The IE Domain Registry have requested assistance from the Garda Bureau of Fraud Investigation after two of Ireland’s most popular websites were taken offline for several hours on Monday afternoon. In a statement, the IE Domain Registry (IEDR) confirmed, “There was a security incident on Tuesday 9th October, involving two high profile .ie domains”.
The two domain names are Google.ie and Yahoo.ie, both of which are managed by the registrar MarkMonitor. In an email sent to all registrars, David Curtin, IEDR Chief Executive, said, “There was an unauthorised access to one Registrar’s account which resulted in the change to the DNS nameserver records for the two .ie domains. The IEDR worked with the Registrar to ensure that the nameserver records were reset and corrected promptly.”
Serious questions are being raised about how this breach occurred. Security experts have suggested that the login details for the IEDR registrar console may have been ‘socially engineered’: for example, an attacker pretending to represent MarkMonitor could have manipulated the IEDR into handing over login details for the Registrar console website, which is where the nameservers for a .ie domain are configured.
There is also serious concern about the specific DNS nameservers the attacker configured. Both are located in Indonesia and are used by well-known hacking websites. The nameserver records held at the registry decide which servers answer DNS queries for a domain, so whoever controls those servers decides which addresses visitors are sent to; it is therefore possible that visitors to Google.ie and Yahoo.ie were brought to a fake website purporting to be the real Google or Yahoo site. Such a site could have gathered user information or prompted users to download malware. Peter Armstrong from Irish webhosting provider Spiral Hosting said, “Luckily there haven’t been any reports of any malware or viruses coming from the two websites. The sites were timing out and we suspect the hacker’s webservers were overwhelmed; they couldn’t cope with the volume of traffic Google and Yahoo would normally receive. Luckily, the IEDR were quick to restore the correct DNS nameservers on both domain names and minimise the disruption caused. Luckily, other websites like Microsoft.ie, which is also managed by MarkMonitor, were not affected. It’s all very lucky. It is a security disaster but it could have been much worse. If website visitors had been infected with malware, Google, Yahoo, MarkMonitor and the IEDR could have been dealing with a security catastrophe.”
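A registry-level nameserver change like this one is visible from the outside: the delegation for the domain suddenly points at servers, and IP ranges, that the owner never configured. The script below is an added example of a nameserver-drift check and is not code from the IEDR, MarkMonitor or anyone quoted above. The expected nameserver set, the expected network range, the attacker hostnames (`ns1.attacker.example`) and the `203.0.113.0/24` addresses are all constructed for the example, not data from the incident.

```python
"""Nameserver-drift check: flag a domain whose delegation no longer matches
its expected nameservers or whose nameservers resolve outside expected networks.

Added example, not from the IEDR or any party in the story. The pure
functions work on `dig +short`-style text so the check runs offline; the
`live_check` helper shells out to `dig` for real use.
"""
import ipaddress
import subprocess

# Expected delegation per domain. The nameserver names are Google's public
# ones; the network range is an assumption made for this example, not an
# authoritative statement about where those servers live.
EXPECTED = {
    "google.ie": {
        "ns": {"ns1.google.com.", "ns2.google.com.",
               "ns3.google.com.", "ns4.google.com."},
        "nets": ["216.239.32.0/19"],
    },
}

# Constructed sample `dig +short` outputs (not captured from the incident).
NORMAL_NS = "ns1.google.com.\nns2.google.com.\nns3.google.com.\nns4.google.com.\n"
NORMAL_A = {
    "ns1.google.com.": "216.239.32.10\n",
    "ns2.google.com.": "216.239.34.10\n",
    "ns3.google.com.": "216.239.36.10\n",
    "ns4.google.com.": "216.239.38.10\n",
}
HIJACKED_NS = "ns1.attacker.example.\nns2.attacker.example.\n"
HIJACKED_A = {
    "ns1.attacker.example.": "203.0.113.10\n",   # TEST-NET-3, constructed
    "ns2.attacker.example.": "203.0.113.11\n",
}


def parse_dig_short(output):
    """Turn `dig +short` output into a list of lowercased, dot-terminated names
    or bare IP strings, skipping blank lines and ';' comment lines."""
    names = []
    for line in output.splitlines():
        line = line.strip().lower()
        if not line or line.startswith(";"):
            continue
        # dig prints hostnames with a trailing dot; normalise in case a caller
        # hand-built the input without one (IP addresses never get a dot).
        if not line.endswith(".") and not line.replace(".", "").isdigit():
            line += "."
        names.append(line)
    return names


def check_delegation(domain, ns_output, a_outputs, expected=EXPECTED):
    """Compare observed NS records (and their A records) against EXPECTED.

    ns_output: text of `dig +short NS <domain>`.
    a_outputs: dict mapping each observed nameserver to the text of
               `dig +short A <nameserver>`.
    Returns a list of human-readable findings; empty means no drift.
    """
    exp = expected[domain]
    observed = set(parse_dig_short(ns_output))
    findings = []
    for ns in sorted(observed - exp["ns"]):
        findings.append(f"unexpected nameserver {ns}")
    for ns in sorted(exp["ns"] - observed):
        findings.append(f"expected nameserver missing {ns}")
    nets = [ipaddress.ip_network(n) for n in exp["nets"]]
    for ns in sorted(a_outputs):
        for ip in parse_dig_short(a_outputs[ns]):
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in nets):
                findings.append(
                    f"nameserver {ns} resolves to {ip} outside expected networks")
    return findings


def dig_short(rrtype, name, server=None):
    """Run `dig +short` and return its stdout. Needs network access and dig.
    Pass server (e.g. a .ie TLD server) to query the delegation at the parent
    rather than whatever a caching resolver still holds."""
    cmd = ["dig", "+short"]
    if server:
        cmd.append("@" + server)
    cmd += [rrtype, name]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def live_check(domain, server=None, expected=EXPECTED):
    """Query the live delegation for `domain` and report drift."""
    ns_out = dig_short("NS", domain, server)
    a_outs = {ns: dig_short("A", ns) for ns in parse_dig_short(ns_out)}
    return check_delegation(domain, ns_out, a_outs, expected)


if __name__ == "__main__":
    # Offline demonstration on the constructed hijacked sample.
    for finding in check_delegation("google.ie", HIJACKED_NS, HIJACKED_A):
        print(finding)
```

Two practical points for anyone running this against a real domain: query the TLD's own authoritative servers (find them with `dig NS ie`) rather than a caching resolver, because a hijack at the registry can sit behind cached answers until the old records' TTL expires; and treat a change in the nameservers' IP ranges as seriously as a change in their names, since an attacker who controls the nameservers also controls every hostname under the domain, not just the website.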
At this point MarkMonitor have not made any comment, and the IEDR are either still uncertain about what happened or not yet ready to confirm whether their own systems were breached. There is no doubt, however, that the IEDR are taking the issue seriously. They have brought in an external security company to investigate the incident, they have requested assistance from the Garda BFI, and at 10pm on Monday, “based on the results of the investigation and the recommendation of security experts”, they took most of their systems offline “in order to perform additional analysis”. We suspect taking the systems offline will also prevent further unauthorised access from taking place overnight.