frimley1
04 Sep 11 22:35
There's currently a DNS hack affecting betfair and some other websites (telegraph, acer, ups).

Why does service.betfair.info seem to be the last thing to update regarding stuff like this?
Report frimley1 September 4, 2011 10:36 PM BST
More info:

http://nakedsecurity.sophos.com/2011/09/04/dns-hack-hits-popular-websites-telegraph-register-ups-etc/
Report Lori September 4, 2011 10:56 PM BST
Never have understood why they hide stuff from us.

Looks far worse if it's found out by third parties.
Report Mr Magoo September 4, 2011 11:47 PM BST
Never mind that, our Betfair logins may well have been found out by third parties.

Due to Betfair's uncaring attitude towards security, if you were logged into the site and then tried to visit Betfair during this attack, your login cookies have been sent to a hacker. The hacker (if they cared) would be free to place bets using your account.

This is entirely avoidable, it would have been prevented if Betfair used a proper, secure site that used SSL everywhere. (Sure, access to the site would have been disrupted but our accounts would not have been put at risk).
Report Mr Magoo September 5, 2011 12:05 AM BST
Betfair's statement:

There is no evidence to suggest that following the incident with our DNS provider that our customers have been put at risk.

i.e. they don't know if anyone's account has been hacked yet, but it is indeed possible.
Report the silverback September 5, 2011 1:02 AM BST
I'm slightly confused as to why (as far as I have seen) no-one on the forum has mentioned they were actually redirected at any stage to this Turkish hacker's graffiti page. Was anyone actually affected or have I misunderstood what's happened?
Report pittsburgh phil September 5, 2011 1:10 AM BST
1. Even though Betfair use the DNS provider that was hacked, the hackers may or may not have specifically redirected Betfair to a defaced page.

2. Betfair users' browsers were probably caching the proper IP address. This means that only new visitors to Betfair may, or may not have seen the defaced page. Regular Betfair visitors may not have picked up the redirect because their device was directing them to the correct place.

Either way DNS issues like this are serious. If the Turkish hackers were not doing it for fun there could be hundreds of thousands of compromised accounts over the next few days. Don't underestimate that there could be a smash and grab of cookies / direct logins that are sold on in the next few days.

Best advice:

ping betfair.com

check the ip address whois details to confirm that you are connected to betfair.

change your password.
Report avi315 September 5, 2011 6:53 AM BST
How to suspend account? Anyone know?
Report aljohnson September 5, 2011 7:42 AM BST
I have just tried to ping betfair.com and it says destination unreachable. What does that mean?
Report pittsburgh phil September 5, 2011 9:43 AM BST
Call the betfair helpdesk 0844 871 0000 to get your account suspended.

ping destination unreachable, or timeout message. That is fine to be timed out. What you do want to see though is the IP address at the top

Pinging betfair.com [84.20.200.28] with 32 bytes of data:

If you don't see that try

tracert betfair.com
Report frimley1 September 5, 2011 10:02 AM BST
You can flush your DNS cache on Windows by opening a command prompt and typing: ipconfig /flushdns

Good advice from P. Phil, would definitely advise rotating your passwords.  The login request on the Betfair site is secure (https) but that's it.  Bet placement is insecure, it's only protected by the mathematical obscurity of your session token given to you upon login.  So if someone has your session token (available in any clear text request after you have logged in to www.betfair.com or similar) while you have an active session there is a vulnerability there.  This is nothing new, there was a Firefox plugin called Firesheep that is used to hijack Facebook/Twitter etc accounts if you use public Wifi (In Starbucks etc).  The only difference here is there's a ton of people's money involved as opposed to updating your mate's LOL Facebook status :) The Betfair API is entirely secure with every transaction being over https.
Report RED68 September 5, 2011 10:26 AM BST
After following pp's instructions I get 2 destination net unreachables, along with timed out.
The address I get is [84.20.200.9]
It then says packets sent 4
packets received 2
packets lost 2
Is this a problem, as I don't have much clue what it means?
Thanks for any advice.
Report frimley1 September 5, 2011 10:33 AM BST
You're good to go RED68.  That's the right IP address.  Betfair doesn't answer pings so ignore everything except for the IP address that came back.
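Added example, not part of any post in this thread: the check described above (ignore the replies, read only the address in the ping header) applied to pasted ping output. The known-good set holds the two addresses posters quoted here in September 2011; the sample transcripts and the 203.0.113.7 address are constructed.

```python
import ipaddress
import re

# Addresses reported as correct for betfair.com in this thread (2011).
# Historical values: substitute a known-good list you obtained out of band.
KNOWN_GOOD = {"84.20.200.28", "84.20.200.9"}

# Windows: "Pinging host [1.2.3.4] with 32 bytes of data:"
# Linux:   "PING host (1.2.3.4) 56(84) bytes of data."
_HEADER = re.compile(
    r"^\s*(?:Pinging|PING)\s+(?P<host>\S+)\s+[\[(](?P<ip>[0-9a-fA-F:.]+)[\])]",
    re.MULTILINE,
)


def resolved_address(ping_output):
    """Return (host, ip) from the ping header line, or None if no name was resolved."""
    m = _HEADER.search(ping_output)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    return m.group("host"), str(ip)


def verdict(ping_output, known_good=KNOWN_GOOD):
    """Classify a transcript by the address it resolved to; replies are ignored."""
    found = resolved_address(ping_output)
    if found is None:
        return "no-resolution"
    return "match" if found[1] in known_good else "mismatch"


# Constructed transcripts (not captured from a real host).
SAMPLE_OK = (
    "Pinging betfair.com [84.20.200.9] with 32 bytes of data:\n"
    "Reply from 10.0.0.1: Destination net unreachable.\n"
    "Request timed out.\n"
)
SAMPLE_BAD = "Pinging betfair.com [203.0.113.7] with 32 bytes of data:\nRequest timed out.\n"
SAMPLE_NONE = "Ping request could not find host betfair.com. Please check the name and try again.\n"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD, SAMPLE_NONE):
        print(verdict(sample))
```

A "match" only means the local resolver returned an address on the list; it says nothing about whether a session cookie was already sent elsewhere before the cache was flushed.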
Report RED68 September 5, 2011 10:37 AM BST
Thanks for your help frimley1.
Report viva el presidente! September 5, 2011 11:18 AM BST
This seems like yet another wake-up call to BF regarding security to me. Totally beyond their control that this hack *appears* not to have led to a fake log-in page.

Given the amounts of money necessarily involved in some people's accounts, I surely can't be the only person thinking that something a bit more bombproof is required?
Report Gin September 5, 2011 11:33 AM BST
On the subject of passwords - what password management software do people recommend?

A quick google shows that there is plenty of free software out there (Keepass, Lastpass, Roboform). Is this software any good?
Report Feck N. Eejit September 5, 2011 11:57 AM BST
I use KeePass and it works fine.
Report aceofspades September 5, 2011 12:18 PM BST
I was someone who was redirected to the hacker's page and the Betfair update on the situation seems flippant to me:

Last night (Sunday 4 September) our DNS provider, Netnames, appears to have been compromised and as a result the Betfair.com site – along with a number of their other clients’ sites including telegraph.co.uk, the UPS site and Acer to name a few

So is the fact that a handful of other well known companies were affected meant to make me feel better? I don't have five figure balances with them.

It's important to note that the websites themselves have *not* been hacked.  Instead of managing to breach the website, the hackers have managed to change the DNS records for the various sites affected .....  someone changed the lookup, so when you entered Betfair.com into your browser you were instead taken to a website that wasn't under the control of Betfair.

Oh that's ok then, so I was only redirected to a third party when trying to visit the site. It's not clear what their aims were last night but if they had wanted to put up a mock Betfair frontpage and harvest usernames and passwords I'm guessing it wouldn't have been too difficult given they had already managed to redirect site traffic?
Report Feck N. Eejit September 5, 2011 12:24 PM BST
What time did all this happen?
Report aceofspades September 5, 2011 12:25 PM BST
I was redirected just after 10pm
Report Feck N. Eejit September 5, 2011 12:29 PM BST
Thanks ace. I think I logged out around 7 p.m. Don't know if that makes me safe.
Report frimley1 September 5, 2011 12:57 PM BST
They are probably hoping this just blows over. There's no way to tell what the hackers logged thus it'll only be evident when/if accounts are hacked in time.  Definitely change your passwords, an easy step to help protect yourselves.
Report erse2 September 5, 2011 1:22 PM BST
"if you were logged into the site and then tried to visit Betfair during this attack, your login cookies have been sent to a hacker. The hacker (if they cared) would be free to place bets using your account."

Only if
1) You were routed to the fake server
2) You were logged in in the first place
3) You had money in your account. You need to enter your password to add funds.

I imagine betfair has already reset cookies as a precautionary measure.

Besides, https://www.betfair.com works, if you're security conscious use that instead, a warning would pop up if an issue like this were ever to arise again.
Report viva el presidente! September 5, 2011 1:29 PM BST
Unfortunately using the https prefix to get straight to the sports page seems to result in a half empty page being returned.
Report erse2 September 5, 2011 1:33 PM BST
I see what you mean. Clicking on links from https://www.betfair.com/ also redirects to non https sports.betfair.com

Maybe they should consider sorting that out and encouraging users to use https all the time.
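Added example, not part of any post in this thread: an audit of one HTTP response for the two weaknesses posters describe, a session cookie that is also sent over plain http and an https page that hands the user on to non-https sports.betfair.com. The cookie name, its value and both header sets are constructed; the Strict-Transport-Security check goes beyond what the thread mentions.

```python
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit


def audit_response(url, headers):
    """Return findings for one response; headers is a list of (name, value) pairs."""
    findings = []
    over_https = urlsplit(url).scheme == "https"
    seen = {name.lower() for name, _ in headers}

    for name, value in headers:
        name = name.lower()
        if name == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for key, morsel in jar.items():
                # Without Secure the browser attaches the cookie to plain-http
                # requests, readable by anyone on the path or by a spoofed host.
                if not morsel["secure"]:
                    findings.append(f"cookie '{key}' lacks Secure")
        elif name == "location":
            target = urljoin(url, value)
            if over_https and urlsplit(target).scheme == "http":
                findings.append(f"https page redirects to cleartext {target}")

    # HSTS tells a returning browser to refuse plain http for this host.
    if over_https and "strict-transport-security" not in seen:
        findings.append("no Strict-Transport-Security header")
    return findings


# Constructed responses: cookie name, values and header sets are hypothetical.
WEAK = [
    ("Set-Cookie", "session_token=abc123; Domain=.betfair.com; Path=/"),
    ("Location", "http://sports.betfair.com/"),
]
HARDENED = [
    ("Set-Cookie", "session_token=abc123; Domain=.betfair.com; Path=/; Secure; HttpOnly"),
    ("Location", "https://sports.betfair.com/"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response("https://www.betfair.com/", hdrs))
```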
Report Mr Magoo September 5, 2011 2:25 PM BST
Only if
1) You were routed to the fake server
2) You were logged in in the first place
3) You had money in your account. You need to enter your password to add funds.


Well, duh. If you have no money in your account, you don't have any to lose. Yesterday was clearly a great day for having a Betfair account with no money in it and not being logged in to Betfair.
Report Mr Magoo September 5, 2011 2:28 PM BST
I see what you mean. Clicking on links from https://www.betfair.com/ also redirects to non https sports.betfair.com

That's interesting, it looks like Betfair may have started to try and get the site running on https:// - an encouraging sign, shame it doesn't work fully yet.

Maybe they should consider sorting that out and encouraging users to use https all the time.

Yes!
Report erse2 September 5, 2011 2:52 PM BST

Well, duh. If you have no money in your account, you don't have any to lose. Yesterday was clearly a great day for having a Betfair account with no money in it and not being logged in to Betfair.


No duh really, your first post assumed that anyone logged in would get the funds cleared out their account, which is quite a big assumption that was worth responding to; particularly for those reading who don't know any better.

Report Mr Magoo September 5, 2011 3:00 PM BST
No duh really, your first post assumed that anyone logged in would get the funds cleared out their account, which is quite a big assumption that was worth responding to; particularly for those reading who don't know any better.

And so you helpfully responded and pointed out that people who weren't logged in, who had no money, or who didn't visit the site weren't at risk. Very reassuring to those of us logged in, who couldn't access the real Betfair, and have money in our accounts.

The danger was and is real. If I try to view a market on Betfair and someone else sees that traffic, whether it be through a DNS hack like yesterday, or whether I'm using a public WIFI connection, that person has all the information they need to place bets on Betfair with my account. A rush of deliberately bad bets could clean out an account. A well-planned attack could ensure that someone else's account made a tidy profit from it.
Report Gin September 5, 2011 3:12 PM BST
Feck N. Eejit
05 Sep 11 11:57
I use KeePass and it works fine.


Cheers Feck - I'll check it out.
Report fairfranco September 5, 2011 3:14 PM BST
Surely you're getting wound up at the wrong people here.

This hack is nothing to do with Betfair, it is down to the security with Netnames.  If they can't keep their records safe then most of the world's websites are open to redirection.

It's rather worrying as by changing the DNS records those traits that people normally look for in phishing attacks such as the address in the bar being different from expected aren't there.
Report brendanuk1 September 5, 2011 6:48 PM BST
As has been said, Betfair left the security door open by not using https across the site. If no one is affected then it's by pure luck on Betfair's part.

Anyone know why third party (Netnames) are looking after Betfair's DNS records anyway? What do banks do?
Report dave1357 September 5, 2011 10:17 PM BST
What do banks do? This hack has explained why my bank has a picture and phrase thing when I log on.  I thought it was anti-phishing which annoyed me a bit as I never fall for any of that, but this incident explains what they might be trying to prevent.  It is a 2 stage logon though, first a username then the picture/phrase pops up, then another number and password.  The whole DNS thing looks like a huge security problem though and more people should be made aware of it.
Report Get me a drink September 6, 2011 4:07 AM BST
I use Rapport, which I got from my bank and is supposed to indicate whether or not you're on a phishing site. With the DNS records being changed, would Rapport know that you're logging on to an erroneous site?
Report frimley1 September 6, 2011 11:27 AM BST
Unfortunately this hack would not have been stopped by something like Rapport.  The real DNS for Betfair was changed thus it looked legit.

Agree with some comments on the state of this site's security.  Banks are on the reactionary trailing edge of security really in as far as their security enhancements are largely driven by closing holes discovered by continually innovative exploits.  You'd think a tech company like this one would pride itself on leading the way - in reality it's complacent or misguided, the consequence of which is it's a sitting duck.
Report DStyle September 6, 2011 4:31 PM BST
frimley1 - glad someone else recognises the problem with unencrypted session cookies on this site.

Do Betfair / did Betfair ever offer wireless access to its customers on jollies at certain sporting events?