How the Legion could have hacked Vijay Mallya and Rahul Gandhi

Ramarko Sengupta December 10, 2016

Update: See Net4 India CEO Jasjit Sawhney’s response to this story here.

Security researchers are probing if hacker group Legion could have broken into the accounts of Congress Vice President Rahul Gandhi and fugitive Indian tycoon Vijay Mallya by exploiting security flaws on web hosting service Net4.

The common link between the two attacks, is Net4, an internet domain registrar and web hosting company, according to Kiran Jonnalagadda, a Bengaluru-based hacker and the founder of HasGeek.

New Delhi based Net4 India Ltd is a listed company and counts companies like ICICI Bank, Punjab National Bank, NDTV and India Today Group among its clients. If the company’s servers have indeed been breached then it poses a huge potential security threat to millions of people.

“If you host domains with Net4 now, GET THE HELL OUT NOW! They are the common factor between the Congress and Vijay Mallya hacks,” Jonnalagadda Tweeted.

We have reached out to Net4, and are awaiting a response on the story. The hack could be happening internally or from the outside, but it’s difficult to ascertain that right now, say security experts.

In a second Tweet, Jonnalagadda said: “If you host a domain with Net4, check your MX records. Are they pointing where they should be pointing? The attackers are intercepting email.”

FactorDaily was the first to report that the hacks were happening via email server and not Twitter. E-mails in transit can be intercepted by a method called DNS MX record hijacking. Domain name servers (DNS) are used to translate an internet address (say factordaily.com) into an internet protocol (IP) address which is understood by a computer. To send an e-mail to a recipient, the sender needs to identify the IP address of the receiver. The sender’s mail server asks for the MX record of the receiver to do that. On receiving the IP address, the sender proceeds to communicate with the receiver. In the case of an attack, the process is hijacked midway as shown in the diagram below by Elie.

How DNS MX record hijacking works
How DNS MX record hijacking works

Update: We checked the MX Records of both rahulgandhi.in and mallya.in. Both were hosted on Net4 servers last we checked (5.30 pm, 10 December 2016). Mallya’s e-mail is hosted by Net4, according to MX records we checked. And Rahul Gandhi’s email is currently on Google apps.

Gandhi’s domain name is registered to Anand Adkoli, who is the son-in-law of Veerappa Moily. Adkoli is supposed to be building the tech for congress, according to this Economic Times report. We’ve emailed Adkoli and are waiting for a response.

A Twitter India source told FactorDaily, “The Twitter accounts are legitimately logged into after gaining credential control from email. On our end we don’t see password hacks.”

“Self hosted email service providers are usually insecure with inadequate safeguards,” says Prasanna Venkatesh, a Bengaluru-based security professional. Many service providers don’t even provide https, short for HyperText Transfer Protocol over SSL (Secure Socket Layer), a more secure encrypted mode of communication.

It’s difficult to say if this was a targeted hack or opportunistic.

“It’s difficult to say if this was a targeted hack or opportunistic,” Venkatesh says. In a targeted attack, you build a profile of the a target by gathering as much information about the target as possible and then using different techniques and vulnerabilities. “It’s almost impossible to track them down because they spoof their IP address and so on,” the security expert says.

Legion that calls itself ‘The untouchable spy force’, has promised to leak data about the Indian National Congress and Vijay Mallya’s assets and bank details. In a series of tweets on Friday, Legion gave out alleged “partial” details of Mallya’s investments along with his address, phone numbers, email ids and passwords.

With inputs from Jayadevan PK

Update (2.55 PM IST): We added a second Tweet from Jonnalagadda to add context and tweaked the headline for accuracy.

Update (10.06 PM IST): Added two paragraphs with more details as pointed out in the story above.