The attack had the potential to be huge.
On Tuesday the Syrian Electronic Army (SEA) took credit for a number of website outages that affected The New York Times, the Huffington Post and even Twitter. The hacker group is known for attacking media organizations that it considers hostile to the regime of Syrian president Bashar al-Assad, and just recently assaulted sites belonging to CNN, Time and the Washington Post.
The NYTimes.com website was reportedly the only one in the group on Tuesday that suffered an hour-long outage. Visitors were reportedly redirected to a server owned by the hacking group before the DNS issue was corrected. The Huffington Post attack was limited to the site's U.K. web address, and Twitter said the attack merely caused partial availability issues for an hour and a half – no user information was obtained.
"Our DNS registrar experienced an issue in which it appears DNS records for various organizations were modified, including one of Twitter’s domains used for image serving, twimg.com," Twitter stated on Tuesday. "Viewing of images and photos was sporadically impacted."
The SEA group reportedly managed to disrupt the service of these three websites by penetrating Australian internet service provider MelbourneIT, which sells and manages domain names including Twitter.com and NYTimes.com. The ISP said two staff members at one of its resellers opened a fake email seeking login details, which led to the account compromise.
According to the report, one of the reseller staff members was the direct manager of the NYTimes domain, along with other media companies, and had account login credentials stashed away in his email account. Once the fake email was opened and its package unleashed (presumably malware), the hackers took the acquired credentials, logged in to the MelbourneIT account, and changed the DNS settings to direct the NYTimes website to the SEA-owned server.
The ISP confirmed that other media companies were attacked as well, but the attempts were unsuccessful due to domain registry locks. MelbourneIT said it restored the correct domain name settings and changed the login credentials on the main compromised account. MelbourneIT also controls a number of highly visited web domains including Microsoft.com and Yahoo.com, meaning the attack could have been a lot worse.
"This could've been one of the biggest attacks we've ever seen, if they were more subtle and more efficient about it," said HD Moore, the chief research officer at Rapid7, a cyber security firm. "They changed just a few sites, but if they had actually gone all out, they could've had most of the Internet watching them run the show."
The attacks are believed to be in retaliation against the Obama administration as Washington considers taking action against the Syrian government, which has been locked in a bloody battle with rebels for more than two years.