Menu
Spear phishing led to DNS attack against the New York Times, others

Spear phishing led to DNS attack against the New York Times, others

Hackers managed to compromise the login credentials for a Melbourne IT domain reseller responsible for the affected domains

The cyberattack that resulted in nytimes.com and some other high-profile websites being inaccessible to a large number of users Tuesday started with a targeted phishing attack against a reseller for Melbourne IT, an Australian domain registrar and IT services company.

The attack resulted in hackers changing the DNS (Domain Name System) records for several domain names including nytimes.com, sharethis.com, huffingtonpost.co.uk, twitter.co.uk and twimg.com -- a domain owned by Twitter -- Jaime Blasco, director of the research lab at security firm AlienVault, said Tuesday in a blog post.

This resulted in traffic to those websites being temporarily redirected to a server under the attackers' control.

Hackers also made changes to the registration information for some of the targeted domains, including Twitter.com. However, Twitter.com itself was not impacted by the DNS hijacking attack.

A hacker group called the Syrian Electronic Army (SEA) that publicly supports Syrian President Bashar al-Assad and his government took credit for the attack via Twitter. During the past several months the group broke into the websites or Twitter accounts of several media organizations including the Financial Times, the Associated Press, The Guardian, BBC and Al Jazeera.

Initial information suggested that the systems of Melbourne IT, the company through which all of the affected domain names were registered and administered, might have been hacked. However, the company later revealed that it was one of its resellers whose account was actually compromised.

"The credentials of a Melbourne IT reseller (username and password) were used to access a reseller account on Melbourne IT's systems," Tony Smith, general manager of corporate communications at Melbourne IT, said Wednesday via email. "The DNS records of several domain names on that reseller account were changed, including nytimes.com."

The name of the reseller was not disclosed.

According to Smith, the affected DNS records have been reverted back to their original values and have been locked from further modification at the .com registry level. The .com registry and DNS zone are operated by VeriSign.

In a subsequent statement sent via email, Bruce Tonkin, the chief technology officer of Melbourne IT, revealed that the compromise was the result of a targeted phishing attack that might have affected multiple accounts.

"We have obtained a copy of the phishing email and have notified the recipients of the phishing email to update their passwords," Tonkin said Tuesday via email. "We have also temporarily suspended access to affected user accounts until passwords have been changed."

Some users likely remained affected by the attack even after the DNS records were corrected by Melbourne IT in its system, as the recursive DNS servers of their ISPs continued to serve the compromised records from cache until their time-to-live (TTL) value expired. Because of caching, DNS record changes can take up to 24 hours to propagate through the entire Internet.

DNS hijacking attacks can affect users beyond just preventing them from accessing a website, because they also allow attackers to redirect users to malicious content. Users affected by the attack against nytimes.com were redirected to a server hosted in an IP (Internet Protocol) address range that is associated with malicious attacks, but it doesn't seem they were actually served malware.

"Technical teams from CloudFlare, OpenDNS and Google jumped on a conference call and discovered the site to which the NYTimes.com site was redirected was in Internet space (the IP addresses) full of phishing and possible malware, although no malware distribution was witnessed," Matthew Prince, CEO of website optimization and security firm CloudFlare, said in a blog post.

In the blog post, Prince initially wrote that it appeared the site hosted malware. He later corrected the post.

In order to prevent rogue modification of DNS records, domain owners can ask their registrars to put registry locks in place for their domains, like Melbourne IT did for nytimes.com and the other affected websites. This lock is placed at the registry level, meaning with those companies that administer the .com, .net, .org, and other domain extensions.

"Registrars generally do not make it easy to request registry locks because they make processes like automatic renewals more difficult," Prince said. "However, if you have a domain that may be at risk, you should insist that your registrar put a registry lock in place. It's worth noting that while some of Twitter's utility domains were redirected, Twitter.com was not -- and Twitter.com has a registry lock in place."

SEA claimed Wednesday on Twitter that they hacked Melbourne IT's blog site. A message left on the site read "Hacked by SEA, Your servers security is very weak," suggesting that the hacker group might still have some level of access to Melbourne IT's systems.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securityinternetmalwareGoogletwitterservicesMelbourne ITintrusionnew york timesOpenDNSAccess control and authenticationCloudFlare

Featured

Slideshows

Meet the leading female front runners of the Kiwi channel

Meet the leading female front runners of the Kiwi channel

Reseller News honoured the leading female front runners of the New Zealand channel at the 2018 Women in ICT Awards (WIICTA) in Auckland. The awards honoured standout individuals across seven categories, spanning Entrepreneur; Innovation; Rising Star; Shining Star; Community; Technical and Achievement.

Meet the leading female front runners of the Kiwi channel
Meet the top performing customer-centric Microsoft channel partners

Meet the top performing customer-centric Microsoft channel partners

Microsoft honoured leading partners across the channel following a year of customer innovation and market growth in New Zealand. The 2018 Microsoft Partner Awards recognised excellence within the context of the end-user, spanning a host of emerging and established providers.

Meet the top performing customer-centric Microsoft channel partners
Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Show Comments