Pakistan’s internet-using population was slammed today with a systematic take-down of local versions of some of the world’s biggest names in tech, and several hours after first going down, Google.pk, Google.com.pk, Yahoo.pk, Apple.pk, Microsoft.pk still do not appear to be working. In all, it appears that 279 other sites in Pakistan were hacked by a group that appears to be Turkish and calls itself Eboz. Little else is known about Eboz, but it appears that Eboz has been hacking into many other sites, with Pakistan merely today’s target. [Update: It looks like Google, Cisco, Microsoft, eBay and others are coming back up now, with their nameservers back to their own from the previous "freehostia" hijack. PTE Tech has a running list of them.]
Here’s what else we have found:
A search in the Zone-h archive of defaced websites, notes hundreds of sites that have been defaced by Eboz — in all, the number totals 313, with 85 single IP and 228 “mass defacements.”. Many are Turkish but the full list covers a number of countries and top-level domains. This list doesn’t appear to contain today’s Pakistani list, meaning that Eboz is now linked to some 600 take-downs.
Eboz’s trek across the internet has been somewhat random. Other sites that post “hacked by Eboz” messages include a site called “Safe4Web,” and part of the site of Czech outdoor advertising company Sauveterre, and a membership page for a business called MG events. The Sauveterre page seems to date from 2009 — meaning Eboz, or the name at least, has been used for hacking for years already.
It’s not clear exactly what Eboz’s motive is. One question is whether there is a political angle. Softpedia reports that Eboz was also linked to several sites taken down earlier in the week in Israel. However, that group appeared to be Pakistani, while this one is Turkish.
And according to some of the messages that have been left, the takedowns do not appear to be political. One defaced site has a note seems to imply that the hack is primarily to highlight a security flaw: “Why we have wasted our time to hack Pakistani Sites? Just because let us convey our message. We warned you and we were willing to fix your vulnerability but you think we are jokers and you guys took it as a joke? Yes it’s time to bang you guys!!”
That last quote comes from the Softpedia story linked above, but I’ve not seen it used myself. Instead, what I have come across today’s Pakistani sites is a page with a photo of two penguins on a bridge and the cryptic message (via Google Translate) “eboz: of a friend always there for me / My homies have not shot by me with every breath.” Trabzon, mentioned at the bottom of the page, is a Turkish town on the Black Sea. Here’s what that page looks like (this is a screenshot of http://www.msn.org.pk/):
In many cases the companies have now taken down the sites altogether while they regain control.
On sites like Sauveterre’s the group also seems to imply that it is hacking for hacking’s sake: “No More Smile .. :) Sorry Guyz Was Just Bored. Don’t Panic It Happens All The Time, Just Secure Your Mind, Then Secure Your Shit.”
The root of today’s attack, it seems, came via a breach of Pakistan’s TLD operator, PKNIC, which administers all .pk domains. Looking at affected organizations via PKNIC’s look up, it appears that all the sites are now redirecting to two nameservers, dns1.freehostia.com and dns2.freehostia.com. Here’s Apple.pk for example:
Neither of those two freehostia sites appear to be working, either, which could point to the legit sites coming back online again soon.