Photobucket's DNS records hijacked by Turkish hacking group

Summary: Yesterday, Photobucket, the world's most popular photo sharing site according to Hitwise, had its DNS records hijacked to return a hacked page courtesy of the NetDevilz hacking group, a Turkish web site defacement group most widely known for its defacement of the adult video site Redtube earlier this year.


Yesterday, Photobucket, the world's most popular photo sharing site according to Hitwise, had its DNS records hijacked to return a hacked page courtesy of the NetDevilz hacking group, a Turkish web site defacement group most widely known for its defacement of the adult video site Redtube earlier this year. Photobucket users across the world are reporting minor outages of the service and problems when trying to access their accounts, the consequence of what looks like the type of DNS records hijacking that redirected Comcast.net to a third-party domain last month.

Third-party site monitoring services indicate that the site was down for 15 minutes yesterday, from 17:39:39 to 17:55:10, whereas according to a comment left by a Photobucket Forum Support representative, the downtime due to the propagation of the corrected DNS entries was longer:

"On Tuesday afternoon, some users that typed in the Photobucket.com URL were temporarily redirected to an incorrect page due to an error in our DNS hosting services. The error was fixed within an hour of its discovery, but due to the nature of the problem, some users will not have access to Photobucket for a few hours as the fix rolls out. It is important to note that only a portion of Photobucket users encountered the problem and that no Photobucket content, password information or other personal information was affected by the redirect."

The NetDevilz hacking group left the following message, which appears to have been loading from a third-party domain, atspace.com in this case:

"... and NeTDevilz is on stage again

Does anyone remember us? We thought we had been forgotten and decided to remind you again! ( Turkish hackers group )

ZeberuS - GeCeCi - MiLaNo - The_BeKiR - h4ckinger - SerSaK - KinSize

we are came back ! ©2008 NetDevilz Co. We're not first,But We're the BEST!"

The hacking group appears to have been using the hosting services of atspace.com, the web hosting service of Zetta hosting solutions, and users of Photobucket attempting to access the site with the old DNS entries are still being redirected to a default hosting ad page within atspace.com. The effect of the redirection can also be seen by taking a peek at the publicly obtainable stats for atspace.com, where the sudden peak in traffic resulting in 118,864 visitors for today came from the default ad page used in the redirection.

With this being the second DNS hijacking attack against a high-profile domain in recent months, it seems that adaptive malicious parties unable to directly compromise a site will continue taking advantage of good old-fashioned DNS hijacking, if only to prove that it's still possible even on a high-profile domain using the services of a Tier 1 domain registrar.
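
The gap between the 15-minute monitored outage and the hours-long tail in Photobucket's statement comes from resolver caching of the hijacked records. The following is an added example, not code from the original article or from Photobucket: it flags DNS answers that drift from a pinned baseline and estimates how long caches can keep serving them after the zone is corrected. The zone name, resolver names, addresses, TTLs and timestamps are constructed, and it assumes resolvers honor the TTL they were given.

```python
"""Detect DNS record drift against a pinned baseline and estimate how long
resolver caches can keep serving the bad answer after the zone is fixed.
All names, addresses, TTLs and timestamps below are constructed samples."""
from dataclasses import dataclass

# Pinned known-good records for the monitored zone (hypothetical values).
BASELINE = {
    ("photos.example", "NS"): {"ns1.dnshost.example", "ns2.dnshost.example"},
    ("photos.example", "A"): {"192.0.2.10", "192.0.2.11"},
}

@dataclass(frozen=True)
class Observation:
    resolver: str      # vantage point that answered
    seen_at: int       # seconds since monitoring started
    name: str
    rtype: str
    values: frozenset  # rdata returned
    ttl: int           # TTL the resolver reported, in seconds

# Constructed answers from three vantage points around a hijack.
OBSERVATIONS = [
    Observation("resolver-a", 0, "photos.example", "A", frozenset({"192.0.2.10"}), 300),
    Observation("resolver-b", 600, "photos.example", "A", frozenset({"203.0.113.66"}), 14400),
    Observation("resolver-c", 900, "photos.example", "NS", frozenset({"ns1.rogue.example"}), 86400),
    Observation("resolver-a", 1500, "photos.example", "A", frozenset({"192.0.2.11"}), 300),
]

def find_drift(baseline, observations):
    """Return observations whose rdata is not fully inside the baseline set."""
    drift = []
    for obs in observations:
        allowed = baseline.get((obs.name, obs.rtype))
        if allowed is not None and not obs.values <= allowed:
            drift.append(obs)
    return drift

def cache_exposure_end(drifted):
    """Latest moment a cached bad answer may still be served (seen_at + ttl)."""
    return max((o.seen_at + o.ttl for o in drifted), default=None)

def report(baseline, observations, fixed_at):
    """Summarize alerts and the cache tail remaining after the fix time."""
    drifted = find_drift(baseline, observations)
    end = cache_exposure_end(drifted)
    tail = max(0, end - fixed_at) if end is not None else 0
    return {"alerts": [(o.resolver, o.rtype, sorted(o.values)) for o in drifted],
            "exposure_end": end, "tail_after_fix": tail}

if __name__ == "__main__":
    print(report(BASELINE, OBSERVATIONS, fixed_at=3600))
```

In this constructed data the zone is corrected one hour in, yet the rogue NS answer cached with a one-day TTL keeps the exposure window open for most of a day, which is why monitoring from several resolvers matters more than checking the authoritative servers alone.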

Topic: Networking

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

22 comments
  • Just wait until Paypal gets hijacked

    So far this has just been child's play. Sooner or later there's going to be some serious financial consequences, and not just for the site owners.
    Michael Kelly
  • RE: Photobucket's DNS records hijacked by Turkish hacking group

    That's all very well... but where the heck is MY Bucket? I still have no access and cannot see anyone's pictures on other websites that are hosted with PhotoBucket!!! Why NOT?

    I am not the only one still suffering for this issue!!!!
    laralynzy@...
  • RE: Photobucket's DNS records hijacked by Turkish hacking group

    Oh please don't give them ideas...
    laralynzy@...
  • RE: Photobucket's DNS records hijacked by Turkish hacking group

    I think that when we find out who these people are, that they be put behind bars, for no less than 10 years, without probation. That would deter them. Or, we can do what Iran/Islam does - cut their heads off.
    rsherry@...
    • won't solve the problem either

      by doing that, they won't think like "oh, we shouldn't do this
      anymore. let's sober". they're more likely to think "how are we
      doing this again, without getting traced or caught".
      sfazly
    • Or do what the US does...

      Waterboard them...

      No, come to think of it, that may be a bit extreme considering it only inconveniences you for an hour or so to get your photos...
      Marty R. Milette
      • Harsh

        ... but not as harsh as "We have actually gotten on a plane and visited the physical location where the attacks began. We've broken in, stolen the computers and left a note: 'See how it feels?' " On one occasion, he says: "We had to resort to baseball bats. That's what these punks will understand. Then word gets around, and we're left alone. That's all we want, to be left alone."

        http://www.cnn.com/TECH/computing/9901/12/cybervigilantes.idg/

        At least these guys were only jacking DNS ... nowhere near as risky as the life of ebay fraudsters ...
        infoz
    • Do you think Turkey is another Iran?

      Instead of wasting your time on useless photo websites, and before cutting the heads of Turkish guys, I would advise you to cool down, and google "Turkey". I will bet your "intelligence level" will jump up tremendously, and then, who knows, you might be thankful to those Turkish hijackers that have, at least, NOT maliciously destroyed your hard drive, your precious files, or stolen anything from you. There is a famous Turkish saying "What you put forward as an excuse was even worse than what they did". Your prejudice, your narrow-mindedness and your bigotry is much worse than what they did.
      birdwings
    • ah 10000 sit ups 100000 pull ups would suffice

      Are you kidding?

      As soon as you develop skills that can be used to get past the security measures put in place by the best that the corporate world has to offer, (at a big expense I might add) you become a valued asset to those governmental agencies that happen to catch you.

      So when you are caught you apologize and agree to go to work for them. Then a couple years later you can use both on your resume and form your own security company. Charge a lot of money and grow a huge ego. That is until what you know is obsolete and some 13 year old gets by your security system and hacks the White House web site and redirects it to a gay escort service or Steve Gannon's MySpace page.

      Like always, the hacker brags about it in a chat room (he is 13 after all) and gets busted and then goes to work for the FBI keeping America's top secrets out of the hands of the Chinese. So the cycle continues.

      Let's face it, the degree of understanding of the inner workings of the networks we all use is of no interest to 99.99% of us. But to that very small percent that make it their life's pursuit are or were hackers. Just because you can write code doesn't make you a genius and being lambasted by a 13 year old is never fun but they do push the technology forward regardless of your personal opinion of them, and no I'm not a hacker.

      Cheers
      Jack
      iamjackalope@...
  • RE: Photobucket's DNS records hijacked by Turkish hacking group

    Well that's one way to go - certainly would cut down on hackers, eh?
    laralynzy@...
  • RE: Photobucket's DNS records hijacked by Turkish hacking group

    I did notice some problems with Photobucket yesterday. Now... newbie kind of question here. Since I logged in, and have no idea if I was actually logging into the Turkish site... is my password compromised (changed it anyway)... or something worse?
    jbcoops
    • What will they do with your password?

      What will they do with your password? They are not after your password.
      birdwings
  • RE: Photobucket's DNS records hijacked by Turkish hacking group

    They say not - Photobucket - but they can't seem to fix the problem either and their support is next to useless. All they do is tell you to do what you have already done. Pathetic!

    Well, I discover I can't live without my Bucket - so guess I will have to look for alternate hosting site since I can't get back into me Bucket... And Bucket does NOT seem to care.

    How's Flickr and what the heck else out there?

    I am sick to death of Hackers. For God's sake we don't NEED Hackers... we have MICROSOFT!! I am still trying to recover stuff from the last Microsoft Malfunction and it's been weeks... now this?

    I do swear, I am starting to really really really HATE Computers AND the Internet! For the use computers are these days, they might as well be boat anchors!
    laralynzy@...
  • RE: Photobucket's DNS records hijacked by Turkish hacking group

    Yes, I agree... frightening isn't it? Still the post office will make out... when we all switch back to sending stone tablets through the mail.

    I'm too scared to check my online banking anymore.

    We can't trust any of them, apparently. Nothing is safe. NOTHING. I have no faith in any of it any more. :o(
    laralynzy@...
  • RE: Photobucket's DNS records hijacked by Turkish hacking group

    I had the same problem all day yesterday and was redirected at first to some fake page, then to the atspace.com site. I noticed some odd memory hogging going on on my computer after, and my internet was taking much longer to load pages. I ran an anti-spyware and anti-virus scan and found a rootkit/keylogger trojan called "backdoor.bifrose" <<look it up, it's pretty nasty. It took me several hours to get this out of my system (I think it's gone now). After its removal, I'm able to get to my photobucket account w/o issue.

    Afterwards I went onto photobucket's forum site and found they'd closed the "photobucket hacked?" thread, with a statement that it had been fixed...if you were still having issues flush your DNS etc. I posted a new thread with a warning about contracting this trojan from the redirect/hack crap that happened .... they closed it within ten seconds. The message I received from the admin stated it was due to providing links ...to this story and a couple others. I then reposted the warning, and they completely deleted and locked my posts. The admin Amethyst was less than delightful. I have screen-shots of the whole incident. Me replying to her msgs asking why photobucket didn't want to issue a formal statement and suggest to run deep virus and spyware scans...her response "i cant help you" etc. If anyone wants to see those. I also told the admin, that if photobucket didn't want to issue a statement, the least they could do was let users warn other users about the potential risk. I got a reply back saying that I'd made my statement if anyone has anything else to say on the issue they could email their concerns to photobucket. One good thing about the myspace/photobucket merger is that myspace actually addresses security risks and issues, unlike photobucket...and that aint sayin' much.
    f'dbyphtobucket
  • RE: Translation of the Turkish message left by Turkish hacking group

    Here is the word by word translation of the Turkish message:

    The NetDevilz hacking group left the following message, that appears to have been loading from a third-party domain:

    and NetDevilz is again in the picture!
    Is there anyone who remembers us? We think that we have forgotten, and therefore, we have decided to call your attention to us.
    Turkish Hackers Group

    we are came back ! (We have come back/We came back---THIS IS MY HUMBLE CORRECTION)
    ©2008 NetDevilz Co.
    We're not first,But We're the BEST!"
    birdwings
  • RE: Photobucket's DNS records hijacked by Turkish hacking group

    MOSSAD's control over the Internet Last edited on Sun, May 04, 2008
    http://crashrecovery.org/internet/

    Contents :
    The Mossad takeover of popular Webmail
    MOSSAD takes over MOSNEWS.COM
    Re: MOSSAD takes over MOSNEWS.COM
    High Alert, good websites get taken down
    Cloak and Dagger under blackbox routing attack
    Compromised DNS backbone providers
    Re: [IANA #91363] Compromised DNS backbone providers
    Keyboard JitterBug eavesdropping
    The Anti Spam Controversy
    Downloads
    The Mossad and affiliated organizations nowadays try to control or even takeover popular websites and email services.
    rmstock
  • RE: Photobucket's DNS records hijacked by Turkish hacking group

    That's why I don't use PhotoBucket
    Knightwolfe
  • RE: Photobucket's DNS records hijacked by Turkish hacking group

    That's why I won't use something like PhotoBucket for uploading pics and stuff

    Wolfe
    Knightwolfe
    • RE:thats why i dont use photobucket

      Well, luckily I only use it for non personal crap that I post on myspace and the like. I've never been one for posting personal identifying stuff on the net at all. However, the reaction by photobucket & its service people is more frustrating than knowing they were hacked. The fact I got a trojan from the redirect hijack isn't photobucket's fault obviously. It becomes their problem though, when they don't warn, and don't allow users to warn, other users about the potential risk to the security of their computer systems and private information via this trojan or any other nasty malware that hackers use on unsuspecting people. I feel sorry for those who actually PAY for photobucket...and for those that have their accounts hooked up to their cell phones.
      f'dbyphtobucket