Spear phishing led to DNS attack against the New York Times, others

Lucian Constantin | Aug. 29, 2013
Hackers managed to compromise the login credentials for a Melbourne IT domain reseller responsible for the affected domains.

DNS hijacking attacks can do more than prevent users from reaching a website: they also let attackers redirect visitors to malicious content. According to Matthew Prince, CEO of CloudFlare, a company that provides website optimization and security services, that is what happened during this attack.

"Technical teams from CloudFlare, OpenDNS and Google jumped on a conference call and discovered what appeared to be malware on the site to which the NYTimes.com site was redirected," Prince said Tuesday in a blog post.

"The registrar of the primary domain the Syrian Electronic Army was using as a name server for the domains they hacked revoked the domain's registration this afternoon," he said. "Since the cache TTL on the domain was relatively short, shortly after the domain was revoked traffic largely stopped flowing to the malware infected sites."

Prince and CloudFlare did not immediately respond to an inquiry seeking more information about the type of malware that had been served during the attack.

To prevent rogue modification of DNS records, domain owners can ask their registrars to put registry locks in place for their domains, as Melbourne IT did for nytimes.com and the other affected websites. Such a lock is applied at the registry level, that is, by the companies that administer the .com, .net, .org and other top-level domains, rather than by the registrar or reseller whose account an attacker may have compromised.

"Registrars generally do not make it easy to request registry locks because they make processes like automatic renewals more difficult," Prince said. "However, if you have a domain that may be at risk, you should insist that your registrar put a registry lock in place. It's worth noting that while some of Twitter's utility domains were redirected, Twitter.com was not -- and Twitter.com has a registry lock in place."
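As an added illustration (not code from the article, Melbourne IT or CloudFlare), the script below shows how a domain owner can verify which kind of lock is actually in place: a WHOIS or RDAP lookup returns the domain's EPP status codes, and registry-level locks appear as the `server*Prohibited` codes, while the weaker registrar-level locks appear as `client*Prohibited`. The status lists here are constructed samples; a live check would feed the `status` array from an RDAP response (for example from an RDAP bootstrap service) into `classify()`.

```python
from typing import Iterable

# Registry-level ("server*") locks are set by the registry operator itself and
# cannot be cleared through a compromised registrar or reseller account.
REGISTRY_LOCK = {
    "server update prohibited",
    "server delete prohibited",
    "server transfer prohibited",
}
# Registrar-level ("client*") locks are set by the registrar and give no
# protection once the registrar's or reseller's credentials are stolen.
REGISTRAR_LOCK = {
    "client update prohibited",
    "client delete prohibited",
    "client transfer prohibited",
}


def normalize(status: str) -> str:
    """Accept RDAP spelling ('server update prohibited') as well as
    EPP/WHOIS spelling ('serverUpdateProhibited')."""
    s = status.strip()
    if " " not in s:  # camelCase -> space separated words
        out = []
        for ch in s:
            if ch.isupper() and out:
                out.append(" ")
            out.append(ch.lower())
        s = "".join(out)
    return s.lower()


def classify(statuses: Iterable[str]) -> str:
    """Summarise a domain's EPP status codes as the strongest lock present."""
    norm = {normalize(s) for s in statuses}
    if REGISTRY_LOCK <= norm:
        return "registry lock"
    if norm & REGISTRY_LOCK:
        return "partial registry lock"
    if norm & REGISTRAR_LOCK:
        return "registrar lock only"
    return "unlocked"


# Constructed sample status arrays (hypothetical domains, not real lookups).
SAMPLES = {
    "locked.example": ["client transfer prohibited", "server delete prohibited",
                       "server transfer prohibited", "server update prohibited"],
    "registrar.example": ["clientTransferProhibited", "clientUpdateProhibited"],
    "open.example": ["active"],
}


def report() -> dict:
    return {domain: classify(codes) for domain, codes in SAMPLES.items()}
```

Only the first category resists a registrar-side credential compromise like the one described in the article; the other results mean the registry lock still has to be requested.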

SEA claimed Wednesday on Twitter that they hacked Melbourne IT's blog site. A message left on the site read "Hacked by SEA, Your servers security is very weak," suggesting that the hacker group might still have some level of access to Melbourne IT's systems.
