Surprisingly enough, Google Pakistan’s home page (google.com.pk) has been “hacked” by Turkish hackers, who put up a message that doesn’t make much sense when read in translation. There’s a phrase in English which says “Pakistan Downed”, surprising coming from a friendly country like Turkey. Well, hackers will be hackers.
Upon investigating a bit, I realized it’s not Google’s servers/data centres that have been compromised. Rather, it’s an infiltration of the database of PKNIC, which is the official domain name registrar for Pakistani ccTLD .PK domains. The conclusion was quick to make, as the WHOIS record of google.com.pk points to some free hosting service as the DNS provider, which obviously can’t be Google.
It is still unclear how the hackers managed to get into the user console of PKNIC. I am also unsure whether the password has been compromised or not. If access to the user console is lost, it could take until Monday to retrieve it because, as far as I know, PKNIC offices are closed on weekends, especially this one, which coincides with the public holidays of Ashoora. Not to mention the registrar works slowly and requires a lot of paperwork for verification etc.
Even if Google Pakistan’s domain manager manages to regain control and restore the correct DNS settings, it could still be several hours before propagation and restoration of Google Pakistan’s home page.
P.S. A weirdly cool song runs in the background of defaced page = )
Update 1: Microsoft.pk is also among the defaced websites, hacked using the same technique by the same hackers. The PKNIC accounts compromised are apparently managed by MarkMonitor Inc, an American brand protection company. It’s been more than two hours and DNS is still NOT fixed. Seems like my prediction’s right.
Update 2: After around 18 hours, Google.com.pk’s DNS settings in PKNIC’s database have been restored and the website has started coming back gradually. It might still take several hours before some visitors can access it, because DNS propagation takes time.
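The check that gave the hijack away in the post (the WHOIS nameservers no longer belonging to Google) can be automated as a delegation monitor. The following is an added example, not part of the original post: the WHOIS field labels, `EXPECTED_PARENTS` and both sample records are constructed assumptions, and PKNIC's real WHOIS output may be formatted differently.

```python
import re

# Assumption: this domain's delegation should stay under google.com
# (the comments below mention ns1.google.com); set per monitored domain.
EXPECTED_PARENTS = {"google.com"}

# Common WHOIS nameserver labels; real registry output varies.
NS_LINE = re.compile(r"^\s*(?:name\s*servers?|nserver)\s*:\s*(\S+)", re.I)

def parse_nameservers(whois_text):
    """Extract normalized, de-duplicated nameserver hostnames."""
    found = []
    for line in whois_text.splitlines():
        m = NS_LINE.match(line)
        if m:
            host = m.group(1).rstrip(".").lower()
            if host not in found:
                found.append(host)
    return found

def is_expected(host, parents=EXPECTED_PARENTS):
    """Match on a label boundary so notgoogle.com does not pass as google.com."""
    return any(host == p or host.endswith("." + p) for p in parents)

def audit_delegation(whois_text, parents=EXPECTED_PARENTS):
    """Return (status, unexpected_hosts). An empty NS set is also an alert."""
    servers = parse_nameservers(whois_text)
    if not servers:
        return "ALERT_NO_NAMESERVERS", []
    unexpected = [h for h in servers if not is_expected(h, parents)]
    return ("ALERT_DELEGATION_CHANGED" if unexpected else "OK"), unexpected

# Constructed samples, not real registry output.
GOOD = """Domain: google.com.pk
Name Server: NS1.GOOGLE.COM.
Name Server: ns2.google.com
"""
HIJACKED = """Domain: google.com.pk
Name Server: ns1.free-hosting.example
Name Server: ns2.free-hosting.example
Name Server: ns1.notgoogle.com
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("hijacked", HIJACKED)):
        print(label, audit_delegation(text))
```

Run on a schedule against the registry's WHOIS output for each monitored domain, this flags a nameserver change made at the registrar account even though the legitimate DNS servers themselves are untouched.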


Add paypal.pk and apple.pk to the list. 4 years back we had a similar incident where PKNIC’s systems were compromised:
http://touseef.com/pakistan/2008/08/11/meet-the-new-ex-owner-of-googlecompk-jangcompk-and-a-dozen-other-top-pknic-domains/
PKNIC does not seem to have learned any lessons from that incident.
Thank you for the refresher, Abdus Samad. I am aware of that hack Touseef was able to pull off 4 years back. However, that wasn’t through DNS poisoning. Touseef was somehow able to push domains into another account but, being an ethical hacker, all he wanted was for PKNIC to realize its security lapses. But you’re right, PKNIC doesn’t seem to have learned their lessons.
This attack is not DNS poisoning either. DNS poisoning is where they attack the DNS server. That is not what they’ve done. No one has compromised Google’s DNS servers (ns1.google.com etc.).
They’ve managed to hack into a PKNIC account via the PKNIC website just like Touseef did. They’ve then used the domain control panel to change the nameservers.