14 Apr 2000
Hackers have hijacked a series of high-profile internet sites in a move that security experts said could have serious implications for the development of ecommerce.
The hackers, who have not been identified, fooled domain name registrar Network Solutions into changing the registration of Domain Name System (DNS) servers at a range of sites, causing a total loss of service.
Sites that were hit included those of Manchester United and adidas.
Front pages were replaced by a coat of arms with the title "Kosovo is Serbia" in place of corporate logos. The internet vandals also left the message "be happy if we hacked your site because we hack only the best sites on the internet".
Cheryl Regan, spokeswoman at Network Solutions, said: "There is an active investigation about unauthorised changes to domain registration which allowed people to effectively hijack websites."
Regan said Network Solutions had put in place measures to prevent the hijacking, but she admitted that the changes had not yet been eradicated as it takes several days for DNS changes to be updated throughout the internet.
She said suggestions that 2000 sites were affected were "much too high" but declined to give the actual figure.
Chris Royle, director at security integrator Objectronix, said the implications of the domain name spoofing are serious because they show how easy it is to hijack and disable an ecommerce site.
"This is like someone walking into a bank without a debit card or ID and being given money from a stranger's account," said Royle.
In previous cases it was found that human error was to blame, where changes to domain registration could be made without any security checks taking place. Top-level registries need to start accepting greater responsibility, he added.
Paul Cronin, head of penetration testing at security consultants CenturyCom, said: "This appears to be more a case of sloppy security procedures than poor technology."
He said that the hackers had probably made the change by sending a spoofed email from the address of the person who looks after the domain names and requesting changes to DNS server records.
Cronin said that Network Solutions must insist on verifying identities, and added that users should take up the option of providing instructions for domain name changes via encrypted emails.
"Security breaches such as these can be extremely embarrassing to the companies involved," said Cronin.