Syrian hackers phished Melbourne IT reseller credentials

Melbourne IT believes alleged Syrian hackers used social engineering and deceptive emails to gain administrative access to a resller account to facilitate yesterday's attack on Western media sites.

Chief technology officer Bruce Tonkin told iTnews that the company had identified a targeted phishing attack used to gain access to the credentials of users of a reseller account.  

"We have obtained a copy of the phishing email and have notified the recipients of the phishing email to update their passwords," Tonkin said. 

"Furthermore, we have also temporarily suspended access to affected user accounts until passwords have been changed," he added.

The scope of the attack was limited to three organisations and five domains, according to Melbourne IT.

"We also understand that at least of one the organisations [affected] was targeted through other registrars," Tonkin said.

One of the domains was on registry lock and the attackers could not change the domain name system (DNS) server records.

However, Tonkin said the attackers were able to change the name of the administrative contact for the domain.

Two of the affected domain names in the .com registry have now been locked as well.

Yesterday's attack is thought to have been conducted by the pro-government Syrian Electronic Army (SEA), which emerged in 2011 and has successfully hacked several Western media organisations including the BBC, Financial Times, Reuters and Washington Post.

The New York Times' website was redirected by the SEA to a network in Russia, and according to reports, attempted to plant malware on visitors' computers.

This isn't the first time systems at Melbourne IT has been compromised by so-called hacktivists.

In July last year, hacker collective Anonymous raided the AAPT data hosted by Melbourne IT, exploiting a well-known vulnerability in the Adobe Cold Fusion application framework.