New York Times, Twitter domain hijackers 'came in through front door'

'Syrian Electronic Army' claims responsibility, registrar fingered as vector


Updated Hacktivist collective the Syrian Electronic Army (SEA) – or someone using its name – has claimed responsibility for hijacking the Twitter.co.uk, NYTimes.com and HuffingtonPost.co.uk web addresses.

At the time of writing, many of the domain names the SEA claimed to have seized were back under their owners' control. In some cases, only the contact details for the domains were altered.

However, the records for nytimes.com and Twitter.co.uk pointed to addresses of nameservers operated by the SEA: effectively allowing the miscreants to redirect tweeters and NYT online readers to any site of the hackers' choosing.

The internet's domain name system (DNS) works by converting human-readable addresses, such as www.theregister.com, into network IP addresses that computers use to talk to each other. By altering the DNS records, attackers can cause havoc by ushering potentially sensitive web traffic to malicious systems (which is why using HTTPS is important).

Below are the hijacked DNS records for nytimes.com and twitter.co.uk last night:

NY Times domain record


Twitter domain record

The attack actually hit an Australian domain registrar of which both Twitter and the Times were clients: Melbourne IT.

The New York Times attributed an outage last night to malicious activity; its workaround made it clear that a domain redirect was the problem since it pointed readers at its IP address to get directly to its site, sidestepping the domain-name system.

Syrian Electronic Army threat tweet

Twitter users were quick to blame the problems to domain-name registrar MelbourneIT, which is common to many of the hijacked domains. HD Moore of Metasploit Framework fame told Mashable that “if the attackers have found a weakness in the MelbourneIT system”, then other domains would also be at risk.

The New York Times also attributed the attack to MelbourneIT:

“The New York Times website was unavailable to readers on Tuesday afternoon following an attack on the company’s domain name registrar, Melbourne IT. The attack also required employees of The Times to stop sending out sensitive emails”, it has told employees.

The Register has tried to contact MelbourneIT, so far without success. ®

Updated to add

While MelbourneIT has yet to return calls from Vulture South, it has apparently told Business Insider a reseller was responsible for the hijack blunder.

Theo Hnarakis, chief executive of the web hosting biz, told Australian Broadcasting Corp radio today that hackers had modified the New York Times' domain using a partner's username and password.

"They came in through the front door," AP reported Hnarakis as saying. "If you've got a valid user name and password ... the assumption from our systems is that you are the authorised owner and user of that domain name."

Its statement is below.

The credentials of a Melbourne IT reseller (username and password) were used to access a reseller account on Melbourne IT’s systems.

The DNS records of several domain names on that reseller account were changed – including nytimes.com.

Once Melbourne IT was notified, we:

  • changed the affected DNS records back to their previous values
  • locked the affected records from any further changes at the .com domain name registry
  • changed the reseller credentials so no further changes can be made

We are currently reviewing our logs to see if we can obtain information on the identity of the party that has used the reseller credentials, and we will share this information with the reseller and any relevant law enforcement bodies.

We will also review additional layers of security that we can add to our reseller accounts.

For mission critical names we recommend that domain name owners take advantage of additional registry lock features available from domain name registries including .com – some of the domain names targeted on the reseller account had these lock features active and were thus not affected.

The Register will post further updates as required. There are more technical details about last night's DNS hijack over on the CloudFlare blog. ®

Similar topics


Other stories you might like

  • DMCA can't be used to sidestep First Amendment, court rules
    Anonymous speech protections apply online too, and copyright can't diminish that

    It's been a good week for free speech advocates as a judge ruled that copyright law cannot be used to circumvent First Amendment anonymity protections.

    The decision from the US District Court for the Northern District of California overturns a previous ruling that compelled Twitter to unmask an anonymous user accused of violating the Digital Millennium Copyright Act (DMCA). 

    The Electronic Frontier Foundation (EFF), which filed a joint amicus brief with the ACLU in support of Twitter's position, said the ruling confirms "that copyright holders issuing subpoenas under the DMCA must still meet the Constitution's test before identifying anonymous speakers." 

    Continue reading
  • SpaceX staff condemn Musk's behavior in open letter
    Well, it doesn't take a rocket scientist to see why

    A group of employees at SpaceX wrote an open letter to COO and president Gwynne Shotwell denouncing owner Elon Musk's public behavior and calling for the rocket company to "swiftly and explicitly separate itself" from his personal brand.

    The letter, which was acquired through anonymous SpaceX sources, calls Musk's recent behavior in the public sphere a source of distraction and embarrassment. Musk's tweets, the writers argue, are de facto company statements because "Elon is seen as the face of SpaceX."

    Musk's freewheeling tweets have landed him in hot water on multiple occasions – one incident even leaving him unable to tweet about Tesla without a lawyer's review and approval. 

    Continue reading
  • Musk repeats threat to end $46.5bn Twitter deal – with lawyers, not just tweets
    Right as Texas AG sticks his oar in

    Elon Musk is prepared to terminate his takeover of Twitter, reiterating his claim that the social media biz is covering up the number of spam and fake bot accounts on the site, lawyers representing the Tesla CEO said on Monday.

    Musk offered to acquire Twitter for $54.20 per share in an all-cash deal worth over $44 billion in April. Twitter's board members resisted his attempt to take the company private but eventually accepted the deal. Musk then sold $8.4 billion worth of his Tesla shares, secured another $7.14 billion from investors to try and collect the $21 billion he promised to front himself. Tesla's stock price has been falling since this saga began while Twitter shares gained and then tailed downward.

    Morgan Stanley, Bank of America, Barclays, and others promised to loan the remaining $25.5 billion from via debt financing. The takeover appeared imminent as rumors swirled over how Musk wanted to make Twitter profitable and take it public again in a future IPO. But the tech billionaire got cold feet and started backing away from the deal last month, claiming it couldn't go forward unless Twitter proved fake accounts make up less than five per cent of all users – a stat Twitter claimed and Musk believes is higher.

    Continue reading

Biting the hand that feeds IT © 1998–2022