Spear phishing led to DNS attack against the New York Times, others
Hackers managed to compromise the login credentials for a Melbourne IT domain reseller responsible for the affected domains
IDG News Service - The cyberattack that resulted in nytimes.com and some other high-profile websites being inaccessible to a large number of users Tuesday started with a targeted phishing attack against a reseller for Melbourne IT, an Australian domain registrar and IT services company.
The attack resulted in hackers changing the DNS (Domain Name System) records for several domain names including nytimes.com, sharethis.com, huffingtonpost.co.uk, twitter.co.uk and twimg.com -- a domain owned by Twitter -- Jaime Blasco, director of the research lab at security firm AlienVault, said Tuesday in a blog post.
This resulted in traffic to those websites being temporarily redirected to a server under the attackers' control.
Hackers also altered the registration (WHOIS) information for some of the targeted domains, including twitter.com. However, twitter.com itself was not redirected in the DNS hijacking attack.
A hacker group called the Syrian Electronic Army (SEA) that publicly supports Syrian President Bashar al-Assad and his government took credit for the attack via Twitter. During the past several months the group broke into the websites or Twitter accounts of several media organizations including the Financial Times, the Associated Press, The Guardian, BBC and Al Jazeera.
Initial information suggested that the systems of Melbourne IT, the company through which all of the affected domain names were registered and administered, might have been hacked. However, the company later revealed that it was one of its resellers whose account was actually compromised.
"The credentials of a Melbourne IT reseller (username and password) were used to access a reseller account on Melbourne IT's systems," Tony Smith, general manager of corporate communications at Melbourne IT, said Wednesday via email. "The DNS records of several domain names on that reseller account were changed, including nytimes.com."
The name of the reseller was not disclosed.
According to Smith, the affected DNS records have been reverted to their original values and have been locked against further modification at the .com registry level, so that changes made through a registrar or reseller account alone can no longer take effect. The .com registry and DNS zone are operated by VeriSign.
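A registry-level lock of the kind Smith describes shows up in a domain's WHOIS or RDAP data as EPP status codes prefixed with `server` (set and cleared only by the registry), as opposed to the `client`-prefixed codes that a registrar's systems can change. The following added example, which is not part of the article or of Melbourne IT's systems, parses constructed WHOIS-style output offline and reports which lock tier a domain actually has; the domain names and status lines are made up for illustration.

```python
"""Check a domain's EPP status codes for registry-level locks.

Added example, not from the article. The WHOIS text below is constructed;
real data comes from `whois <domain>` or the registry's RDAP service, whose
"Domain Status:" lines follow the same format.
"""
import re

# Locks that only the registry (for .com, VeriSign) can set or remove.
REGISTRY_LOCKS = frozenset({
    "serverUpdateProhibited",
    "serverDeleteProhibited",
    "serverTransferProhibited",
})

# Registrar-set equivalents: anyone with registrar/reseller access can clear these.
REGISTRAR_LOCKS = frozenset({
    "clientUpdateProhibited",
    "clientDeleteProhibited",
    "clientTransferProhibited",
})

# Matches e.g. "Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited"
_STATUS_LINE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.MULTILINE)


def parse_statuses(whois_text: str) -> frozenset:
    """Return the set of EPP status codes listed in WHOIS output."""
    return frozenset(_STATUS_LINE.findall(whois_text))


def lock_report(statuses) -> dict:
    """Summarise lock tiers. `registry_locked` is the state Smith described:
    all three server-side prohibitions present, so registrar-level access alone
    cannot change nameservers, contacts or transfer the domain."""
    statuses = frozenset(statuses)
    return {
        "registry_locked": REGISTRY_LOCKS <= statuses,
        "registrar_locked": REGISTRAR_LOCKS <= statuses,
        "missing_registry_locks": sorted(REGISTRY_LOCKS - statuses),
    }


# Constructed sample: only registrar-level locks, the common default.
SAMPLE_REGISTRAR_ONLY = """\
Domain Name: EXAMPLE-NEWSPAPER.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Name Server: NS1.EXAMPLE-DNS.NET
"""

# Constructed sample: the same domain after a registry lock has been applied.
SAMPLE_REGISTRY_LOCKED = SAMPLE_REGISTRAR_ONLY + """\
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
"""

if __name__ == "__main__":
    for label, text in (("registrar-only", SAMPLE_REGISTRAR_ONLY),
                        ("registry-locked", SAMPLE_REGISTRY_LOCKED)):
        print(label, lock_report(parse_statuses(text)))
```

Run against live WHOIS output for each domain an organisation owns; any high-value domain reporting `registry_locked: False` is protected only by credentials held at the registrar or its resellers, which is exactly the tier that was phished here.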
In a subsequent statement sent via email, Bruce Tonkin, the chief technology officer of Melbourne IT, revealed that the compromise was the result of a targeted phishing attack that might have affected multiple accounts.
"We have obtained a copy of the phishing email and have notified the recipients of the phishing email to update their passwords," Tonkin said Tuesday via email. "We have also temporarily suspended access to affected user accounts until passwords have been changed."
Some users likely remained affected by the attack even after Melbourne IT corrected the DNS records in its system, because the recursive DNS servers of their ISPs continued to serve the hijacked records from cache until the records' time-to-live (TTL) value expired. How long a change takes to propagate is bounded by the TTL the cached records carry; with the TTL values commonly in use, DNS record changes can take up to 24 hours to propagate through the entire Internet.
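The caching behaviour described above is easiest to see with a small model of a recursive resolver. The following added example, which is not from the article, simulates a resolver that caches a hijacked record at the moment of the first lookup, keeps serving it after the authoritative data has been corrected, and only fetches the fixed value once the TTL has run out. All names, addresses, timestamps and TTLs are constructed.

```python
"""Model of a recursive resolver cache and TTL expiry.

Added example, not from the article. `authoritative` stands in for the
zone data that Melbourne IT corrected; the resolver never sees that change
until its cached copy expires. All values are constructed.
"""
from dataclasses import dataclass


@dataclass
class CachedRecord:
    value: str
    expires_at: int  # absolute time in seconds when the entry must be dropped


class ResolverCache:
    """Caches one value per (name, type), honouring the TTL seen at fetch time."""

    def __init__(self):
        self._entries = {}

    def store(self, name: str, rtype: str, value: str, ttl: int, now: int) -> None:
        # The TTL counts from when the resolver fetched the record, not from
        # when the authoritative data later changes.
        self._entries[(name, rtype)] = CachedRecord(value, now + ttl)

    def lookup(self, name: str, rtype: str, now: int):
        """Return (value, remaining_ttl) while cached, or None once expired."""
        rec = self._entries.get((name, rtype))
        if rec is None or now >= rec.expires_at:
            self._entries.pop((name, rtype), None)
            return None
        return rec.value, rec.expires_at - now


def resolve(cache: ResolverCache, authoritative: dict, name: str, rtype: str, now: int):
    """Answer from cache when possible; otherwise fetch from authoritative data."""
    hit = cache.lookup(name, rtype, now)
    if hit is not None:
        return hit[0], "cache"
    value, ttl = authoritative[(name, rtype)]
    cache.store(name, rtype, value, ttl, now)
    return value, "authoritative"


def timeline() -> dict:
    """Replay the sequence the article describes with constructed values."""
    cache = ResolverCache()
    # t=0: attackers have already pointed the record at their server (constructed address).
    authoritative = {("example.com", "A"): ("203.0.113.7", 86400)}
    seen = {}
    seen["t=0 hijacked"] = resolve(cache, authoritative, "example.com", "A", 0)

    # t=600: registrar reverts the record to the legitimate address (constructed).
    authoritative[("example.com", "A")] = ("198.51.100.10", 86400)

    # t=3600: the resolver still answers from its cache with the hijacked value.
    seen["t=3600 after fix"] = resolve(cache, authoritative, "example.com", "A", 3600)

    # t=86400: the cached entry has expired, so the corrected value is fetched.
    seen["t=86400 expiry"] = resolve(cache, authoritative, "example.com", "A", 86400)
    return seen


if __name__ == "__main__":
    for step, (value, source) in timeline().items():
        print(f"{step:>20}: {value} (from {source})")
```

In this incident what changed was the delegation data for the domains, and resolvers cache those records in the same way, so the cleanup window is set by whatever TTL the hijacked records carried when each ISP's resolver fetched them. Shortening TTLs ahead of a planned change helps; it does nothing for a change you did not plan.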