Cyber Incident Victim: Yahoo Malaysia
Date: Apr 2015
Location: Malaysia
Summary
A group of Bangladeshi hackers using aliases Ne0-h4ck3r, TiGER-M@TE, and F0RTYS3V3N conducted coordinated defacement attacks against multiple high-profile domains, including Yahoo Malaysia, Google Images, YouTube, and Google Malaysia. The attackers replaced legitimate content with a message boasting their exploits and left contact information, marking their second successful compromise of Google Malaysia that same day through DNS redirection techniques. This followed their prior targeting of Google Kenya. The defacements involved redirecting visitors to hacked pages displaying their signature, though all affected services were restored shortly after the incidents. The hackers claimed responsibility through Zone-h mirror postings, though their specific motives remained undisclosed in the defacement notices.
Description
On April 15, 2015, three Bangladeshi hackers using the aliases Ne0-h4ck3r, TiGER-M@TE, and F0RTYS3V3N executed coordinated defacement attacks against multiple high-profile domains, including Yahoo Malaysia (yahoo.my), Google Images Malaysia (images.google.com.my), YouTube Malaysia (youtube.my), and Google Malaysia’s nameserver (ns2.google.com.my). The attackers replaced the legitimate content of these domains with a defacement page displaying the message “Pwnd by! Ne0-h4ck3r, TiGER-M@TE and F0RTYS3V3N | Mirror on the wall | #Hackers r0x Lamers Sux | How are you? | Here we are again!” alongside contact information for one attacker. This marked the second compromise of Google Malaysia’s domain within 24 hours, following an earlier DNS redirection attack attributed to TiGER-M@TE. The hackers did not disclose motives in their defacement message. Zone-h, a website tracking digital defacements, publicly archived mirrors of all compromised domains as evidence, including http://www.zone-h.org/mirror/id/24043395 for yahoo.my. Historical attribution linked the same group to the 2013 defacement of Google Kenya’s domain, indicating a pattern of targeting regional subdomains of multinational platforms.

The incident raised operational and attribution challenges, particularly regarding yahoo.my’s ownership structure. While visitors to yahoo.my were routinely redirected to malaysia.yahoo.com, WHOIS records indicated divergent registration details between the two domains, leaving uncertainty about whether Yahoo Inc. directly controlled yahoo.my or if it belonged to a third party. This ambiguity complicated impact assessments of the defacement. All affected domains were restored to normal functionality by the time Hackread published its report on the incident. The defacements caused temporary service disruptions for users attempting to access the targeted Malaysian subdomains but did not extend to the global operations of Google, YouTube, or Yahoo. No data breaches, malware deployments, or persistent unauthorized access were reported in connection with the attacks, which appeared limited to surface-level website alterations. The use of Zone-h mirrors by the attackers served both as a tactical proof-of-compromise and a public record of their activities.
