Melbourne IT has revealed one of its overseas resellers was a victim of a “spear phishing” attack which allowed the Syrian Electronic Army to hijack the New York Times (NYT) and some Twitter websites.
A Melbourne spokesperson said staff of an overseas-based reseller “unwittingly” responded to a spear phishing attack which allowed attackers to access sensitive information, including usernames and passwords. This was used to access the reseller's account on Melbourne IT systems.
“This resulted in unauthorized changes to the DNS records of two domain names associated with providing news related to the Syrian conflict,” he said.
"Spear phishing" is a term for a concentrated phishing attack where hackers focus on individuals they have identified as having access to sites they want to hack.
The link that was used to trick staff into handing over login details was disguised as a news story. In the case of the staff at the overseas reseller, they clicked on the link and logged in using their personal emails.
This allowed hackers to access reseller staff emails using legitimate passwords and then search weblog information and see password and user information for customers including the New York Times.
Once Melbourne IT was aware of the breach it changed the affected DNS records back to their previous values, locked the affected records from any further changes at the .com domain name registry, changed the account credentials so no further changes could be made, told the recipients of the phishing email to update their passwords and temporarily suspended access to affected user accounts until passwords have been changed.
The New York Times website remained blocked until Thursday afternoon. Hackers changed the registry to show "SEA", the Syrian Electronic Army, as website owner.
The Twitter tracking site Twimg.com was also hacked with viewing of images and photos sporadically impacted.
Twitter confirmed the Twimg domain name had been offline.
“No Twitter user information was affected by this incident,” Twitter said in a statement.
A Melbourne IT spokesman said the company was working closely with the affected reseller to review additional layers of security.
“Again, we stress that for mission critical names we recommend that domain name owners take advantage of additional registry lock features available from domain name registries including .com and .com.au, as some of the domain names targeted had these lock features active and were thus not affected.”
The spokesperson also confirmed an attack on a blog, which was the result of a weakness in the WordPress platform.
The blog was replaced with the message: ““Hacked by SEA, Your servers [sic] security is very weak”, according to a Twitter post by the hacking collective which openly supports the Syrian Government.
The spokesperson said the incident was the result of a vulnerability in an old version of the software which the blog used and that it was unrelated to the credentials breach at the reseller.
“We have removed the blog site,” he said. “We are continuing to monitor our infrastructure closely and will keep our customers and partners informed of any further developments. We are cooperating with law enforcement authorities globally,” he said.
