# !! Apple website defaced !!



## Tetano (Feb 8, 2005)

http://www.apple.com.pt/airport/index.html


----------



## pds (Feb 8, 2005)

dot com dot pt?


----------



## Tetano (Feb 8, 2005)

I think it's from Portugal...


----------



## bobw (Feb 8, 2005)

http://secunia.com/multiple_browsers_idn_spoofing_test/


----------



## davidbrit2 (Feb 8, 2005)

This isn't the IDN spoof. Check the page source, and try entering the supposed URL by hand in the address bar.

If apple.pt really is in fact Apple's Portugal site and not a mockup, then yes, it would appear the page was defaced. I'm not getting any useful whois information on the domain name, unfortunately.


----------



## Tetano (Feb 8, 2005)

don't understand the sense of your link... do you think it's a spoofed webpage?


----------



## Mephisto (Feb 8, 2005)

Not conclusive but I fell back on old reliable and googled for "Apple Portugal" and www.apple.com.pt was the first link.  Search for "Apple Portugal Airport" and it goes to the defaced page.  So yes, the Portugal Apple site seems to have a vandal.

EDIT: Also, in order for it to be a spoofed link Tetano would need to be the malicious party, which hardly seems likely.


----------



## Viro (Feb 8, 2005)

Looks legit. Apple.com.pt didn't just spring up overnight. http://uptime.netcraft.com/up/graph/?host=www.apple.com.pt

Unless they've been planning this for all of two years .


----------



## fryke (Feb 8, 2005)

Hm. On the other hand, apple.com.pt being the only Apple site with a banner in the favicon... Dunno... Well: Has anyone informed Apple? Got a response?


----------



## drunkmac (Feb 8, 2005)

Very interesting. If it we're singapore they'd cane the guy who did it


----------



## bbloke (Feb 8, 2005)

fryke said:
			
		

> Hm. On the other hand, apple.com.pt being the only Apple site with a banner in the favicon... Dunno... Well: Has anyone informed Apple? Got a response?


I'm not really able to say whether or not this was a genuine security breach but, in case it was (and therefore needed rapid attention), I did send a message to Apple about it using their feedback page.  No response, though, as I expected.

If this is for real, it unnerves me a little, but I guess nothing is invulnerable!


----------



## JetwingX (Feb 8, 2005)

i have been doing a bunch of whois searches and i am not seeing anything in relation to apple....


----------



## scruffy (Feb 9, 2005)

Interesting that they just did the airport page - perhaps they figured it would be up longer, as it would take longer to be noticed.


----------



## Viro (Feb 9, 2005)

It's still there. Funny that.


----------



## Natobasso (Feb 9, 2005)

Wouldn't apple know if one of their sites had been hacked, and taken it down a long time ago? I think it's a spoof.


----------



## symphonix (Feb 9, 2005)

I don't think this even is an Apple site. Just go to www.apple.com and look for any link to the Portugal site. Portugal is not in the list. Hence, this is not an actual Apple site.

It would also explain why the site is slow to load, especially on certain pages.

So, who pointed you to this link to begin with anyway?


----------



## Tetano (Feb 9, 2005)

I found the link on www.zone-h.org... i noticed that in the attacks archive there were some MacOSX websites defaced... in details, these sites were www.apple.com.pt/airport and another one, which i don't remember...


----------



## Mephisto (Feb 9, 2005)

symphonix said:
			
		

> I don't think this even is an Apple site. Just go to www.apple.com and look for any link to the Portugal site. Portugal is not in the list. Hence, this is not an actual Apple site.
> ...



You mean like this one? http://www.apple.com/euro/ 

It is a real Apple site, of that I have little doubt so let us end that line of argument. 

1) There is a link to it from the main Apple website.
2) It uses all of the current Apple graphics and layout, not counting the one page.  That is a lot of work.
3) It has a copyright for Apple at the bottom, not something a spoof site can legally do.
4) Heck, the Ausralian website is www.apple.com.au, are we going to argue that is fake as well?  (Link to it in the same dropdown as above.)

So one of the regional sites got hacked, it happens.  The only thing I find amazing is how long it has remained defaced.


----------



## symphonix (Feb 9, 2005)

Yes, the Apple Australia site is www.apple.com.au, but you'll find that Australia is linked off the main Apple page at www.apple.com. Portugal on the other hand is not.

Anyone else wonder about the strange Favicon? The fact that the store section of the site is "down briefly" for updates? The fact that some of the links don't match (such as the Apple-Home button on the store page)? Just look at the page source if you're still not convinced, and you'll see that apple.com is constructed with completely different coding using WebObjects, while apple.com.pt uses JavaScript to do the same things. Metadata is missing from the source, too.

Still not convinced, browse to any of the product pages, and view source. You'll find the site is pulling the CSS stylesheets from Apple UK & Ireland's servers to render the page.

I'm convinced this is some group of hopeless wannabes that want to gain hacker-points for hacking Apple's site, but since they couldn't do it, they faked it.


----------



## bbloke (Feb 9, 2005)

Hmmm, it looks genuine...

I sent another message, this time to Apple (Portugal) directly and I just received this reply:



			
				Apple said:
			
		

> Thanks for your warning, the problem has been corrected and we're seeing if there's other problems with the site.
> 
> Regards
> 
> ...


----------



## lnoelstorr (Feb 9, 2005)

Did anyone get a screenshot?  It seems to have been fixed now (or at least I can't spot anything wrong).

symphonix, it's not linked from the main page, but it is linked from their main European page (same with Greece, Romania, Croatia, ...).


----------



## Mephisto (Feb 9, 2005)

Again I pointed out a link to the Portugal site directly from Apple's main site.  Further do a little research on Apple IMC Portugal and you will find that it is an authorized dealer and that apple.com.pt is real.  Interlog (the company running the IMC in Portugal) does not seem too popular though.


----------



## bbloke (Feb 9, 2005)

lnoelstorr said:
			
		

> Did anyone get a screenshot? It seems to have been fixed now (or at least I can't spot anything wrong).


You can see what the defacing attack looked like here.  Nothing very exciting.


----------



## Convert (Feb 9, 2005)

For some reason, when I clicked the Store button, I got this:

"ATENÇÃO


A Online Store da Apple IMC Portugal encontra-se encerrada para remodelação, esperamos reabrir em breve, até lá pode-nos contactar através do email applestore@apple.com.pt"

I do not know portugese. Anyone care to translate that? Now, whenever I click another link it just continues to show that message and the URL doesn't change. But the tabs at the top do...


----------



## Viro (Feb 9, 2005)

Courtesy of Babel fish:


> "ATTENTION  The Online Store of the Apple IMC Portugal meets locked up for remodelling, waits to reopen in briefing, until can us there contactar through the email applestore@apple.com.pt "


----------



## Convert (Feb 9, 2005)

There's still this however.



EDIT: That's really odd. I was viewing the Apple PT page, and all the options under the tabs are now in English? i.e. in the Apple tab the items like "Hot news" are in English...
Huh?

EDIT Noomber 2: Thanks Viro. This site is acting so weird. Meh.


----------



## legacyb4 (Feb 9, 2005)

I get:

http://www.mac.com.pt/Airport/

Perfect.Br owns MAC


----------



## Mephisto (Feb 9, 2005)

legacyb4 said:
			
		

> I get:
> 
> http://www.mac.com.pt/Airport/
> 
> Perfect.Br owns MAC



That is funny and frightening at the same time apple.com.pt seems to be fixed but mac.com.pt is not.  (EDIT fixed second URL)


----------



## Convert (Feb 9, 2005)

Yay! I found a problem! Lol.


----------



## scruffy (Feb 9, 2005)

No suprise their store is down - if your website was hacked, and every time you fixed it it got hacked again, would you want your web server to be processing credit card transactions until you were good and sure it was fixed?


----------



## robjs (Feb 10, 2005)

I think it's not an Apple site, check the whois for the domain:

zem% whois apple.com.pt
apple.com.pt
Data de registo / Registration Date: 01/03/2002

Entidade Requerente / Domain Holder
   Interlog - Informática S.A.
   Estrada Nacional 6
   Edifício Firmo, Piso 1 Esq
   2720-517 Amadora
   Email: pedro.coutinho@apple.com.pt

Entidade Gestora / Body Managing
   Coltel - Servicos de Telecomunicacoes, Unipessoal Lda 
   Email: luis.melo@colt-telecom.es,luis.melo@colt-telecom.pt

Responsável Administrativo / Administrative Officer
   Joao Marques
   Email: joao.marques@colt-telecom.pt

Responsável Técnico / Technical Officer
   Luis Manuel Seara de Carvalho e Melo
   Email: luis.melo@colt-telecom.es,luis.melo@colt-telecom.pt

Nameserver Information
   Nameserver: ns0.pt.colt.net.
   Nameserver: ns1.pt.colt.net.


----------



## ksv (Feb 10, 2005)

robjs said:
			
		

> I think it's not an Apple site, check the whois for the domain:
> 
> zem% whois apple.com.pt
> apple.com.pt
> ...



It is indeed, but Apple is represented by other companies in many countries and do not have their own office.


----------



## bbloke (Feb 10, 2005)

I contacted the same guy at Apple Portugal about the http://www.mac.com.pt/Airport/ issue, and his reply was as follows:



			
				Apple said:
			
		

> Hi
> 
> This is a copy of the other site, so with the same flaw that was detected, it will be repaired
> 
> ...


----------

