It was a Saturday morning in November 2012 when I started observing tweets about the Google Pakistan and Microsoft Pakistan websites getting hacked. I immediately checked both websites and they were really showing a message from some Turkish hacker. I did an nslookup and the nameservers had been changed to some free hosting service provider. Obviously, Google and Microsoft were not hosting their websites on a free webhost. Actually, they were not the only ones who were hacked; it was PKNIC. I quickly did a reverse whois and randomly checked a few of them. All of them were showing the same page. There were 284 domains pointing to those specific nameservers. What? 284 domains hacked and people are talking about just 2 domains. This must be mega news. I quickly tweeted this:
Not only microsoft and google, 284 .PK domains managed by MarkMonitor have their DNS changed @propakistanipk @bytesforall @pakistanlawsite — Irfan Ahmad (@erfaan), November 24, 2012
The tweet went viral and was picked up by many news agencies and blogs. There are still many tweets in Twitter search results:
Many referenced me, and many presented it without mentioning the reference, pretending it was their own news.
Here are some of them:
- “it appears that 279 other sites in Pakistan were hacked by a group that appears to be Turkish and calls itself Eboz. Little else is known about Eboz” Techcrunch
- “Google, Apple, eBay and Yahoo were among almost 300 sites affected by a hack attack in Pakistan.” BBC
- “including google.com.pk, apple.pk, microsoft.pk and yahoo.pk. 284 sites were affected in total.” Slashdot
- “284 Pakistani domain names reportedly hijacked, affecting Google, Apple, and Microsoft” The Verge
- “Eboz has hacked over 284 .PK TLD’s this morning, and some of them are major websites like Google.com.pk, Apple.pk, PayPal.pk” gadgec
- “Google’s Pakistan site, 277 others hacked by Turkish hacker group Eboz” first post
- “Today could be the biggest event of the year in Pakistan, due to a change in the DNS entries for 284 Pakistani domains managed by MarkMonitor.” neowin
- “Microsoft.pk and 284 Other .PK Domains Get Hacked” PTE TECH
- “Yes, Google.Com.PK along with 284 other .PK domains were hacked today” Pro Pakistani
- “Yes, google.com.pk, along with 284 other .pk domains, was hacked today, reported Propakistani, a technology blog based in Islamabad.” Tribune Pakistan
- “A total number of 258 web pages with ‘pk’ domain names, managed by MarkMonitor, such as ‘.com.pk’, ‘.pk’ and ‘org.pk’ were hijacked on 23 November” New Europe
And some blogs & news sites in other languages which I don’t understand:
- “More than 280 popular web sites in Pakistan fell victim to Turkish hackers, among them popular services such as the Pakistani pages of Apple, Google, Microsoft and Sony.” PC Magazine Greece
- “Big embarrassment for the internet giants: more than 280 popular Pakistani domain names (.pk) were hacked last night (Saturday) for reasons that are not yet clear.” Geek Time Israel
Not only this, the 284 figure was also published by print media. Here is a news item from The News Pakistan (by Pakistan’s largest newspaper group):
So, as you can see, each and every news site and blog was after the news and everyone was publishing it in his own words. What went wrong here? Did anyone ask any of these blogs or news sites for a list of the 284 hacked domains? Did they publish such a list?
The confession part
I tweeted and went for my breakfast. After having breakfast I decided to publish the list of these hacked domains. As I started reviewing the hacked domains list, I noticed that I had made a big mistake while counting hacked domains. There were 2 name servers pointing to that specific free hosting provider and I counted all the domains pointing to either of those 2 name servers. So actually, there were just 142 domains, each one counted twice. Now I was extra careful before publishing anything. I checked the name server change history of all of those domains and noticed that only 110 were changed in the last 24 hours. What about the remaining 32 domains pointing to that specific name server? All of them were showing real websites hosted by that free hosting provider and they were not hacked. I verified twice and published the list here. My blog was getting a huge traffic spike at that time. A lot of news sites and blogs picked up the list immediately and updated their news articles. This is how the online news world works. They pick up news items from whatever source they can get them and publish them immediately without verifying anything.
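
The counting mistake and the two checks described above (deduplicating across both name servers, then keeping only domains whose name servers changed in the last 24 hours), as an added example that is not part of the original post. The nameserver names, domains and timestamps are constructed, and `normalize` and `summarize` are hypothetical helpers.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data, not the real 2012 list. Both hypothetical
# nameservers belong to the same provider, so each domain appears twice.
REVERSE_NS = {
    "ns1.freehost.example": ["Google.com.pk.", "microsoft.pk", "apple.pk",
                             "hobby-site.pk", "unknown-history.pk"],
    "ns2.freehost.example": ["google.com.pk", "MICROSOFT.PK.", "apple.pk",
                             "hobby-site.pk", "unknown-history.pk"],
}
NOW = datetime(2012, 11, 24, 12, 0, tzinfo=timezone.utc)
# Constructed "last nameserver change" timestamps per domain.
LAST_NS_CHANGE = {
    "google.com.pk": NOW - timedelta(hours=6),
    "microsoft.pk": NOW - timedelta(hours=6),
    "apple.pk": NOW - timedelta(hours=5),
    "hobby-site.pk": NOW - timedelta(days=400),  # long-time customer
}


def normalize(name):
    """Lower-case and drop the trailing root dot so duplicates compare equal."""
    return name.strip().lower().rstrip(".")


def summarize(reverse_ns, last_change, now, window=timedelta(hours=24)):
    """Separate the raw row count from deduplicated, time-verified domains."""
    rows = [normalize(d) for names in reverse_ns.values() for d in names]
    unique = set(rows)
    changed, preexisting, unverified = [], [], []
    for domain in sorted(unique):
        when = last_change.get(domain)
        if when is None:
            unverified.append(domain)     # no history: do not count either way
        elif timedelta(0) <= now - when <= window:
            changed.append(domain)        # delegation moved inside the window
        else:
            preexisting.append(domain)    # already hosted there before
    return {"rows": len(rows), "unique": len(unique), "changed": changed,
            "preexisting": preexisting, "unverified": unverified}


if __name__ == "__main__":
    for key, value in summarize(REVERSE_NS, LAST_NS_CHANGE, NOW).items():
        print(f"{key}: {value}")
```

Only the `changed` list is a defensible figure to publish; `rows` is the doubled number that a per-nameserver lookup produces.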