A phishing email allowed hackers to orchestrate a DNS attack against major media websites last week. Now, experts are calling on domain owners to request registry locks from their providers.
The phishing attack, one of the oldest and most common tricks in the book, enabled the hackers to hijack and modify the DNS records of several domains on Tuesday, including those of The New York Times, Twitter and the Huffington Post UK.
Representatives of the impacted entities said their systems now are operating normally, and there are no lingering or long-term effects.
In fact, the companies were not even the ones targeted by the attackers, who claimed to be the Syrian Electronic Army, a band of pro-Assad hacktivists responsible for a number of IT takedowns in recent months.
The intruders compromised a reseller account that had access to the IT systems of the Australian registrar Melbourne IT. An employee of one of the resellers responded to a spear-phishing email, which allowed the hackers to steal that employee's account login credentials.
Bruce Tonkin, chief technology officer with Melbourne IT, said last week that he would not reveal the identity of the reseller or the details of the phishing email, but he admitted to being surprised by how authentic the email appeared and explained that he “could see how people could be caught by it,” even "people in the IT industry".
The New York Times website was defaced and suffered sporadic downtime, and several images hosted on Twitter failed to display, while the pro-Assad collective used its Twitter account to post messages about the attacks and images of Whois records showing the altered registry entries.
When Melbourne IT received word of the incident, technicians were up bright and early in Australia to change the target reseller's credentials to prevent further changes, change affected DNS records back to previous values and lock affected records from further changes at the .com domain name registry, said Tony Smith, a spokesman for Melbourne IT.
“We are currently reviewing our logs to see if we can obtain information on the identity of the party that has used the reseller credentials, and we will share this information with the reseller and any relevant law enforcement body,” he said.
Tonkin said that the incident should reinforce the application of domain locking functionality known commonly as a registry lock.
A registry lock is a set of status codes applied to a domain name at the registry (in EPP terms, serverUpdateProhibited, serverTransferProhibited and serverDeleteProhibited) that is designed to prevent accidental or unauthorised changes, including modifications, transfers or deletion of the domain and alterations to its contact details, unless the change is first authenticated with the top-level domain operator. For .com domains, that's VeriSign. The distinction matters: the more common registrar-level locks (the client* status codes) can be cleared by anyone holding registrar or reseller credentials, which is exactly what the attackers had stolen.
A registry lock is what protected Twitter.com during the attack. The same could not be said for its image-hosting domain, twimg.com, which did not have the added protection, which is why images on Twitter were not displaying properly throughout the incident.
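The practical check a domain owner can make after reading the two paragraphs above is to look at the EPP status codes in the domain's WHOIS record and see whether the server* (registry) codes are present, or only the client* (registrar) codes that a stolen reseller login could clear. The script below is an added example, not code from Melbourne IT, VeriSign or any registrar; it assumes the ICANN EPP status-code names and a WHOIS layout with one "Domain Status:" (or older "Status:") line per code, and the two WHOIS excerpts in it are constructed for the example, modelling a registry-locked domain like twitter.com and an unlocked one like twimg.com, not real lookups.

```python
"""Check whether a domain carries a registry lock, from its WHOIS status codes.

Added example (not Melbourne IT's or any registrar's code). Assumes the
ICANN EPP status-code names and a WHOIS text layout where each status is on
its own "Domain Status:" (or older "Status:") line. The WHOIS records below
are constructed for the example, not real lookups.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# EPP status codes. "server*" codes are set by the registry (Verisign for .com)
# and can only be cleared there: that is the registry lock. "client*" codes are
# set by the registrar and can be cleared by anyone holding registrar or
# reseller credentials, so they do not survive the credential theft described
# in the article.
REGISTRY_LOCK = {"serverUpdateProhibited", "serverTransferProhibited", "serverDeleteProhibited"}
REGISTRAR_LOCK = {"clientUpdateProhibited", "clientTransferProhibited", "clientDeleteProhibited"}

# lowercase, space-free spelling -> canonical EPP name (older Verisign WHOIS
# printed e.g. "CLIENT TRANSFER PROHIBITED"; current WHOIS prints camelCase
# followed by an ICANN URL)
_CANONICAL = {c.lower(): c for c in REGISTRY_LOCK | REGISTRAR_LOCK}

_STATUS_LINE = re.compile(
    r"^\s*(?:Domain\s+)?Status:\s*([A-Za-z][A-Za-z ]*?)\s*(?:https?://\S*)?\s*$",
    re.MULTILINE,
)


def parse_statuses(whois_text: str) -> set[str]:
    """Return the canonical EPP status codes found in a WHOIS record."""
    found = set()
    for raw in _STATUS_LINE.findall(whois_text):
        key = "".join(raw.split()).lower()
        found.add(_CANONICAL.get(key, key))
    return found


@dataclass(frozen=True)
class LockReport:
    domain: str
    statuses: frozenset[str]
    registry_locked: bool                 # all three server* codes present
    missing_registry_codes: frozenset[str]
    registrar_only: bool                  # client* codes present, no registry lock


def assess_lock(domain: str, whois_text: str) -> LockReport:
    statuses = frozenset(parse_statuses(whois_text))
    registry_locked = REGISTRY_LOCK <= statuses
    return LockReport(
        domain=domain,
        statuses=statuses,
        registry_locked=registry_locked,
        missing_registry_codes=frozenset(REGISTRY_LOCK - statuses),
        registrar_only=bool(statuses & REGISTRAR_LOCK) and not registry_locked,
    )


def credentials_needed_to_redelegate(statuses) -> str:
    """Weakest credential that suffices to change the domain's nameservers.

    A nameserver change is an EPP domain update. serverUpdateProhibited blocks
    it until the registry lifts the lock out of band; anything less can be
    undone with the registrar (or reseller) account alone, which is the
    position twimg.com was in.
    """
    return "registry" if "serverUpdateProhibited" in statuses else "registrar"


# Constructed WHOIS excerpts for the example; not real lookups.
LOCKED_RECORD = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.EXAMPLE.COM
"""

# Only a registrar-level transfer lock, in the older WHOIS spelling.
UNLOCKED_RECORD = """\
Domain Name: EXAMPLE.NET
Registrar: Example Registrar, Inc.
Status: CLIENT TRANSFER PROHIBITED
Name Server: NS1.EXAMPLE.NET
"""

if __name__ == "__main__":
    for domain, record in (("example.com", LOCKED_RECORD), ("example.net", UNLOCKED_RECORD)):
        report = assess_lock(domain, record)
        print(f"{domain}: registry_locked={report.registry_locked} "
              f"missing={sorted(report.missing_registry_codes)} "
              f"redelegation needs: {credentials_needed_to_redelegate(report.statuses)}")
```

To check a real domain, feed the output of `whois example.com` (or the status array from an RDAP response, joined as "Domain Status:" lines) into assess_lock; a domain reported as registrar_only is in the same position twimg.com was in, and the fix is to ask the registrar to arrange a registry lock with the TLD operator rather than to add more client* codes.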