Network Solutions is the common denominator in the redirects – it is the domain registry for all the affected sites. One of the companies, Avira, has issued a statement: "It appears that several websites of Avira as well as other companies have been compromised by a group called KDMS. The websites of Avira have not been hacked, the attack happened at our Internet Service Provider 'Network Solutions.'"
If attackers can get access to the DNS records at the registry, they can simply alter those records to point to a different server. The legitimate site remains untouched, but all subsequent visitor queries get sent to a server under the control of the attackers until the redirection is corrected. A similar style of attack was used by the Syrian Electronic Army against the New York Times via MelbourneIT earlier this year.
Avira explains how they think this was achieved. "It appears that our account used to manage the DNS records registered at Network Solutions has received a fake password-reset request which was honored by the provider. Using the new credentials the cybercriminals have been able to change the entries to point to their DNS servers."
It is not known if a similar method of attack was used against the other targets. AVG issued a brief statement yesterday: "AVG can confirm today that it has had a select number of online properties defaced as a result of our domain name system (DNS) registrar being compromised. A number of other companies appear to have been faced with a similar issue. The situation is being further monitored and assessed closely."
Last weekend Leaseweb described a redirection attack against itself that is now believed to be the first in this sequence. Leaseweb also uses Network Solutions. On 6 October it issued a statement on its blog: "The unauthorized name server change for leaseweb.com took place at our registrar on Saturday 5 October, around 19:00 hours CET / 1 PM EST. While the hijack was soon detected and mitigated, it took some time before our adjustments in the DNS cache were propagated across the internet."
Network Solutions, owned by Web.com, has so far said very little, but is reported by TechWorld to be aware of the issues and investigating. "Cybercrime today is rampant," said John Herbkersman, Web.com's senior director for public communications. "We just continue to try to do our best to bring in the best people and bring in the best equipment."
It would seem that this was an attack motivated by political hacktivism rather than financial gain. The purpose was to display a message which is effectively 'free Palestine.' It is believed that the server used to display the message to redirected visitors made no attempt to install malware. Indeed, KDMS Team subsequently boasted on Twitter, "850 000 one saw our message free #Palestine from the hacked sites its self."