Incident Response, TDR

Locking your website

If the recent exploits of the Syrian Electronic Army (SEA) have taught web domain owners anything, it is to use a registry lock.

The band of hacktivists – who support Syrian President Bashar al-Assad – have been gaining notoriety for hacking and defacing major media websites and social media accounts. In fact, in August the group made it to the FBI's wanted list. 

The collective has become well known in cyber circles for accessing portals by obtaining valid credentials through the use of spear phishing – a phishing attack variation that targets specific individuals.

During one initially confusing late afternoon in August, the SEA took credit for hijacking and modifying websites belonging to The New York Times, Twitter and the Huffington Post U.K., hastily leading several experts to reconsider the attack methods used by the hacktivists.

The reconsideration was short-lived, however. Some observers, such as HD Moore, chief research officer at vulnerability management company Rapid7 and chief architect of the Metasploit Framework, quickly saw the common thread tying together the affected websites: Melbourne IT, an Australian domain name registrar. 

Moore also saw the missing thread that allowed the websites to be affected: registry locks, or a lack thereof.

A registry lock is a status code applied to a web domain name that is designed to prevent incidental or unauthorized changes – including modifications, transfers or deletion of domain names and alterations to domain contacts details – without first authenticating to the top-level domain operator.

Registry locks are what protected during the attack, but not its image-hosting server,, which did not have the added protection – thus explaining why images on Twitter were not displaying properly throughout the incident.

Bruce Tonkin, chief technology officer with Melbourne IT, confirmed the SEA was able to access the compromised websites after an employee at the firm responded to a “surprising” and “authentic looking” spear phishing email.

Following the incident, Tonkin confirmed that dozens of domains registered with his company had put locks in place – including AOL, Starbucks, Cosmopolitan, Toshiba and Barnes & Noble – but added that more need to add the security feature in order for it to become an industry standard.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.