Websites including The Daily Telegraph, UPS, Vodafone, National Geographic, The Register and others are all currently experiencing disruption according Zone-H, a site that monitors website defacements.
A screenshot of where users are being redirected to can be found below (via Paul Mutton). The headline message in Turkish reads “Turkish Security, Come to Papa.”
The IP Address for the rogue site is 188.8.131.52. if you have a firewall in place you can instruct it to block that particular IP.
It’s worth noting that the websites themselves have not been hacked but the DNS settings have. The DNS settings essentially tell that domain names which IP addresses to load, and these have been altered to point to the IP address of the site below.
As security site Sophos notes, because of the way changes to DNS settings work, not every visitor is affected and it may be some time before any fixes made are visible to all visitors. That being the case, one site, The Register, has taken the step of shutting down access to its site as a precaution.
According to a brief interview with The Guardian, the hackers gained access by hacking domain name registrars Netnames.co.uk, Ascio and “some other ones.”
The group go onto say the motivations behind the hack are purely for the amusement and challenge of infiltrating big domains:
“First we target site itself. if we cant find a vuln. on the script of site we try accessing server or vps. If none of them works we try domain company. The hardest one is reaching the domain company but if you can succeed there will be a treasure for you ”
The hackers say they are also responsible for the South Korean domain name registrar hacking in August.
More to Follow.