Malaysia Airlines claims DNS hijacked, site not hacked, but attackers threaten data dump

Hackers hijacked the DNS of Malaysia Airlines, so visitors to the URL saw two different '404 Not Found' defacements. Yet Malaysia Airlines claimed its 'website was not hacked' and customer data 'remains secure.' The attackers say that's not true and threatened to leak stolen data.

[Image: Malaysia Airlines. Credit: Adib Wahab]

“404 – Plane Not Found” was part of one twisted message that greeted people who visited the Malaysia Airlines website. Later, users saw an image of a pipe-smoking tuxedo-wearing Lizard.

While it’s not clear if it’s true, Lizard Squad tweeted that it was “going to dump some loot found on malaysiaairlines.com servers soon.” Another tweet included a link to imgur, but the screenshot has since been deleted. USA Today reported that it looked like a “passenger flight booking from the airline’s internal email system.” That directly conflicts with Malaysia Airlines tweeting, “User data is secured.”

Users who surfed to www.malaysiaairlines.com first saw “404 – Plane Not Found” followed by “Hacked by Cyber Caliphate.” The Lizard Squad Rap music played automatically in the background. The browser tab included the website title referencing ISIS, although that might simply be the hackers trolling for controversy.

[Image: 404 not found Malaysia Airlines DNS hack screenshot]

“ISIS will prevail” is the website title listed for Malaysia Airlines, according to a quick Whois check that also shows it was last updated today, Jan. 26.

[Image: "ISIS will prevail" Malaysia Airlines website title. Credit: DomainTools]

A discussion on Hacker News debated whether or not Akamai or Cloudflare name servers were serving up the defaced pages. (More about DNS resolution was covered in a 2012 post using Malaysia Airlines as a sample CDN client of Akamai.) Although Malaysia Airlines did not go into the details of its name servers being compromised, it did admit its DNS was hijacked.

The first defacement sent “Greetz 2” the hacking groups Lizard Squad and UGNazi as well as Nathan Nye and Henry Blair Strater. The center of the page suggested following CyberCaliphate on Twitter and then listed @UMGRobert and @UMG_CHRIS.

Later, visitors to the Malaysia Airlines site saw a pipe-smoking tuxedo-wearing Lizard image above “Hacked by Lizard Squad – Official Cyber Caliphate.”

[Image: Malaysia Airlines hacked by Lizard Squad. Credit: Wayback Machine]

Since both images included the Twitter handles @UMGRobert and @UMG_CHRIS, two men from the online gaming event company UMG, the Wall Street Journal said, “Malaysia Airlines had its website hacked by a group that appeared to be trying to settle a score with a U.S. videogame company.”

Chris Tuck, aka @UMG_CHRIS, told WSJ, “We were not involved in any website being hacked in any way. The group who did it is a group of kids who aren’t fond of our company. I presume they added our names to either scare us or warn us.”

“You may experience difficulty accessing our website,” Malaysia Airlines admitted in a tweet, before directing users to a specific URL to book fares. Two hours later, @MAS tweeted, “User data is secured.”

[Image: Malaysia Airlines said it was not hacked. Credit: Malaysia Airlines]

On Facebook, Malaysia Airlines said its website was not hacked, but its DNS was hijacked. The message confirmed that Malaysia Airlines’ “Domain Name System (DNS) has been compromised where users are re-directed to a hacker website when www.malaysiaairlines.com URL is keyed in.” It added, “Malaysia Airlines assures customers and clients that its website was not hacked and this temporary glitch does not affect their bookings and that user data remains secured.”

Lizard Squad, which took responsibility for DDoS attacks against Sony’s PlayStation Network and Microsoft’s Xbox Live on Christmas, claimed Malaysia Airlines was lying about the breach.

[Image: Lizard Squad claims Malaysia Airlines is lying about breach. Credit: @LizardMafia]

The hacking group had previously tweeted a link to a screenshot of a passenger travel itinerary. If that is the case, then more than the airline’s name servers were compromised. Although the image has since been vaporized, the Associated Press said the booking was made in October by Malaysian Amy Keh.

"I am a bit worried about their security. Now the whole world knows that they will be going to Taipei," said Keh, who logged on Monday to check the itinerary. She said the website looked different and called the airline, which told her of the hacking. However, she only found out when contacted by The Associated Press that the travel information was posted online. 

The hacking group later tweeted that it would leak stolen airline data.

[Image: Lizard Squad claims it will leak stolen airline data. Credit: @LizardMafia]

As you likely recall about Malaysia Airlines, Flight MH370 disappeared in March 2014. In July, Flight MH17 was shot down over Ukraine.
