Sucuri Blog
Avira, AVG and WhatsApp Defaced

October 8, 2013, by Estevao Avillez


If you visited the websites for Avira, AVG or WhatsApp this morning, you probably saw that they didn’t look like they should. All of them were defaced and looked like this:

[Image: the defaced Avira home page]

It is a bit horrifying to see such big sites, including the sites of major antivirus vendors like AVG and Avira, getting compromised. But what really happened? Did they really get hacked?

DNS redirection

In a broader sense, they did get hacked, but not through a compromise of their servers or network. It looks like the attackers got access to their domain registration panels at Network Solutions and modified the domains’ name servers.

For example, these were the new name servers for Avira:

$ host -t NS avira.com
avira.com name server ns1.radioum.com.br.
avira.com name server n1.ezmail.com.br.
avira.com name server n2.ezmail.com.br.
avira.com name server ns2.radioum.com.br.

And these new name servers were resolving avira.com to 173.193.136.42 instead of the real IP address. That’s why visitors to the site were greeted with a defacement page.
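The check described above (compare the name servers and address a resolver currently returns for a domain with the records the domain owner knows to be correct) is easy to automate. The script below is an added example, not code from the Sucuri post: it parses the output of `host -t NS` and `host` as quoted above and flags any delegation or address that is not on the owner's allowlist. The "expected" name servers and IP are constructed placeholders (RFC 5737 documentation space), not Avira's real records; the observed lines are the ones shown in the post plus one constructed `has address` line.

```python
"""Detect registrar-level name-server hijacking from resolver output.

Added example, not part of the original post. It compares the NS and A
records a resolver reports for a domain against an allowlist the domain
owner maintains, which is exactly what changed in the Avira incident.
"""
import re
from dataclasses import dataclass, field

# Output formats of the `host` utility: "<domain> name server <ns>."
# and "<domain> has address <ipv4>".
NS_LINE = re.compile(r"^(?P<domain>\S+) name server (?P<ns>\S+)$")
A_LINE = re.compile(r"^(?P<domain>\S+) has address (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

# Constructed allowlist (placeholders, not Avira's real records).
EXPECTED_NS = {"ns1.example-legit.net", "ns2.example-legit.net"}
EXPECTED_A = {"192.0.2.10"}

# Observed output: the four NS lines quoted in the post plus a constructed
# A line carrying the address the post says the hijacked zone resolved to.
SAMPLE_HOST_OUTPUT = """\
avira.com name server ns1.radioum.com.br.
avira.com name server n1.ezmail.com.br.
avira.com name server n2.ezmail.com.br.
avira.com name server ns2.radioum.com.br.
avira.com has address 173.193.136.42
"""


def norm(name: str) -> str:
    """Canonicalise a DNS name: lower-case, no trailing root dot."""
    return name.rstrip(".").lower()


def parse_host_output(text: str) -> dict:
    """Extract the set of name servers and A records from `host` output."""
    found = {"ns": set(), "a": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if m := NS_LINE.match(line):
            found["ns"].add(norm(m.group("ns")))
        elif m := A_LINE.match(line):
            found["a"].add(m.group("ip"))
    return found


@dataclass
class Finding:
    """One record type whose observed values differ from the allowlist."""
    kind: str                      # "NS" or "A"
    unexpected: set = field(default_factory=set)  # seen but not allowed
    missing: set = field(default_factory=set)     # allowed but not seen


def check_delegation(observed: dict, expected_ns: set, expected_a: set) -> list:
    """Return a Finding per record type that deviates; empty list means clean."""
    findings = []
    exp_ns = {norm(n) for n in expected_ns}
    if observed["ns"] != exp_ns:
        findings.append(Finding("NS", observed["ns"] - exp_ns, exp_ns - observed["ns"]))
    # Only judge A records if the resolver returned any; an NS-only query
    # should not be reported as a missing address.
    if observed["a"] and observed["a"] != set(expected_a):
        findings.append(Finding("A", observed["a"] - set(expected_a),
                                set(expected_a) - observed["a"]))
    return findings


def hijack_suspected(text: str, expected_ns: set, expected_a: set) -> bool:
    """True when any NS or A record deviates from the owner's allowlist."""
    return bool(check_delegation(parse_host_output(text), expected_ns, expected_a))


if __name__ == "__main__":
    for f in check_delegation(parse_host_output(SAMPLE_HOST_OUTPUT), EXPECTED_NS, EXPECTED_A):
        print(f"{f.kind}: unexpected={sorted(f.unexpected)} missing={sorted(f.missing)}")
```

Run periodically from a host outside your own network (a hijack at the registrar is invisible to an authoritative server you operate yourself), feeding it live `host` output; any finding means the delegation changed at the registrar or the zone was altered, and the unexpected values tell you where traffic is now going.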

What causes a bit of suspicion is that all these domains are registered at Network Solutions, so we have to wait a bit more to see whether this was caused by a breach on their end or by something else.

Update: Avira posted the following on their tech blog: “It appears that our account used to manage the DNS records registered at Network Solutions has received a fake password-reset request which was honoured by the provider. Using the new credentials the cybercriminals have been able to change the entries to point to their DNS servers.” So it doesn’t look like Netsol itself was directly hacked; rather, the attackers found a way to get the passwords for certain accounts reset.


Categories: Security Advisory. Tags: Hacked Websites

About Estevao Avillez

Estevao Avillez is Sucuri’s Senior Director of Security Research, who joined the company in 2013. Estevao’s main responsibilities include leading the Research Group, which includes the Malware, Vulnerability and WAF/Sucuri Infrastructure. His professional experience covers 15 years with planning, project and operations management. Estevao has also worked in various areas such as logistics and supply chain, media and communication, telecommunications, and trading relationships with customers. He’s worked as a consultant in financial, strategic and operational management. When Estevao isn’t keeping our customers safe, you might find him taking care of his kids and running. Connect with him on Twitter.

Comments

  1. Pothi Kalimuthu

    October 9, 2013

    Thanks for sharing what happened. The hackers as usual targeted the weakest chain in the link in these sites. Glad to know that it wasn’t the servers that got hacked. That would have made things worse for these companies.

  2. Havenswift Hosting

    October 9, 2013

    This is another case of DNS hijacking similar to that of Australian IT services company Melbourne IT which, back in August, resulted in The New York Times and Twitter websites being hijacked. In both cases, although by the sound of it via different means, valid user login credentials were obtained and used to change the nameserver records – yet another case of password authentication by itself not being good enough. We have supported two-factor authentication for a while, and each breach like this just strengthens the call for this to be implemented much more widely.

  3. Adeel Sami

    October 10, 2013

    Wow, that’s a unique tactic, and it’s very concerning that they managed to reset the passwords by portraying themselves as REAL! They need to find out something like 2-factor authentication as @havenswifthosting:disqus suggested.

  4. Jawad Niazi

    October 11, 2013

    Thanks for sharing. I also faced the same problem with my sites, which were hosted at myhosting.com; they didn’t hijack my domain name servers, but somehow they managed to change the index file of my site.

  5. Gudang Garam

    October 11, 2013

    So the attacker sent a fake email to reset the password for the domain panel?
    Then the email opened a new tab with a fake login for the domain panel?

    So can I say that these big sites got hacked by a fake login only?

    There are many big sites that got hacked by this technique, but I really appreciate this blog.
