In a high-profile attack led by the Syrian Electronic Army against the New York Times and other websites, users accessing the affected sites were redirected to servers under the attackers’ control, where they were served pages hosting malicious content. The attack was made possible by spear phishing against a reseller partner of an Australian web domain registrar, in which an employee’s credentials were compromised.
In late August, consumers were unable to access the New York Times’ website and several others for a few hours. Hackers claiming to be the Syrian Electronic Army were able to access and change the Domain Name System (DNS) records for, most notably, nytimes.com. Other web domains victimized by this DNS hijacking attack included huffingtonpost.co.uk, sharethis.com, and twitter.co.uk. As a result of the attack, visitors to each of these websites were redirected to another server; in the period immediately following the DNS hijacking, before it was recognized, users were redirected to pages hosting malicious content. Once the attack was recognized, the domain was revoked and traffic was no longer directed to malware-infected sites, but the victimized sites stayed down for several hours.
Each of the affected web domain names was registered and administered by the Australian company Melbourne IT. One of its resellers fell victim to a targeted phishing attack, which ultimately led to the compromise of the partner company’s username and password used to access a reseller account on Melbourne IT’s systems. Once the attackers gained this access, they changed the DNS records of several domains on the account. According to the CTO of Melbourne IT, the spear phishing attack might have affected multiple accounts, and all recipients of the phishing email were required to update their passwords.
For more information: