[ALBSA-Info] BBC: 'Serb Hackers' on Rampage

[Iris Pilika]

BBC World Service
Friday, 14 April, 2000, 01:24 GMT 02:24 UK

'Serb hackers' on the
rampage


More than 50 websites have been taken over
by what is suspected to be a group of Serb
hackers.

The websites - which included such
high-profile names as Manchester United and
Adidas - were stripped of their content, and
branded with the image of a double-headed
eagle, with the words "Kosovo is Serbia".

Many of the sites were
Yugoslav, Bosnian and
Croatian. The Kosovo
Albanian newspaper
Koha Ditore and the
Albanian site
Kosovapress were also
among those hacked.

In another
development, the
website of the Serbian
Ministry of Information
reported that it and
other Yugoslav sites had been taken over.

It said "American-Albanian propagandists" had
forged the entire English version of its site on
Wednesday.

"In a planned and malicious action, regularly
registered Yugoslav sites were taken over on
the central server of an American firm involved
in the registration of the internet domains," it
added.

"Numerous sites of the Yugoslav providers,
political parties and firms were attacked in a
synchronised manner," it said.

Chance discovery

Most of the companies in the "Kosovo is
Serbia" attack have since reclaimed their
websites.

Manchester United believes the culprits were
"cyber-squatters", who register internet sites
in the names of celebrities or well-known
companies, and then try to sell them back
again.

An internet company which monitors domain
names, WebDNS, spotted that the hacking was
part of a sustained campaign.

Alex Jeffreys, the technical director of
WebDNS, said he noticed that several
high-profile web-sites were being hacked on
Monday.

"I almost stumbled over it by chance, when I
noticed that a number of large company
domain names had changed ownership," he told
News Online.

As he began checking details of some of the
thousands of websites being supported by the
server Webprovider Inc, he discovered more
than 50 sites that had been hacked from the
same address.

The hacked
websites had all
been registered with
Network Solutions,
the world's largest
register.

Mr Jeffreys said it
appeared that the
hackers had
changed the
contact details in
Network Solutions'
database on Sunday
night.

The contact
addresses were at
first transferred to a
Yugoslav address,
and then on Monday
night to an Albanian address.

"It seems that the Network Solutions database
is quite open for hacking, rather than it being
one company in particular," he said.

How the hackers worked 

It is impossible to say exactly who the hackers
are, or how they managed to breach
databases that should be secure.

However, Mr Jeffreys said they probably sent
spoof e-mails to Network Solutions, pretending
to be from the company concerned, and
requesting a change of address.

The requests for a modification are sent by an
automatic e-mail form.

Although Network Solutions was not available
for comment, a message on their answer
machine said that "if you are making a registrar
name change or contact modifications request"
there would be delays while they "carefully
review your request for change".