp and AVG homepages following attack by Kdms Team hackers. (Twitter)

Identical messages (above) were posted on the homepages of AVG and WhatsApp, under the title: "You Got Pwned." The message from the pro-Palestinian group, reads:

"We want to tell you that there is a land called Palestine on the earth. This land has been stolen by Zionist. Palestinian people has the right to live in peace. Deserve to liberate their land and release all prisoners from Israeli jails. We want peace. Long live Palestine"

The group also embedded a YouTube clip of a patriotic rendition of the Palestinian national anthem.

Offline

The AVG website is currently not accessible as the company has no doubt taken it offline in order to fix the problem. The Avira and WhatsApp websites which were previously offline, are currently back in operation.

There is no suggestion that any customer data was compromised during any of the attacks.

Security researcher Graham Cluley said: "It's possible that the hackers managed to change the website's DNS records, redirecting anyone who attempted to visit www.whatsapp.com to a different IP address."

According to the Kdms Team Twitter account, the group yesterday compromised the porn website RedTube as well as the homepage of web analytics site Alexa, though both of these have now returned to normal operation it seems.

The emergence of KDMS Team follows the recent high-profile emergence of the Syrian Electronic Army, who have grabbed a lot of attention through their hacking of high-profile media outlets such as the Associated Press, Sky News and the BBC.


Edited by Netghost56, 08 October 2013 - 04:00 PM.


#4 Elise

Elise

    Bleepin' Blonde

  • Topic Starter

  • Malware Study Hall Admin
  • 60,926 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:44 PM

Posted 08 October 2013 - 04:08 PM

and we had the web host restore the website from a backup (their words - makes me wonder if it was a similar issue).  

 

In this case it seems that the affected sites' content isn't touched, it's just that the domain redirects to a different IP address, so instead of displaying Avira/AVG/WhatsApp's site, it displays the "hacked...." message.

 

Avira now redirects to their German product page btw and the hacked-message is no longer displayed.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 whoabuddy

whoabuddy

    Bleepin' Verbose


  • Malware Response Instructor
  • 2,036 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cottonwood, AZ
  • Local time:07:44 AM

Posted 08 October 2013 - 04:21 PM

Hi Elise,

In this case it seems that the affected sites' content isn't touched, it's just that the domain redirects to a different IP address, so instead of displaying Avira/AVG/WhatsApp's site, it displays the "hacked...." message.

Sorry that was the point I was trying to make, I wonder if the files were actually replaced or if the DNS was simply poisoned for my client, but the web designer did not give any specifics as to exactly what happened. Either way those are some high-traffic websites they targeted!

Best Regards,
whoabuddy
Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE
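
The question raised in this thread (was the site's content replaced on the server, or was the domain pointed at a different IP address?) can be answered from DNS observations taken at several resolvers. The following is an added example, not part of any post above; the baseline, resolver labels, host names and IP addresses are constructed, and `classify` is a hypothetical helper.

```python
# Added example: triage a suspected defacement from DNS observations.
# Every hostname, resolver label and IP (RFC 5737 ranges) is constructed.

BASELINE = {
    "ns": {"ns1.dns-host.example", "ns2.dns-host.example"},
    "a": {"192.0.2.10", "192.0.2.11"},
}

def classify(baseline, observations, page_defaced):
    """Return (verdict, resolvers_that_disagree_with_baseline).

    observations maps a resolver label to {"ns": set, "a": set} as that
    vantage point answered for the domain.
    """
    ns_off = {r for r, o in observations.items() if not o["ns"] <= baseline["ns"]}
    a_off = {r for r, o in observations.items() if not o["a"] <= baseline["a"]}
    off = sorted(ns_off | a_off)
    everyone = set(observations)

    if not off:
        # DNS still points at the real servers, so a defaced page means the
        # content itself was changed on the host.
        return ("origin-content-changed" if page_defaced else "clean", off)
    if ns_off == everyone:
        # Delegation differs everywhere: changed at the registrar or registry.
        return ("delegation-changed", off)
    if a_off == everyone and not ns_off:
        # Same name servers, different addresses: the zone data was edited.
        return ("zone-record-changed", off)
    # Only some vantage points disagree: poisoned caches, or a change that
    # is still propagating while old answers sit in caches until TTL expiry.
    return ("inconsistent-resolvers", off)

def obs(ns, a):
    return {"ns": set(ns), "a": set(a)}

GOOD = obs(BASELINE["ns"], BASELINE["a"])
ROGUE = obs({"ns1.rogue.example"}, {"203.0.113.66"})

SCENARIOS = {
    "registrar hijack": ({"r1": ROGUE, "r2": ROGUE, "r3": ROGUE}, True),
    "server defaced": ({"r1": GOOD, "r2": GOOD, "r3": GOOD}, True),
    "one bad cache": ({"r1": GOOD, "r2": ROGUE, "r3": GOOD}, True),
    "zone edited": ({"r1": obs(BASELINE["ns"], {"203.0.113.66"}),
                     "r2": obs(BASELINE["ns"], {"203.0.113.66"})}, True),
}

if __name__ == "__main__":
    for name, (observations, defaced) in SCENARIOS.items():
        print(name, "->", classify(BASELINE, observations, defaced))
```

A "delegation-changed" verdict matches what Leaseweb described (DNS changed at the registrar), and restoring web files from backup would not fix it; the registrar account and name server delegation have to be corrected.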



