Matt Posted August 28, 2013 Report Posted August 28, 2013 Cracker collective the Syrian Electronic Army – or someone using its name – has claimed responsibility for domain-hijacking Twitter.co.uk, nytimes.com and huffingtonpost.co.uk.At the time of writing, many of the domains the SEA claimed to have hijacked were back under their owners' control. In some cases, only the contact records for domains were altered. However, nytimes.com currently returns the SEA as its nameserver.The New York Times has attributed an outage last Tuesday to malicious activity, and while it didn't nominate the SEA, its workaround made it clear that a domain redirect was the problem, since it pointed readers at its IP address to get to its site.So far, the SEA's threat against the Huffington Post doesn't seem to have eventuatedTwitter users are attributing the problems to registrar MelbourneIT, which is common to many of the hijacked domains. HD Moore of Metasploit Framework fame has told Mashable that “if the attackers have found a weakness in the MelbourneIT system”, then other domains would also be at risk.The New York Times also attributes the attack to MelbourneIT:“The New York Times Web site was unavailable to readers on Tuesday afternoon following an attack on the company’s domain name registrar, Melbourne IT. The attack also required employees of The Times to stop sending out sensitive e-mails”, it has told employees.The Register has tried to contact MelbourneIT, so far without success. ®Update: While MelbourneIT has yet to return calls from Vulture South, it has apparently told Business Insider a reseller was responsible for the hijacked domains. Its statement is below.The credentials of a Melbourne IT reseller (username and password) were used to access a reseller account on Melbourne IT’s systems.The DNS records of several domain names on that reseller account were changed – including nytimes.com.Once Melbourne IT was notified, we:- changed the affected DNS records back to their previous values- locked the affected records from any further changes at the .com domain name registry- changed the reseller credentials so no further changes can be made- We are currently reviewing our logs to see if we can obtain information on the identity of the party that has used the reseller credentials, and we will share this information with the reseller and any relevant law enforcement bodies.We will also review additional layers of security that we can add to our reseller accounts.For mission critical names we recommend that domain name owners take advantage of additional registry lock features available from domain name registries including .com – some of the domain names targeted on the reseller account had these lock features active and were thus not affected.Source TheRegister.Co.Uk Quote
