Was the FIFA Website Hacked?

As many know, our company has deep Brazilian roots, as such we have no choice but to enamored with the upcoming World Cup. Yes, the World Cup is coming, soccer news is everywhere and like most things, websites are being used to disseminate the news. The Federation Internationale de Football Association (FIFA) is perhaps one of the largest websites in the world dedicated to Football (a.ka.a Soccer for you Americans) news.

This morning however I awoke to the most startling of news; Twitter was all the rage with the most unexpected, yet expected, FIFA appeared to be hacked.

twitter hacked

Hactivisim Amidst

Is it possible that the Fifa website was hacked? Could it be Hacktivism?

This wouldn’t be the first time ofcourse, big events like this are usually a big target for hackers and this defacement sure is getting a lot of attention from the public. This is what the reported hacked website looks like:

fifa fake defacement

Everything in the site looked the same, except that they added an animation of Fifa’s president, Joseph Sepp Blatter, dancing with a funny song.

At first glance it seems to be legitimate, but taking a closer look you quickly realize it is a fake. Fifa’s official website is www.fifa.com and the one that is being reported as hacked, defaced, is www.fifa-brazil-2014.com.

If you search for these two websites on Google, you will get the same description, which can certainly lead people to believe that it is a legitimate website for FIFA.

phishing

If you take a minute to dig a little deeper though you’ll find it’s really not.

$ host fifa-brazil-2014.com
fifa-brazil-2014.com has address 82.196.13.236

$ host 82.196.13.236
236.13.196.82.in-addr.arpa domain name pointer samba-hack.feinheit.ch.

CH = Abbreviation for Switzerland

Samba-Hack = Name being given to the hack

Registered at:
Registrar URL: http://www.godaddy.com

Creation Date: 2013-06-06 09:11:09

Registrant Email: andrea.arezina@solidar.ch
Admin Name: Andrea Arezina
Registrant City: Zurich
Registrant State/Province: Switzerland

If you look at the real FIFA website you’ll find this information:


$ host fifa.com
fifa.com has address 94.236.90.168

Registrar URL: www.cscprotectsbrands.com

Registrant Email: domain.admin@fifa.org
Admin Name: Domain Name Administrator

Registrant City: Zurich
Registrant State/Province: Switzerland

What’s most peculiar however is that they appear to be in the same city. Definitely an awkward moment for sure.

Lesson To Be Learned

Opportunistic attacks can happen at any time, we can’t allow ourselves to be fooled by what we find online (even if it comes from Twitter, especially if it comes from Twitter). We have to remain diligent when visiting websites we’re unfamiliar with. This caution extends to Google as well as you can see above. Although this specific attack only injected a defacement, the attack could have been much worse, it could have been used to deliver a desktop trojan or any variety of other malware payloads.

Stay safe and don’t be fooled :)

Avira, AVG and WhatsApp Defaced

If you visited the web sites for Avira, AVG or WhatsApp this morning, you probably saw that they didn’t look like they should. All of them were defaced and looked like this:

02 avira defaced

It is a bit horrifying when you see such big sites, including security sites from major Anti Virus products (like AVG and Avira) getting compromised. But what really happened? Did they really get hacked?

DNS redirection

In a broader sense, they did get hacked, but not through a compromise on their servers or network. It looks like the attackers got access to their domains registration panels at Network Solutions and modified their name servers.

For example, these were the new name servers for Avira:

$ host -t NS avira.com
avira.com name server ns1.radioum.com.br.
avira.com name server n1.ezmail.com.br.
avira.com name server n2.ezmail.com.br.
avira.com name server ns2.radioum.com.br.

And these new names servers were pointing Avira’s IP address to 173.193.136.42, instead of the real IP address. That’s why visitors to the site were greeted with a defacement page.

What causes a bit of suspicion is that all these domains are hosted at Network Solutions, so we have to wait a bit more to see if it was caused by a breach on their end or something else.

Update: Avira posted the following on their tech blog: “It appears that our account used to manage the DNS records registered at Network Solutions has received a fake password-reset request which was honoured by the provider. Using the new credentials the cybercriminals have been able to change the entries to point to their DNS servers.” So it doesn’t looks like Netsol was directly hacked, but the attackers found a way to reset the passwords for certain accounts.

Web Hosting Provider ServerPro Hacked, Defaced, & Blacklisted by Google

Even the pro’s are susceptible to attack. Web hosting provider ServerPro has been compromised and completely defaced. This has been ongoing for more than a few days with no resolution.

ServerPro boasts to have over 200,000 clients over a 10 year stand. Although there is no direct proof that this attack affects a wide portion of their client base, we have seen a few of their clients experiencing the same issue.

If you were to visit the site, which we recommend against, you would get the beautiful Google infection banner:

ServerPro Blacklisted by Google

Read More