
Phishing email grants hackers access to DNS records of major websites

A phishing attack, one of the most common and oldest cyber tricks in the book, enabled hackers to hijack and modify the DNS records for several domains on Tuesday, including The New York Times, Twitter and the Huffington Post U.K.

Representatives of the impacted entities have said their systems now are operating normally, and there are no lingering or long-term effects. In fact, the companies were not even the ones targeted by the attackers, who claimed to be the Syrian Electronic Army, a band of pro-Assad hacktivists responsible for a number of IT takedowns in recent months.

The intruders responsible for Tuesday's incidents actually compromised a reseller account that had access to the IT systems of Australian registrar, Melbourne IT. An employee for one of the resellers responded to a spear phishing attack, which allowed the hackers to steal their account login credentials.

Bruce Tonkin, chief technology officer with Melbourne IT, told on Wednesday that he would not reveal the identity of the reseller or the details of the phishing email, but he admitted to being surprised by how authentic the email appeared and explained that he “could see how people could be caught by it,” even “people in the IT industry.”

The New York Times website was defaced and experienced sporadic downtime, while several images hosted on Twitter would not display correctly. All the while, the pro-Assad hacker collective took to its Twitter account to post messages about the attacks and images of Whois records displaying registry alterations.

When Melbourne IT received word of the incident, technicians were up bright and early in Australia to change the target reseller's credentials to prevent further changes, change affected DNS records back to previous values and lock affected records from further changes at the .com domain name registry, said Tony Smith, a spokesman for Melbourne IT.

“We are currently reviewing our logs to see if we can obtain information on the identity of the party that has used the reseller credentials, and we will share this information with the reseller and any relevant law enforcement body,” he said.

Tonkin said that the incident should reinforce the application of domain locking functionality known commonly as a registry lock.

A registry lock is a status code applied to a web domain name that is designed to prevent incidental or unauthorized changes, including modifications, transfers or deletion of domain names and alterations to domain contact details, without first authenticating to the top-level domain operator. For .com domains, that's VeriSign.

Registry locks are what protected during the attack. The same could not be said for its image hosting server,, which did not have the added protection – hence why images on Twitter were not displaying properly throughout the incident.
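An added example, not from the original article: a Python check that reads the status lines of WHOIS output and tells a registry lock (the EPP `server*Prohibited` codes, set by the registry) apart from a registrar-level lock (`client*Prohibited`). The domain names and WHOIS excerpts are constructed samples, and the classification labels are this example's own.

```python
import re

# EPP status codes set and cleared only by the registry (VeriSign for .com).
REGISTRY_LOCK = {"serverdeleteprohibited", "servertransferprohibited",
                 "serverupdateprohibited"}
# Registrar-level codes: set through the registrar, so a stolen registrar or
# reseller login may be enough to clear them.
REGISTRAR_LOCK = {"clientdeleteprohibited", "clienttransferprohibited",
                  "clientupdateprohibited"}

# Matches "Domain Status: code https://..." and the older "Status: code".
STATUS_RE = re.compile(r"^[ \t]*(?:Domain[ \t]+)?Status:[ \t]*([A-Za-z]+)",
                       re.IGNORECASE | re.MULTILINE)

def parse_statuses(whois_text):
    """Return the set of lower-cased EPP status codes in a WHOIS record."""
    return {m.group(1).lower() for m in STATUS_RE.finditer(whois_text)}

def lock_level(whois_text):
    """Classify how well a domain is protected against record changes."""
    statuses = parse_statuses(whois_text)
    if REGISTRY_LOCK <= statuses:
        return "registry-locked"
    if statuses & REGISTRY_LOCK:
        return "partial-registry-lock"
    if statuses & REGISTRAR_LOCK:
        return "registrar-lock-only"
    return "unlocked"

def audit(records):
    """Map each domain that lacks a full registry lock to its lock level."""
    levels = {d: lock_level(text) for d, text in records.items()}
    return {d: lvl for d, lvl in levels.items() if lvl != "registry-locked"}

# Constructed sample WHOIS excerpts (not real records).
SAMPLES = {
    "locked.example": """Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited""",
    "images.example": "Status: clientTransferProhibited\nStatus: clientUpdateProhibited",
    "open.example": "Domain Status: ok https://icann.org/epp#ok",
}

if __name__ == "__main__":
    for domain, level in sorted(audit(SAMPLES).items()):
        print(f"{domain}: {level}")
```

Running the audit on a schedule and alerting when a domain drops out of the registry-locked state also catches a lock that was removed for maintenance and never restored.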

HD Moore, chief research officer at vulnerability management company Rapid7 and chief architect of the Metasploit framework, stressed the importance of registry locks.

Moore explained in a Wednesday email that several entities have added the protection to their websites in the wake of the incident, including Huffington Post, Starbucks and Vine, and pointed to a few other big names that were not protected at the time of the incident, including AOL, Barnes & Noble and IBM.

In a blog post that explained the relationship among registries, registrars and DNS providers, Matthew Prince, co-founder and CEO of web security and performance company CloudFlare, agreed about the importance of registry locks.

"Registrars generally do not make it easy to request registry locks because they make processes like automatic renewals more difficult," he wrote. "However, if you have a domain that may be at risk, you should insist that your registrar put a registry lock in place."

Meanwhile, experts said that while the attack was simple in nature, it was creative.

Ken Westin, a researcher with security software company Tripwire, said he believes “[m]edia attacks seem to be escalating and moving away from annoying, simple denial-of-service attacks and toward full domain compromise.”

CloudLock Enterprise Solutions Architect Kevin O'Brien was able to look at the bright side of things, saying, “If there is any consolation to be had, it is that this is an incredibly unsophisticated form of attack” and adding that it can be addressed through training.
