How US domain registrar helped Iranian cyber army hack Baidu

A hacker who took down top Chinese search engine Baidu.com last month broke into its account with a U.S. domain name registrar by pretending to be from Baidu in an online chat with the registrar's tech help, according to a lawsuit filed by Baidu.

Support staff at the registrar, Register.com, then refused to aid Baidu when first contacted about Baidu.com redirecting users to a web page that declared, "This site has been hacked by the Iranian Cyber Army," the Baidu complaint alleges. The complaint was filed last month in US District Court for the Southern District of New York, but the court only recently released an unredacted copy of the complaint.

The complaint says Baidu's service was disrupted for five hours by the hack and seeks millions of dollars allegedly lost in revenue and other costs.

The attack began on the afternoon of 11 January when the hacker contacted Register.com tech help via online chat and claimed to be from Baidu, the complaint alleges. The attacker asked a support representative to change Baidu's email address on file. The representative then sent a confirmation code to Baidu's email account even though the hacker answered a security question incorrectly, the complaint alleges.

The attacker could not access Baidu's email account, so instead made up a confirmation code and sent it to the support representative when asked, the complaint alleges. Without comparing the two codes, the support representative took the bogus answer to be correct and agreed to the attacker's request to change Baidu's e-mail address on file to "antiwahabi2008@gmail.com", the complaint alleges.

"Incredibly," the complaint says, Register.com "thus changed the e-mail address on file from one that was clearly a business address and contained the name of the account owner, to an e-mail address that conveyed a highly politically charged message ('antiwahabi'), with the domain name ('gmail.com') of a competitor of Baidu, at the request of an individual who not only could not produce the correct security verification, but actually produced false information twice."

It's unclear exactly what 'antiwahabi' refers to, but the spelling matches that of the strict Wahabi Muslim religious sect. Baidu did not immediately reply to a request for comment.

The attacker then used the reset function for forgotten passwords to have Register.com send a new password for Baidu's account to the changed email address, the complaint alleges. The attacker then changed the settings in Baidu's account to reroute visitors to a different web page - completing a process that took less than one hour, the complaint says.

Register.com did not immediately reply to a request for comment, but the company last month called the Baidu lawsuit "completely without merit" and said it was working with law enforcement officials investigating the crime.

Domain registrars like Register.com sell domain names, such as Baidu.com, and provide the setup needed for them to lead visitors to the correct Web site.

The release of the unredacted complaint was reported earlier by Domain Name Wire, which posted a copy of the document.

"It's as if they asked you the last four digits of your Social Security number and you made something up and they didn't verify," said Andrew Allemann editor of Domain Name Wire, in an interview. A registration service that requires extra authentication could have prevented the attack, he said.

Similar attacks have hit other companies in the past. In 2008, for instance, an intruder altered the domain records of payment processor CheckFree after logging into an account that belonged to it.

"The sad thing is that companies don't think about this until it's happened to them and then they go scream bloody murder," said Allemann.

Baidu is by far the top online search provider in China and accounts for as much as three out of four searches in the country, according to local consultancies. Google takes a distant second place and its future in the country is unclear. Google last month said it planned to stop censoring results on its China-based search engine, even if that means being thrown out of the country. Google.cn is still censoring search results, but the company has said it is in talks with the government.