As I'm writing this, Avira's main page still sports the group's pro-Palestinian message, and AVG's and WhatsApps' can't be reached.
The hackers' aim seems to be to simply bring attention to the plight of Palestinians and, as has been confirmed, the Avira defacement was not a result of website hacking but that of the company's ISP Network Solutions.
Chances are good that the other defacements have been executed in the same way.
“It appears that our account used to manage the DNS records registered at Network Solutions has received a fake password-reset request not being initiated by anyone at Avira,” shared Avira's security expert Sorin Mustaca. “Network Solutions appears to have honored this request and allowed a 3rd party to assume control of our DNS. Using the new credentials the cybercriminals have been able to change the entries to point to their DNS servers.”
"Once an attacker has control of the NS records, they may also change MX records and redirect e-mail, or in the case of an antivirus company like Avira change the addresses used to download signature updates," pointed out ISC handler Johannes Ullrich. The good news is that the defaced sites do / did not include or point to malware.
But Mustaca didn't say whether something like that happened, just that they have shut down all external services until the original DNS entries are restored.
The group is apparently the same one that performed a DNS hijack of the official website of LeaseWeb hosting firm earlier during the weekend and, if the attacker's Twitter account is to be believed, Alexa and Redtube were also targeted earlier this week.
"AVG can confirm today that it has had a select number of online properties defaced as a result of our domain name system (DNS) registrar being compromised," commented the company.
"A number of other companies appear to have been faced with the similar issue. The situation is being further monitored and assessed closely. Customers are our priority, the DNS records have been corrected and AVG is working hard to resume normal service levels to its customer base and continue to protect our customers and their privacy.”
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.