After Twitter, NY Times hacks, top Internet brands remain at risk

By late afternoon on Tuesday, Twitter started buzzing; one of the world's largest news portals was offline, and a hacking group was claiming responsibility. The Syrian Electronic Army (SEA), a pro-Assad hacking group known for their previous campaigns against media organizations, altered the DNS records for the New York Times, Twitter, and the Huffington Post. The group also targeted, a platform that enables readers to share links to content on a wide range of services, including social media, sites like Reddit, Slashdot, and more.

Twitter had the most issues to deal with, as their domain shortening service ( well as their primary domain and image hosting service ( all had their DNS records altered. The attack was possible due to a social engineering campaign launched by the SEA that targeted MelbourneIT, the registrar responsible for hosting the targeted DNS servers.

According to reports, including those from MelbourneIT themselves, the SEA spent some time on this campaign and created a clever phishing email that eventually snared an unknown reseller's username and password, which granted them access to the domain controls needed to alter DNS settings.

While this attack was bad, things could have certainly been much worse, as other large brands also use MelbourneIT for their DNS, including Yahoo, Google, Microsoft, Adobe, IKEA, and AOL. Fortunately, the account that the SEA compromised didn't share access to those domains.

"Social-engineering and most specifically Phishing is one of the largest attack surfaces we face in the security industry. Hacking through websites and breaching perimeters takes way too much time and is usually not worth the effort. Sending a targeted email to a company almost guarantees you access to whatever you want and we aren't capable of handling these types of attacks right now," said Dave Kennedy, the creator of the Social Engineer Toolkit and the founder of TrustedSec, in an email to CSO.

"My question to everyone right now is that if they are targeting resellers, outside parties, and people not always in the company, but control certain aspects of an organization, where does this leave our massive exposures in the cloud?"

In the wake of the Twitter and New York Times attacks, several major brands remain at risk. The risk comes from two angles; the first is exposure to social engineering. Should an attacker gain access to the DNS controls directly, then a situation such as the one that occurred this week could certainly happen again.

The other angle is whether a registry lock is in place. Since details have started to emerge about how the New York Times, Twitter, and the others were attacked, thanks to disclosures from MelbourneIT, one of the defenses being touted is the practice of applying a Registry Lock flag to critical domains.

Registry locks are usually applied by the registrar and are used to prevent unauthorized or unwanted changes to a domain. Once a domain name is flagged, the lock prevents DNS modifications, contact modifications, transfers, and deletion. Any change requested will require additional methods of verification beyond a username and password.

Rapid7's Chief Research Officer, HD Moore, monitored many of the Web's top brands in the aftermath of the SEA attacks. In the hours following the attacks, a number of brands had registry locks placed on their domains. As expected, Twitter locked and, but they also added a lock to and The Huffington Post, another victim of the SEA, also added a registry lock. Moreover,,,, and also added registry locks.
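The kind of check Moore ran can be reproduced from public WHOIS data, because a registry lock shows up as the three server-side EPP status codes (serverUpdateProhibited, serverTransferProhibited, serverDeleteProhibited), while the weaker registrar-level locks use the client-side codes that a registrar account's password can clear. The script below is an added example written for this article, not code from CSO, Rapid7 or MelbourneIT; it parses WHOIS-style status lines and grades each domain by lock level. The three WHOIS records are constructed, and the domain names are placeholders in the reserved .test TLD.

```python
"""Classify a domain's lock level from WHOIS-style EPP status lines.

Added example for this article; not code from CSO, Rapid7 or MelbourneIT.
The sample WHOIS records below are constructed, and the domain names are
placeholders in the reserved .test TLD.
"""
import re

# EPP status codes that only the registry can set or clear. A domain carrying
# all three is what the article calls "registry locked": a registrar account's
# username and password are not enough to change its DNS, contacts or
# registration.
REGISTRY_LOCK_CODES = frozenset({
    "serverUpdateProhibited",
    "serverTransferProhibited",
    "serverDeleteProhibited",
})

# Registrar-level ("client") codes. These stop accidental changes but can be
# cleared by anyone holding the registrar account, which is exactly the
# credential a phished reseller login hands over.
REGISTRAR_LOCK_CODES = frozenset({
    "clientUpdateProhibited",
    "clientTransferProhibited",
    "clientDeleteProhibited",
})

# Matches both the ICANN-style "Domain Status: code https://..." line and the
# older bare "Status: code" line.
STATUS_RE = re.compile(r"^\s*(?:Domain\s+)?Status:\s*([A-Za-z]+)",
                       re.IGNORECASE | re.MULTILINE)


def parse_status_codes(whois_text: str) -> set[str]:
    """Return the set of EPP status codes named in a WHOIS response."""
    return set(STATUS_RE.findall(whois_text))


def classify_lock(codes: set[str]) -> str:
    """Map a set of status codes to the lock level a defender cares about."""
    if REGISTRY_LOCK_CODES <= codes:
        return "registry-locked"
    if codes & REGISTRY_LOCK_CODES:
        return "partial-registry-lock"
    if codes & REGISTRAR_LOCK_CODES:
        return "registrar-lock-only"
    return "unlocked"


def audit(records: dict[str, str]) -> dict[str, str]:
    """Classify every domain in a {domain: whois_text} mapping."""
    return {d: classify_lock(parse_status_codes(t)) for d, t in records.items()}


def needs_attention(results: dict[str, str]) -> list[str]:
    """Domains whose DNS a compromised registrar credential alone could change."""
    return sorted(d for d, level in results.items() if level != "registry-locked")


# Constructed sample WHOIS responses (placeholders, not real lookups).
SAMPLE_WHOIS = {
    "news-locked.test": """\
Domain Name: NEWS-LOCKED.TEST
Registrar: Example Registrar, Inc.
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.NEWS-LOCKED.TEST
""",
    "social-registrar.test": """\
Domain Name: SOCIAL-REGISTRAR.TEST
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
""",
    "shop-open.test": """\
Domain Name: SHOP-OPEN.TEST
Status: ok
""",
}

if __name__ == "__main__":
    results = audit(SAMPLE_WHOIS)
    for domain, level in results.items():
        print(f"{domain:24} {level}")
    print("needs registry lock:", ", ".join(needs_attention(results)))
```

Only the "registry-locked" grade means the change-control step sits outside the registrar login; a domain graded "registrar-lock-only" still depends on the same password a phishing email can capture, which is why it is listed as needing attention.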

Among those brands lacking registry lock protection are Adobe ( and American Airlines, AOL, BB&T Bank, Australia and New Zealand Banking Group, Cisco, IBM, and 1&1 Internet (, just to name a few. There are plenty of others, including major security firms (McAfee), media (Houston Chronicle, SF Gate), as well as service portals such as PR Newswire and

In an email sent to CSO, Moore said that although did have a lock in place, at the time of the attack, many large-brand domains were hosted with MelbourneIT and were not locked.

"There is no evidence that the attackers made changes to these domains, but these were potentially vulnerable at the time the attack took place. In other words, things could have been much worse."

In a statement, MelbourneIT encouraged domain owners to use registry locks. While the protection offered isn't foolproof, it's another layer of defense.

"For mission critical names we recommend that domain name owners take advantage of additional registry lock features available from domain name registries. Some of the domain names targeted on the reseller account had these lock features active and were thus not affected."

Stories by Steve Ragan