Internet Domain Registry

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Friday, 18 December 2009

Who is the "Iranian Cyber Army"? Twitter DNS Redirect

Posted on 06:16 by Unknown
(Update: 12JAN10 - Iranian Cyber Army Returns -- Target: Baidu.com )

#1 Search on Google in the past hour: "Iranian Cyber Army"
#2 Search on Google in the past hour: "Twitter hacked"

What do these things have to do with each other?

A formerly unknown group, the Iranian Cyber Army, was able to redirect the DNS for Twitter, causing all visitors to be temporarily redirected to another IP address, not belonging to Twitter, and sharing the message from the Iranian Cyber Army that they are cooler hackers than you.

Since we do actually track website defacers at UAB, and since we've never heard of the Iranian Cyber Army, we thought we would take a quick peek in our favorite Iranian hacker rooms to see who was boasting of their conquest.

First we found "vhdmsm" sharing details of the attack in the Iranian Hacker Forum, Ashiyane Digital Security.

They quote the defacement:

========================

Iranian Cyber Army

THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY

iRANiAN.CYBER.ARMY@GMAIL.COM

U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don't, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To....

NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?

WE PUSH THEM IN EMBARGO LIST

Take Care

=====================
and post links to the Twitter Blog entry about the attack, and a CNET news story.

But there is no indication they were themselves involved.

We're going to need some more evidence. Perhaps someone should be talking to the folks at BlueHost this morning.

See for yourself?


A little twiddling with various DNS Caching systems, and we were able to find the IP address to which traffic had been redirected:

66.147.244.182

There are some interesting domains there, including:

http://mowjcamp.net/

That site is interesting, because its on Bluehost, in the United States.

which currently shows content made from these graphic files (I've moved them to a more permanent location...just in case):










In my opinion, it looks like that server was compromised via WordPress vulnerabilities, but that is just an educated guess based on content at this time. So, it looks like the hacker first hacked one of the sites on the Bluehost box, other mowjcamp.org, wpcrowd.com, or coventryri.com, then redirected all the twitter traffic to that IP by changing the Nameserver entries for Twitter to point away from their normal Google-provided IP addresses to 66.147.242.88 instead.

Email ThisBlogThis!Share to XShare to Facebook
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • 2009 Year in Review
    As 2009 comes to a close I wanted to take a minute to thank all of the people who have been helpful to this blog this year, and to share bac...
  • What about the Social Security Numbers? (The Utah Data Breach and your SSN)
    The Utah Data Breach This week the continuing saga of the Utah Medicaid Data Breach continued to unfold. If you haven't been following...
  • Top Brands Imitated by Malicious Spam
    WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through Septemb...
  • Carder Christopher Schroebel gets Seven Years
    21 years old and thinking about Cybercrime as a career choice?  Think again.  Seattle-based U.S. Attorney Jenny Durkan told a press conferen...
  • Stop the Rumors: Quit SMSing about WalMart Gang Initiations
    My daughter and her teenage friend were sitting on the couch watching TV today when they began getting text messages on their phone. Here...
  • New BBC spam mocks Georgia's President, Spreads New Virus
    This morning we've received more than 300 copies of a new "BBC" spam campaign which mocks Georgia's President and spreads ...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • Digital Certificates Update
    A quick update from the previous post. The Digital Certificates spam campaign against Merrill Lynch continues, but the good guys seem to be ...
  • ATM Cashers in 26 Countries steal $40M
    CBS News in New York has a video on their website this morning title Cyber-attacks behind possibly record-breaking bank heist . Former FBI ...
  • A New Year and Anti-Virus Products Are Still Losing
    One of our most popular blog posts in 2008 was back in August - Anti-Virus Products Still Fail on Fresh Viruses . I'm sad to report tha...

Categories

  • china
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • facebook
  • fake av
  • gumblar
  • koobface
  • law enforcement
  • malware
  • pharmaceuticals
  • phishing
  • public policy
  • spam
  • twitter
  • twitter malware
  • waledac
  • zbot

Blog Archive

  • ►  2013 (21)
    • ►  December (4)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ►  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ▼  2009 (92)
    • ▼  December (12)
      • New Year's Waledac Card
      • 2009 Year in Review
      • A donde se va Avalanche? BBVA! y United Bankers ...
      • Some updates . . . Visa/Zeus and Google Jobs
      • Who is the "Iranian Cyber Army"? Twitter DNS Redi...
      • China changes registration rules - will spam chang...
      • Ongoing VISA scam drop Zeus Zbot
      • Minipost: Google v. Pacific WebWorks
      • Yet Another Facebook spam - New Zeus / Zbot threat
      • Webmasters Targeted by CPANEL phish
      • Minipost: CDC Version of Zeus?
      • Google Jobs Scam: Read the Fine Print
    • ►  November (11)
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (6)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ►  2008 (101)
    • ►  December (7)
    • ►  November (17)
    • ►  October (11)
    • ►  September (10)
    • ►  August (22)
    • ►  July (12)
    • ►  June (3)
    • ►  May (7)
    • ►  April (5)
    • ►  March (2)
    • ►  February (1)
    • ►  January (4)
  • ►  2007 (31)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile