Hacked Comcast.net Leaves Users Without Email Access
Comcast.net, the portal of US communications provider Comcast, was hacked on Wednesday night. As a result of the attack Comcast subscribers were unable to access their email or other services through the portal for more than two hours. Comcast is the second biggest ISP in the US and a major provider of cable TV services.
The comcast.net front page was replaced by a greeting from hackers on May 28. The defacement was removed after more than two hours. Users were then confronted by a “page under construction” message before the site was restored in the early hours of Thursday morning. The site remained intermittently unavailable even after this time. The exact mechanism of the attack is still unclear, though an injected iFrame that served up content from sites under the control of hackers is suspected. Some form of DNS redirection attack may also have been involved.
Normally defacement attacks simply involve some text message or an image on a website. However, in the case of the Comcast attack it seems some attempt may have been made to snoop on its users’ login credentials.
There is still a lot of speculation about the details of the attack and why it happened. The defacement was claimed by two hackers who left the following message on a blank white page of Comcast.net: “KRYOGENIKS Defiant and EBK RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven”.
Update: Not only did the hackers hijack Comcast’s domain name for three hours overnight, they also sent subscribers who tried to access webmail and other services to a rogue site that bragged of the exploit.
Comcast lost control of the comcast.net address after the attackers changed registration information stored by its domain registrar, Network Solutions. The unauthorized change redirected people attempting to visit the site to a page that read: “KRYOGENIKS Defiant and EBK RoXed COMCAST. sHouTz To VIRUS Warlock elul21 coll1er seven.” The page was displayed after the attackers altered the site’s IP resolution information, replacing Comcast’s IP address with the rogue address 209.62.20.186. In addition to their cryptic defacement, they altered the address for Comcast’s administrative contact to “69 dick tard lane, dildo room.”
Comcast said there was no immediate evidence that the attackers’ page tried to install malware or steal user credentials. But some reports claimed that email clients were redirected to the impostor address, requesting their login name and password.
It’s still unclear how the attackers accessed the registration settings stored with Network Solutions. A Network Solutions spokeswoman said the company is working with Comcast to figure out how the hackers obtained the login credentials to the account. Comcast is also working with unnamed law enforcement agencies to track down the attackers.
May 29th, 2008 at 9:46 pm
Honestly, do hackers have a freakin life or do they spend their whole day sitting at a computer trying to f*** up people's lives? How am I supposed to know if I got the job at Best Buy? Hackers need to get a life and need to get laid!
May 30th, 2008 at 2:56 am
According to DSLReports forums, the outage is still going on, for 24 hours already.
Thanks, Keith, for bringing this to our attention.