BBC
'Serb hackers' on the rampage

Friday, 14 April, 2000


More than 50 websites have been taken over by what is suspected to be a group of Serb hackers.
The websites - which included such high-profile names as Manchester United and Adidas - were stripped of their content, and branded with the image of a double-headed eagle, with the words "Kosovo is Serbia".
Many of the sites were Yugoslav, Bosnian and Croatian. The Kosovo Albanian newspaper Koha Ditore and the Albanian site Kosovapress were also among those hacked.
In another development, the website of the Serbian Ministry of Information reported that it and other Yugoslav sites had been taken over.
It said "American-Albanian propagandists" had forged the entire English version of its site on Wednesday.
"In a planned and malicious action, regularly registered Yugoslav sites were taken over on the central server of an American firm involved in the registration of the internet domains," it added.
"Numerous sites of the Yugoslav providers, political parties and firms were attacked in a synchronised manner," it said.

Chance discovery
Most of the companies in the "Kosovo is Serbia" attack have since reclaimed their websites.
Manchester United believes the culprits were "cyber-squatters", who register internet sites in the names of celebrities or well-known companies, and then try to sell them back again.
An internet company which monitors domain names, WebDNS, spotted that the hacking was part of a sustained campaign.
Alex Jeffreys, the technical director of WebDNS, said he noticed that several high-profile web-sites were being hacked on Monday.
"I almost stumbled over it by chance, when I noticed that a number of large company domain names had changed ownership," he told News Online.
As he began checking details of some of the thousands of websites being supported by the server Webprovider Inc, he discovered more than 50 sites that had been hacked from the same address.

Hacked websites
- viagra.com
- eunet.com
- winston.com
- jamesbond.com
- indianajones.com
- mafia.com
- kosova.com
- yu.com
- slovenia.com
- bosnia.com
- sarajevo.com
- warcrimesmonitor.com
- arkan.com
- tudjman.com

The hacked websites had all been registered with Network Solutions, the world's largest register.
Mr Jeffreys said it appeared that the hackers had changed the contact details in Network Solutions' database on Sunday night.
The contact addresses were at first transferred to a Yugoslav address, and then on Monday night to an Albanian address.
"It seems that the Network Solutions database is quite open for hacking, rather than it being one company in particular," he said.

How the hackers worked
It is impossible to say exactly who the hackers are, or how they managed to breach databases that should be secure.
However, Mr Jeffreys said they probably sent spoof e-mails to Network Solutions, pretending to be from the company concerned, and requesting a change of address.
The requests for a modification are sent by an automatic e-mail form.
Although Network Solutions was not available for comment, a message on their answer machine said that "if you are making a registrar name change or contact modifications request" there would be delays while they "carefully review your request for change".



Original article