How Baidu Got Hacked by the Iranian Cyber Army
Wednesday, February 24th, 2010
Court documents show how imposter allegedly duped Register.com into handing over access to Baidu.com.
Last month visitors to Baidu.com were redirected to a page stating that the site had been hacked by the Iranian Cyber Army.
Baidu later sued Register.com for allegedly allowing a security intrusion that enabled the hackers to change the name servers for Baidu.com. But the original lawsuit redacted the essential facts about how the hackers got control of Baidu’s account at Register.com. Now an unredacted copy of the lawsuit is available (pdf).
What it alleges is stunning. Here’s how Baidu alleges the hacker got access to one of the world’s most popular web sites domain name account in under an hour:
1. Hacker starts online chat session with Register.com representative, claiming to be an agent of Baidu.
2. Register.com representative asks hacker to provide verification information. Hacker provides invalid information, but Register.com goes ahead and e-mails a security code to the email address it has on file for Baidu anyway.
3. The hacker doesn’t have access to that e-mail address, so he/she relays a bogus security code to the Register.com representative via chat. Baidu claims the representative didn’t bother to compare the code to the actual one.
4. Hacker asks Register.com representative to change email address on file to firstname.lastname@example.org, and representative does.
5. Hacker now uses “forgot password” link at Register.com to request the username and password to the account. Hacker can then log in and change the name servers.
This isn’t the first time a major corporation has had its nameservers changed thanks to a compromised domain account. But the details in how the account was allegedly compromised are stunning. It’s also unfortunate that, had Baidu used added security such as that offered by Moniker or Fabulous, this entire event could have been avoided.