As you probably are aware, the New York Times Web site was recently hacked. Actually, that's not quite accurate. It was the New York Times' domain registrar, Melbourne IT, that got hacked. Wait, sorry, that's not quite right either. It wasn't Melbourne IT but one of its domain resellers that got hacked. And they got fooled by one of the oldest tricks in the book.
The phishing email.
The attack, allegedly carried out by the Syrian Electronic Army, started with the simplest and most effective hacking trick known to geekdom: social engineering.
The U.S.-based sales partner's credentials ended up in the hackers' hands after a targeted phishing attack was directed at the firm's staff, Melbourne IT Chief Technology Officer Bruce Tonkin said early Wednesday. Essentially, several people at the U.S. firm were duped by emails that coaxed them into giving up log-in credentials.
It appears that gaining access to the reseller's account gave the attackers access to the domain control panel at Melbourne IT, which allowed them to change the DNS settings for many sites, including some belonging to the New York Times, Huffington Post, and Twitter. Changing those settings meant that anyone who typed www.nytimes.com into their browser was redirected to a site that distributed malware. It's like someone programming your phone so that when you dial your home number you end up calling a $4-a-minute psychic hotline.
The attack was both sophisticated (going through a registrar sales partner to attack a major media site takes some careful planning) and ridiculously simple ("click on this, you dolt").
The first phishing attacks appeared in the mid-1990s. There have probably been a few trillion since then. So you'd think people would be well aware of them by now. But you'd be wrong.
This is much more common than you might think. Up to 30 percent of users will click on a link in an email regardless of how unsafe it may be, notes Stu Sjouwerman, founder of KnowBe4, which trains its clients how to recognize phishing attacks.
Attackers may send spam that looks like it came from a corporate email address, luring employees to a fake site where they give up their log-in credentials. Often it's the CEO or CFO who gets snared, he adds.
"C-level executives are the biggest targets and the easiest to socially engineer," he says. "Attackers will even target their home networks and install software that captures their passwords. The next time the CFO logs into work from home — bingo, they're in."
This is why phishing emails are still the most common form of social engineering attack, nearly two decades after they first appeared. Most enterprises know enough to harden their systems, fortify their firewalls, and deploy mitigation measures when attacked. But human beings are always the weakest link in any security chain.