probably attacked from U.S. domain registrar, says researcher

Most likely reason for Chinese search giant's outage: Username/password for pillaged

The attack that took China's biggest search site offline yesterday was most likely carried out by modifying Baidu's records at, the search engine's official domain registrar, a security researcher said today. was unavailable part of Monday, but early in the outage the site displayed a message that read: "This site has been hacked by Iranian Cyber Army," according to a report on the People's Daily, the Web site of the Chinese Communist Party's official newspaper.

The group was the same that had taken responsibility for an attack against last month that redirected the micro-blogging service's traffic to a domain that hosted the same message.

"It looks like's DNS was changed at the registrar level," said Jeremy Rossi, a partner in Praetorian Security Group, a New York City-based security consultancy. Praetorian's partners, including Rossi and Daniel Kennedy, published an analysis yesterday of the attack on their company blog.

Rossi said that it was impossible to know for certain whether the Chinese search site's DNS information had actually been changed at -- the registrar of record -- but that that was the most likely explanation. did not respond to a request for comment.

"The interesting thing is that although doesn't control the .com servers, they do control the technical log-in to Baidu's [DNS] servers," said Rossi.

His bet is that the hackers who use the "Iranian Cyber Army" moniker managed to obtain a username and password that allowed them to access's records for Baidu, perhaps by successfully phishing an employee of the U.S. domain registrar, or one of Baidu's workers. "That's the most common vector for something like this," said Rossi. "It's easier to pull off [than directly hacking DNS]."

The same method was behind the December 2009 Twitter attack, according to the company that manages Twitter's DNS (Domain Name System) servers. The company claimed that an authorized Twitter account was used to switch the service's DNS records.

Rossi's assumption was that once armed with a username and password to's account at, the hackers modified the DNS records to point to their own, which in turn directed users of the search engine to various systems that hosted the Iranian Cyber Army message.

DNS records act like a telephone directory for the Internet, matching domain names, such as, with the IP addresses used by that domain's servers.

Attacks based on modifying DNS records may seem to be on the uptick, but they're not, said Rossi. "This has been going on as long as we've had DNS, but now they're moving up the chain to larger companies, and so they're more prominent," he said.

But Web-based firms should take a lesson from the likes of Twitter and Baidu, Rossi said. He urged companies to demand access control that relied on more than just a username and password. "Baidu's entire business is based on their DNS being always right," he said. "Two-factor authentication isn't perfect, but it sets the bar [for attackers] that much higher," he said.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to or subscribe to Gregg's RSS feed .

Copyright © 2010 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon