The Syrian Electronic Army, a group known for attacking high-profile media sites in the last year or so, has in the last few hours compromised the domain information for a large number of sites, including the New York Times home page and some of Twitter’s domains. Security researchers say that the most likely attack vector was the domain registrar used by the companies.
Both the Times and Twitter, as well as a long list of other companies including Google and Yahoo, use a company called Melbourne IT as a domain registrar. Researchers following the attack say that the WHOIS and domain information for the Times and Twitter domains was changing back and forth between legitimate data and the hacked SEA data for much of the last few hours. The Times home page was offline sporadically Tuesday afternoon and the paper reported that the company’s CIO told employees to be cautious sending email “until this situation is resolved”.
The SEA’s attack enabled the group to redirect visitors to the affected sites to a server controlled by the attackers. Researchers say that the attackers also could have the ability to redirect email, Web and other traffic from the compromised sites.
“All three domains use MelbourneIT as their domain registrar. Once access to the registrar is obtained, the SEA can redirect all DNS, email, and web traffic going to these sites to a server of their choosing,” said HD Moore, chief research officer at Rapid7.
Around 5 pm EDT Tuesday the SEA tweeted a picture of a WHOIS record showing the compromised data. About 90 minutes later they tweeted a picture of a number of Twitter’s domain names in what appeared to be a registrar’s back end. The tweet’s text said, “Twitter, are you ready?”
The domains compromised by the SEA included a pair of domains used by Twitter to host images. Here’s what the WHOIS data for twitter.com looked like during the attack:
Admin Name……….. SEA SEA
Admin Address…….. 1355 Market Street
Admin Address…….. Suite 900
Admin Address. San Francisco
Admin Address…….. 94103
Admin Address…….. CA
Admin Address…….. UNITED STATES
Admin Email………. email@example.com
Admin Phone………. +1.4152229670
Admin Fax………… +1.4152220922
The data for the Times and the other compromised Twitter domains was similar. Jaime Blasco at AlienVault Labs has a long list of the domains that have been pointing to the SEA’s server during the attack. It’s not clear how the registrar may have been compromised.
In addition to Tuesday’s attacks, the SEA also has claimed responsibility for recent attacks on the Washington Post, The Onion, the Associated Press and other media companies.
Image from Flickr photos of Alexander Torrenegra.