Google needs to get a grip on its websites, as hackers meddle in Malaysia

If you visited Google's Malaysian website today, you might have had a big surprise.

Because rather than finding the familiar minimalist interface of the world's favourite search engine, visitors to google.com.my would have seen this instead:

Google Malaysia

"Google Malaysia HackeD by Tiger-Mate #Bangladeshi HackeR"

Sounds bad, doesn't it? Well, it's certainly not great - but it's not quite as bad as you might imagine.

Firstly, Google's own servers have not been hacked and no data on their systems has been compromised.

Instead, it appears that hackers managed to redirect the DNS entry for google.com.my to a website of their own choosing.

DNS is the internet's phone book, translating website URLs that people can remember (like google.com or amazon.co.uk) into numeric IP addresses that the net understands.

Of course, an unauthorised party changing Google's DNS entry - even if only for the Malaysian branch of Google - could have been a very bad thing.

For instance, they could have planted a drive-by download designed to infect visiting computers on the bogus google.com.my, or the hackers could have created a fake version of the Google search engine which displayed results of their own choosing to earn them income (and perhaps might have been less obvious than the graffiti-style defacement they chose).

The Google Malaysia team tweeted out an advisory to affected users:

A spokesperson for the company told the Wall Street Journal that it was contacting MYNIC, the Malaysian government body that oversees all websites using the .my domain TLD:

"We’re aware that some users are having trouble connecting to google.com.my, or are being directed to a different website. We’ve reached out to the organization responsible for managing this domain name and hope to have the issue resolved shortly."

The DNS redirection appears to have now been resolved, but there's a bigger issue here - namely that this isn't the first time that Google has suffered a similar attack.

In February, for instance, the notorious Lizard Squad hacking gang performed a similar stunt against Google Vietnam, in order to advertise their DDoS-for-hire service.

Clearly either Google is being careless with the passwords it uses to access its DNS records, or some of the organisations it has entrusted with managing its DNS records aren't securing their systems properly.

If it's the latter, then Google really may want to rethink having domains like google.com.my. Perhaps it is time for my.google.com instead?

Tags: , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , ,

One Response

  1. Coyote

    April 14, 2015 at 3:23 pm #

    "The DNS redirection appears to have now been resolved,"

    I don't know if it was intentional but love the pun (imagine that).

    "but there's a bigger issue here – namely that this isn't the first time that Google has suffered a similar attack."

    Indeed, and the irony is near too much, is it not, when you consider publishing PoC exploits when a patch is already being released (yes, that's often how flaws are fixed, but the difference with Google is – at least from what I've read, how little it might be – they work with the organisation first, then, when they're too slow, even if they have a working patch, they release the exploit; why not just release it then ? /shrug). But here's a question for you, Graham, since I've not yet been around at the time to check the DNS server itself (when Google has been victim of DNS attacks like this):

    Is this a RR update of the actual DNS zone ?;
    Or is it changing the SOA ('start of authority'), or perhaps or more specifically, which DNS servers have authority (in the registrar), these being related ?;
    Or is it a DNS poisoning attack ?

    From my end, never having queried my DNS server until now :

    ;; ANSWER SECTION:
    google.com.my. 60 IN SOA ns3.google.com. dns-admin.google.com. 91083816 900 900 1800 60

    Ah, here we go! whois google.com.my shows THIS:

    e [Record Last Modified] 14-APR-2015

    …which makes me think that indeed it has been modified at the registrar, and that is indeed quite serious (and more curious!).

Leave a Reply