Syrian hackers attack Melbourne IT reseller

Hackers associated with the Syrian dictator Bashir al-Assad have once again succesfully attacked Western media, this time by altering the domain name registration records for sites such as Twitter and the New York Times.

The Syrian Electronic Army also redirected the NYT website to a network in the nation.

It managed to alter domain name registration records for other organisations as well, such as the Huffington Post's US and UK websites, as first reported by former Reuters social media editor Matthew Keys.

According to the New York Times, the hackers or people purporting to be the SEA attacked domain registration company Melbourne IT to change the domain name records. As of writing, the main nytimes.com website is down.

Melbourne IT has confirmed the attack, telling iTnews it was one of its resellers that had been targeted.

"The DNS records of several domain names on that reseller account were changed - including nytimes.com," a spokesperson for Melbourne IT said.

Once Melbourne IT was notified, he said it changed the affected DNS records back to their previous values, locked the affected records from any further changes at the .com domain name registry and changed the reseller credentials so no further changes could be made.

"We are currently reviewing our logs to see if we can obtain information on the identity of the party that has used the reseller credentials, and we will share this information with the reseller and any relevant law enforcement bodies.

"We will also review additional layers of security that we can add to our reseller accounts."

For mission critical names, Melbourne IT recommended that domain name owners take advantage of additional registry lock features available from domain name registries including .com.

"Some of the domain names targeted on the reseller account had these lock features active and were thus not affected."

NYT DNS administrator David Porsche wrote on the OARC DNS operations mailing list that the media organisation's registrar updated its name server records on the root servers, pointing to "a malicious site".

"We have had reports that the malicious site that our domain was redirected to was infecting users with malware," he said.

Porsche asked other administrators to clear cached DNS entries for nytimes.com to prevent further redirections to the malicious site.

The chief information officer of The New York Times Company, Marc Frons, also issued a statement confirming the attack earlier today.

Frons warned employees to be careful sending emails until the situation is resolved.

Twitter said on its Status blog the domain name system records for its twimg.com image posting service had been modified, but these are now restored.

Twitter status blog

Twitter would only say "we're looking into this" when asked about the altered domain name registration records by iTnews. The social media provider uses Melbourne IT and Network Solutions as its main domain name registrars. 

The SEA claimed via tweets to have altered the domain name records for several other Twitter propertes, include its Arab Emirates (.ae) and UK domains.

http://t.co/IsOzwrp3cn is going down | http://t.co/9pbmn5wtAz #SEA #SyrianElectronicArmy

— SyrianElectronicArmy (@Official_SEA16) August 27, 2013

SEA has attacked several Western media sites over the past months, including the Guardian, Financial Times, BBC and Reuters. 

The group used social engineering in its past attacks, sending out authentic-looking phishing emails to employees of media organisations in order to trick them into revealing their authentication details.

Earlier this month SEA attacked the Washington Post via a third-party recommendation service, Outbrain, by using phishing emails sent to employees.