A DNS poisoning attack, allegedly carried out by a “hacktivist” protesting labor conditions for Bangladeshi workers in Malaysia, has redirected visitors of those sites to servers under the control of a hacker using the name “TiGER-M@TE”.

Among the companies affected by the attack are the Malaysian (.com.my) domains of several American corporations, including Google and YouTube; Microsoft’s Malaysian Skype, Bing, and MSN sites, Dell Malaysia, and the anti-virus company Kaspersky.

Unlike many hacking attacks, DNS poisoning does not involve a direct attack on the servers of the targets, rather it relies on weaknesses within the Domain Name System to replace valid DNS entries with those that cause web users to be connected to the hacker’s servers. The attack was directed at Malaysian domains and didn’t impact subdomains and directories on domains outside of the .my TLD: dell.com/malaysia for example.

Because the attack was directed against the DNS system and not the servers hosting the companies’ sites, it’s thought that there is no danger of user data having been leaked to the hackers.

DNS poisoning, also called DNS spoofing, works by infecting the caches of DNS servers with false data. The Domain Name System matches a URL with an IP address. Those mappings are kept on authoritative domain name servers. However, to reduce the overhead of repeatedly querying the authoritative servers, a user’s DNS server, usually provided by the organization from which the user is connecting to the Internet or their ISP, will cache the results of DNS queries.

If the hacker introduces misleading data into those caches containing their own preferred mapping of URL to IP, then the caches have been poisoned. In this way, browsers can be tricked into sending Internet users to the destination of the hacker’s choice.

Cache poisoning is possible because many recursive DNS servers don’t verify the source of the data they receive in response to queries. Various mitigation technologies exist that verify the authenticity of query results with cryptographic signatures, but they are not widely deployed because of the data overhead they impose, particularly during Distributed Denial Of Service attacks. It’s also possible to mitigate cache poisoning attacks by validating the connection between the browser and server in the transport and application layer after the connection has been made: sites that allow connections using HTTPS can verify the validity of their servers with digital certificates.


Also published on Medium.