November 24, 2014

New York Times Hacked Via Crafty Phishing Attack


It was another reminder of the vulnerability of businesses that conduct all or some of their activities online.

Both the New York Times and Twitter were hacked yesterday.  Or, at least, their domain names were “hacked” — i.e., hijacked for a time.

The two companies essentially had their domain names rerouted to different servers.  In the case of the New York Times, it was the entire NYTimes.com web URL that was affected.  In the case of Twitter, it was only the domains for the images hosted on Twitter.

A group claiming to be loyal to Syrian president Bashar al-Assad claimed responsibility in a series of messages on Twitter.

The group, calling itself the Syrian Electronic Army (SEA), also claimed to have hacked the Huffington Post, but that site does not appear to have been affected.

How The Hackers Did It: A Phishing Email

The SEA hacking attack was relatively low-tech (as such things go). It started with a phishing email.

The email enticed an employee of a reseller of Melbourne IT in Australia to give up login credentials. Melbourne IT provides online DNS services for The New York Times website, Twitter and many other clients.

Typically, a phishing email tries to get unsuspecting recipients to click on a link taking them to a fake page that may look exactly like a legitimate site. Upon logging in, the login credentials are captured.

Once the SEA had the login credentials, they were able to gain access to the DNS records for the New York Times website. They then changed the records to point to a different server. When visitors went to the NYTimes.com site, they saw a screen with an SEA insignia.

That’s because the DNS information was directing Internet traffic to go to the substituted server location for information, not to the New York Times’ Web servers. Writes The Next Web, “DNS is akin to a ‘phone book for the Internet’ and is responsible for taking you to the website that you want to visit.”

Although Melbourne IT changed the DNS information back promptly after the intrusion was discovered, the effects lingered. The reason: it can take up to 24 hours for the cached records at your ISP's resolvers to expire and be cleared.
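To make the lingering effect concrete, here is a small simulation added for this article (it is not code from the article, Melbourne IT or Dyn). It models the registrar-side delegation data that was altered, plus ISP resolvers that cache answers for a one-day TTL, the 86,400-second value quoted later in the comments from Dyn's CTO; the server names and timestamps are constructed placeholders, since the article redacts the real ones.

```python
# Toy model of why a reverted DNS hijack keeps affecting some users:
# resolvers that cached the bad answer serve it until its TTL runs out.
DAY = 86400  # TTL in seconds quoted in the article's comments (one full day)


class Authoritative:
    """Registrar-side delegation data: the records the attackers changed."""
    def __init__(self, ns):
        self.ns = ns  # name -> nameserver value (constructed placeholders)

    def lookup(self, name):
        return self.ns[name], DAY  # (value, ttl)


class RecursiveResolver:
    """An ISP resolver that serves a cached answer until its TTL expires."""
    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}  # name -> (value, expires_at)

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0]  # cache hit: upstream corrections are invisible
        value, ttl = self.upstream.lookup(name)
        self.cache[name] = (value, now + ttl)
        return value

    def purge(self, name):
        """What an operator does to fix things early: drop the cached entry."""
        self.cache.pop(name, None)


def timeline():
    """Replay the incident: hijack, registrar fix, stale caches, purge, expiry."""
    auth = Authoritative({"nytimes.com": "ns.legit.example"})
    isp_a, isp_b, isp_c = (RecursiveResolver(auth) for _ in range(3))
    events = {}
    auth.ns["nytimes.com"] = "ns.hijacked.example"  # t=1000: records altered
    events["a_during_hijack"] = isp_a.resolve("nytimes.com", 1000)
    events["c_during_hijack"] = isp_c.resolve("nytimes.com", 2000)
    auth.ns["nytimes.com"] = "ns.legit.example"     # t=4000: registrar reverts
    events["a_after_fix"] = isp_a.resolve("nytimes.com", 4000)   # still stale
    events["a_stale_for"] = isp_a.cache["nytimes.com"][1] - 4000  # seconds left
    events["b_after_fix"] = isp_b.resolve("nytimes.com", 5000)   # fresh lookup
    isp_c.purge("nytimes.com")                       # t=6000: operator purges
    events["c_after_purge"] = isp_c.resolve("nytimes.com", 6000)
    events["a_next_day"] = isp_a.resolve("nytimes.com", 1000 + DAY)  # expired
    return events
```

Resolver A keeps answering with the hijacked nameserver for 83,400 seconds after the registrar's fix, while a resolver that never cached the bad answer, or one whose operator purged it, returns the correct value immediately.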

Almost a full day later, some people (including here at the Small Business Trends offices) were still not able to access the New York Times website. Up until nearly noon Eastern time today, New York Times Vice President of Communications, Eileen Murphy, was still responding to inquiries on Twitter from readers who said they could not access the site.

The DNS tampering also affected Twitter to a lesser degree. The SEA managed to access the DNS records for where Twitter images are hosted (although not the main Twitter servers). Twitter issued an official status update saying “Viewing of images and photos was sporadically impacted.”

2 Lessons You Can Take Away:

1) Train employees to spot and avoid phishing emails.

Be wary of unexpected emails that seem to come out of the blue prompting logins. Look closely at the URL for any page you are directed to. Sometimes the pages look perfect, and only the URL is a giveaway that it’s a phishing site.  Make sure employees are trained to watch out.

2) Secure the Logins for Your Domain Name Accounts

Small businesses typically have their domain name registrar manage their DNS. If someone gains access to your domain name account, they may be able to tamper with where your website traffic is pointed to. While domain registrars usually require multi-step security for transferring a domain name, that may not be the case for changing DNS settings.  Protect login credentials carefully.

New York Times Building Photo via Shutterstock


11 Reactions

  1. I have cleared all my history, including caches, and still no NY Times! It is 3PM Wednesday here in Prince Of Wales, AK.

  2. Great reporting!

    You wrote, “Although Melbourne IT changed the DNS information back promptly after the intrusion was discovered, the effects lingered. The reason: it can take up to 24 hours for your ISP’s caches to be cleared of information.”

    Why?

    Maybe a wise-techie from the Small Business Trends community can answer that question.

    It’s only the beginning, you know.

    Cyber-wars.

    The Franchise King®

    • Hi Joel, Someone more technical than I am could explain it, but for now I will point to this quote by Cory Von Wallenstein, the CTO of Dyn, who explained the attack for The Next Web:

      “For the affected sites, the attackers gained access to the domain registration accounts that were operated by Melbourne IT, and changed the authoritative DNS servers to [deleted server name] and [deleted server name]. What makes this attack so dangerous is what’s called the TTL… or time to live. Changes of this nature are globally cached on recursive DNS servers for typically 86,400 seconds, or a full day. Unless operators are able to purge caches, it can take an entire day (sometimes longer) for the effects to be reversed.”

      So in my low tech parlance… it was the traffic signals way up at the Internet traffic level controlling everything. All of the entities there will have to clear their caches (not your browser cache, but theirs) before everything gets back to normal.

      – Anita

      • WOW.

        That’s unreal.

        Who thought of this stuff? DNS. TTL. Cached?

        Thanks for clearing things up.

        Now, I need some quiet time. (As I re-read what you’ve quoted 7 more times.)

        The Franchise King®

  3. I also get crafty phishing emails to release banking details and PayPal passwords, but always ignore them. Don't reply to them telling them to get lost; the best action is just to ignore them.

  4. The key is knowing how to spot the phishing email. I almost got fooled by one that only had an extension like paypal.com.sg and other things that were similar. It may be best to not let your employees handle your website's details.

  5. It’s crazy that something as silly as a phishing email was able to throw off NYT for this long. Phishing emails are pretty easy to avoid – it’s just silly that it would work. I wonder how much money this cost NYT.

  6. Wow! A phishing email took down the entire NYTimes website. Shows that your website security is only as strong as the weakest link (which is probably a person).
