Google, Microsoft, LinkedIn hacked in Kenyan DNS hijack
By Dennis Mbuvi
Kenyan domains belonging to Google, Microsoft, LinkedIn, HP, Dell and Kaspersky were among domains recently hit by a DNS hijacking attempt. Users visiting the websites were redirected to a site belonging to a Bangladeshi hacker known as TiGER-M@TE which had the message that the site had been hacked.
Domains affected include google.co.ke, dell.co.ke, skype.co.ke, msn.co.ke, bing.co.ke, linkedin.co.ke, hp.co.ke, westernunion.co.ke, kaspersky.co.ke, microsoft.co.ke, youtube.co.ke and markmonitor.co.ke.
The global domains of the same companies, such as google.com and microsoft.com, were however not affected in the attack.
All the affected domains have their Domain Name System (DNS) servers hosted by a Nairobi-based firm known as Footprint Computer Solutions Limited. The hacker appears to have gained access to the server belonging to Footprint Solutions in his trademark manner: once inside, he changes the IP addresses of all the hosted domains so that they point to the hacker's own server.
Websites are hosted on computers bearing numbered IP addresses such as 220.127.116.11, which belongs to google.co.ke. Users, however, don't easily remember numbers and instead use names to reach servers, such as "google.co.ke" or "google.com". IP addresses are usually four sets of 2 or 3 digits for IP version 4. A newer version, IP version 6, which replaces IPv4, contains eight sets of 4 letters or digits per set.
Without DNS servers, users would have to memorise and type https://[2620:0:1cfe:face:b00c::3] for IPv6 or https://18.104.22.168 for the current IPv4 every time they wanted to visit https://facebook.com.
A DNS server is similar to a telephone directory which lists people and their phone numbers, in this case listing website names and their server IP addresses. When a user types in google.co.ke, a DNS server translates google.co.ke to 22.214.171.124. Networks then carry the traffic between the user's computer and 126.96.36.199 (google.co.ke).
The hacker was able to instead make google.co.ke and the other sites point to his own IP address, which CIO East Africa is yet to determine at the moment. TiGER-M@TE has previously hacked into other DNS registrars of major domains in other countries. TiGER-M@TE recently did a similar DNS hijack in Malawi, targeting Google and Microsoft yet again in addition to Yahoo.
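The pattern described above, a single compromised DNS host repointing many unrelated domains at one new address, is exactly what a defender can watch for. The script below is an added example, not code from the article or from any of the firms named in it: it parses constructed `dig`-style answer lines, compares them against a constructed baseline of expected A records, and raises an alert when several domains drift to the same unexpected address (all addresses are placeholders from documentation ranges).

```python
"""Detect the bulk-redirect signature of a DNS hijack: many domains
suddenly resolving to one address that none of them used before."""
from collections import defaultdict

# Constructed baseline: the addresses each domain is known to resolve to.
# Placeholder addresses from the 192.0.2.0/24 documentation range.
BASELINE = {
    "google.co.ke": {"192.0.2.10"},
    "microsoft.co.ke": {"192.0.2.20"},
    "linkedin.co.ke": {"192.0.2.30"},
    "example-bank.co.ke": {"192.0.2.40"},
}

def parse_dig_lines(lines):
    """Parse answer-section lines of `dig` output (name ttl class type rdata)
    into {name: set(addresses)}, keeping only A records."""
    observed = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[3] != "A":
            continue
        observed[parts[0].rstrip(".")].add(parts[4])
    return observed

def find_drift(baseline, observed):
    """Return {domain: addresses} for every observed address not in the baseline."""
    drift = {}
    for name, expected in baseline.items():
        unexpected = observed.get(name, set()) - expected
        if unexpected:
            drift[name] = unexpected
    return drift

def bulk_redirect_targets(drift, min_domains=3):
    """Addresses that turn up as unexpected records for at least `min_domains`
    different domains: one address absorbing many domains points at the
    DNS host rather than at any single site."""
    hit_by = defaultdict(set)
    for name, addrs in drift.items():
        for addr in addrs:
            hit_by[addr].add(name)
    return {a: sorted(n) for a, n in hit_by.items() if len(n) >= min_domains}

# Constructed sample answers, in dig's answer-section format, after a hijack.
SAMPLE_DIG = [
    "google.co.ke.       300 IN A 203.0.113.66",
    "microsoft.co.ke.    300 IN A 203.0.113.66",
    "linkedin.co.ke.     300 IN A 203.0.113.66",
    "example-bank.co.ke. 300 IN A 192.0.2.40",
]

if __name__ == "__main__":
    drift = find_drift(BASELINE, parse_dig_lines(SAMPLE_DIG))
    for addr, names in bulk_redirect_targets(drift).items():
        print(f"ALERT: {len(names)} domains now resolve to {addr}: {', '.join(names)}")
```

A single domain changing address is routine hosting churn; the alert only fires when the same unexpected address shows up across several domains, which is the registrar- or DNS-host-level compromise the article describes.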
It is not clear how Footprint Computer Solutions came to manage such a high number of Kenyan domains for global Internet firms. Calls to the company went unanswered.
While the hacker here appears to be hacking for fun and to expose vulnerabilities on the target, the hacker could have instead set up replicas of the target site which would have been indistinguishable from the original sites. The hacker would have then proceeded to ask users to "log-in" thus collecting critical information such as usernames and passwords.
Bitcoin, the widely known digital currency, was recently hit by a similar attack, where hackers used security questions such as "mother's maiden name" and "year of birth" to hijack a related domain name.