How Baidu Got Hacked by the Iranian Cyber Army

Court documents show how imposter allegedly duped Register.com into handing over access to Baidu.com.

Last month visitors to Baidu.com were redirected to a page stating that the site had been hacked by the Iranian Cyber Army.

Baidu later sued Register.com for allegedly allowing a security intrusion that enabled the hackers to change the name servers for Baidu.com. But the original lawsuit redacted the essential facts about how the hackers got control of Baidu’s account at Register.com. Now an unredacted copy of the lawsuit is available (pdf).

What it alleges is stunning. Here’s how Baidu alleges the hacker got access to the domain name account of one of the world’s most popular web sites in under an hour:

1. Hacker starts online chat session with Register.com representative, claiming to be an agent of Baidu.

2. Register.com representative asks hacker to provide verification information. Hacker provides invalid information, but Register.com goes ahead and e-mails a security code to the email address it has on file for Baidu anyway.

3. The hacker doesn’t have access to that e-mail address, so he/she relays a bogus security code to the Register.com representative via chat. Baidu claims the representative didn’t bother to compare the code to the actual one.

4. Hacker asks Register.com representative to change email address on file to antiwahabi2008@gmail.com, and representative does.

5. Hacker now uses “forgot password” link at Register.com to request the username and password to the account. Hacker can then log in and change the name servers.
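The five steps above describe a verification process in which every check that should have stopped the request was skipped. The following added example (not code from the original post, from Register.com, or from Baidu) models that process in Python from the registrar's side: a `lax_support_flow` that skips the checks the complaint says were skipped, beside a `hardened_support_flow` in which each check gates the next. The account record, mailbox, verification answer and email addresses are constructed sample values, and the `caller_reads_code` callback is a hypothetical stand-in for the caller relaying a code over chat.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    """Constructed stand-in for a registrar's account record (sample data only)."""
    domain: str
    contact_email: str
    verification_answer: str  # e.g. a PIN or passphrase on file
    pending_codes: dict = field(default_factory=dict)  # email on file -> one-time code


def send_code_by_email(account, mailbox):
    """Generate a one-time code and deliver it only to the address on file.

    `mailbox` is a constructed dict {address: [codes]} standing in for real e-mail delivery.
    """
    code = secrets.token_hex(4)
    account.pending_codes[account.contact_email] = code
    mailbox.setdefault(account.contact_email, []).append(code)
    return code


def lax_support_flow(account, mailbox, claimed_answer, caller_reads_code, new_email):
    """Models the sequence alleged in the complaint: every check is performed but ignored."""
    # Step 2: the caller's verification info is wrong, but a code is e-mailed anyway.
    _answer_ok = claimed_answer == account.verification_answer  # result never used
    send_code_by_email(account, mailbox)
    # Step 3: the code the caller relays is never compared with the code that was sent.
    _relayed = caller_reads_code(mailbox)  # result never used
    # Step 4: the address on file is changed on request, so a later password reset
    # (step 5) goes to the caller instead of the account owner.
    account.contact_email = new_email
    return True


def hardened_support_flow(account, mailbox, claimed_answer, caller_reads_code, new_email):
    """Each check gates the next; any failure ends the request before state changes."""
    # Step 2: wrong verification info ends the session before any code is sent.
    if not hmac.compare_digest(claimed_answer.encode(), account.verification_answer.encode()):
        return False
    # The code goes only to the address already on file (out-of-band channel).
    expected = send_code_by_email(account, mailbox)
    # Step 3: the relayed code must equal the code actually e-mailed (constant-time compare).
    supplied = caller_reads_code(mailbox)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False
    account.pending_codes.pop(account.contact_email, None)  # one-time use
    # Step 4: only a caller who passed both checks may change the contact address.
    account.contact_email = new_email
    return True


def simulate_impostor(flow):
    """An impostor with a wrong answer and no access to the owner's mailbox (constructed)."""
    account = Account("example.test", "admin@example.test", "correct-answer")
    mailbox = {}
    # The impostor cannot read admin@example.test, so relays a made-up code.
    ok = flow(account, mailbox, "wrong-answer", lambda mb: "00000000", "attacker@example.test")
    return ok, account.contact_email


def simulate_owner(flow):
    """The legitimate owner: right answer, reads the code from the mailbox on file (constructed)."""
    account = Account("example.test", "admin@example.test", "correct-answer")
    mailbox = {}
    ok = flow(account, mailbox, "correct-answer",
              lambda mb: mb["admin@example.test"][-1], "newadmin@example.test")
    return ok, account.contact_email


if __name__ == "__main__":
    for name, flow in (("lax", lax_support_flow), ("hardened", hardened_support_flow)):
        print(name, "impostor ->", simulate_impostor(flow), "| owner ->", simulate_owner(flow))
```

Run stand-alone, the lax flow hands the impostor control of the contact address while the hardened flow leaves it with the owner; the owner succeeds under both, which is why a skipped check is invisible in day-to-day use and only shows up in an audit or an incident. The point of the hardened version is ordering: nothing is sent and nothing is changed until the previous check has actually been evaluated.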

This isn’t the first time a major corporation has had its nameservers changed thanks to a compromised domain account. But the details of how the account was allegedly compromised are stunning. It’s also unfortunate that, had Baidu used added security such as that offered by Moniker or Fabulous, this entire event could have been avoided.

Further Reading:

  1. Baidu Sues Register.com Over Hacking Incident
  2. Court Ruling on Baidu v. Register.com Has Implications for Domain Registrars
  3. Register.com: Baidu Can’t Sue Us for Negligence. It’s In Our Contract.



Comments

  1. February 24th, 2010 | 5:09 pm

    Was the person from Register.com live chat on CRACK? Hello…

    Maybe an inside job?

    It just seems so odd that steps 2-4 took place with any right-minded person. Glad I do not have any domains with Register.com.

  2. February 24th, 2010 | 5:20 pm

    Jamie – it’s a monotonous job, I’m sure. If they do 50 security codes a day, they probably don’t pay much attention to them.

  3. domain guy
    February 24th, 2010 | 6:07 pm

    I used to use register.com but switched to godaddy. Every time I contact godaddy there is a rigorous test to answer questions to verify my validity to the account. Recently godaddy started asking for the last 6 digits on my credit card. It used to be over the last 10 yrs the last 4 digits were sufficient. Consistently upgrading internal security procedures by godaddy.

  4. jeff
    February 24th, 2010 | 8:14 pm

    This happened to me before with RegisterFly. I didn’t have the same email but they sent me the codes anyway without checking.

  5. February 24th, 2010 | 8:29 pm

    Amazzzing! How do you hijack a domain? You simply lie to a support rep in register.com!

  6. Steve M
    February 24th, 2010 | 10:03 pm

    …leaving Register.com with no choice but to stridently declare that Halvarez DOES NOT work for them. ;-)

  7. February 24th, 2010 | 11:14 pm

    [...] Domain Name Wire explains the hi-tech coding techniques used to perpetrate the crime: Here’s how Baidu alleges [...]

  8. February 25th, 2010 | 12:59 am

    It is social engineering. And it is the only & best way to penetrate, because organizations take care of infrastructure security and forget the humans. People are the weakest link in security.

  9. February 25th, 2010 | 2:27 am

    [...] the username and password to the account. Hacker can then log in and change the name servers. Domain Name Wire mentioned that this isn’t the first time a major corporation has had its nameservers changed [...]

  10. Paul
    February 25th, 2010 | 9:33 am

    Kedaar – “People are the weakest link in security.” I disagree – the best computer in the room is still your brain…if you use it. If the computer is in sleep mode, then you get zzzzzzzzz

  11. February 25th, 2010 | 10:01 am

    The irony hit me last night. Register.com makes us call in to transfer out a domain name under the guise of ‘security’.

    I’d rather leave that to the traditional registrar transfer method, rather than letting a Register.com rep get duped into handing over my authorization keys.

  12. Marg
    February 25th, 2010 | 10:40 am

    Hi Andrew, Interesting post indeed, for one who has had to slog through the manual Register.com transfer-out process several times. Have you managed to get any comment or explanation from Register.com? Or have they just cloaked themselves in the all-purpose “privacy” excuse for not responding?

  13. February 25th, 2010 | 11:06 am

    @ Marg – the response has always been that it’s about security.

  14. February 25th, 2010 | 7:05 pm

    [...] allowing a security intrusion that enabled the hackers to change the site’s name servers. Today domainnamewire.com published the complaint documents of the case. This is the part where it gets unbelievable. It [...]

  15. February 26th, 2010 | 5:40 pm

    When virus attacks were increasing, I had a theory (and I am sure most of you had the same one) that some Anti-virus businesses were behind the virus attacks and then started selling AV products.

    Nowadays you have to “buy” protection against unauthorised access (SSL certificates and all the others) to your websites. Isn’t that a new way to make money?

  16. March 1st, 2010 | 11:51 am

    [...] release of the unredacted complaint was reported earlier by Domain Name Wire, which posted a copy of the [...]

  17. John Doe
    March 7th, 2010 | 5:15 pm

    Interesting Article and Comments.

    1. However, what proof does Baidu have to support this rep accusation at register.com?

    2. Why would Baidu even use a service like register when you have more premium services like dyn.com (yes, twitter, move on).

    3. More importantly, where is register’s marketing team? They should be here posting and following on this article, right?

  18. March 7th, 2010 | 8:52 pm

    @ John Doe

    1. These are pretty specific accusations that Baidu could only know if Register.com disclosed it to Baidu.

    2. Even if you use something like DynDNS, if someone gets access to your registrar account they can change your DNS.

    3. Don’t know.

  19. April 3rd, 2010 | 9:53 am

    [...] Dreamhost’s automated systems that are to blame. It was a human mess up, just like when Baidu’s DNS was hijacked. A number of registrars and web hosting companies add human elements to security systems, thinking [...]

  20. April 7th, 2010 | 9:53 am

    [...] a couple recent high profile domain thefts, and the recent hijacking of Baidu’s nameserver settings, I reached out to VeriSign Chief Technology Officer Ken Silva to learn what VeriSign [...]

  21. May 14th, 2010 | 8:26 am

    [...] Dreamhost’s automated systems that are to blame. It was a human mess up, just like when Baidu’s DNS was hijacked. A number of registrars and web hosting companies add human elements to security systems, thinking [...]

  22. June 17th, 2010 | 8:58 am

    [...] Web.com is also inheriting a lawsuit filed by Chinese search engine Baidu. Baidu’s account was compromised and nameservers changed, apparently due to lax security controls by one of Register.com’s [...]

  23. June 17th, 2010 | 3:05 pm

    [...] acquisition Web.com is also inheriting a lawsuit filed by Chinese search engine Baidu. Baidu’s account was compromised and nameservers changed, apparently due to lax security controls by one of Register.com’s [...]

  24. July 22nd, 2010 | 11:25 am

    [...] tried to do in a lawsuit brought by Baidu. If all the allegations are true, Register.com really screwed up on this one. Yet it claimed Baidu couldn’t hold it accountable because it agreed so in the terms of [...]

  25. January 4th, 2011 | 6:03 am

    [...] that Godaddy account where usadotgov.net is registered, they can modify/transfer/push that domain (it has happened to high profile domains before [to note baidu.com is now at MarkMonitor]). From there they can do anything they want such as [...]

  26. January 10th, 2011 | 12:24 pm

    [...] that GoDaddy account where usadotgov.net is registered, they can modify/transfer/push that domain (it has happened to high profile domains before [to note baidu.com is now at MarkMonitor]). From there they can do anything they want such as [...]

  27. January 25th, 2011 | 5:02 pm

    I agree with Paul’s comments.
