How do you take some of the world’s largest online brands offline in a matter of minutes? If yesterday’s events are any guide, you do it by finding a gullible employee at a vulnerable downstream partner that those companies didn’t even know they had.
That’s the lesson that appears to be emerging in the aftermath of yesterday’s chaotic tug of war between hackers who claim affiliation with The Syrian Electronic Army and some of the world’s leading online brands, including The New York Times, Twitter and Huffingtonpost.com. The attacks on Tuesday saw traffic to sites owned by those firms redirected to web servers controlled by the attackers, which displayed messages in support of the regime of embattled President Bashar al-Assad.
According to a story in The New York Times, the attackers were able to compromise systems operated by Melbourne IT, an Australian domain registrar used by many prominent firms. With access to that company’s systems, the attackers changed the domain registry information used by the Times and others.
Melbourne IT denied that its own systems were compromised in the attack. Instead, employees at a U.S.-based reseller of Melbourne IT services, identified in an article in the publication Financial Review as Corporation Service Company, were tricked into divulging “personal details” that allowed the SEA hackers to recover login credentials that gave them access to Melbourne IT’s systems.
Theo Hnarakis, the CEO of Melbourne IT, defended his company against charges that it dropped the ball on security. “This is something that could happen to any company and any staff member,” Mr Hnarakis told the Financial Review. “This is not a breakdown of security, this is not a weakness of our systems where someone’s been able to hack in and grab customer information or credit card information.”
The impact of the attack was considerable. The hackers changed the records of nine separate websites in the early morning hours of Wednesday (Australia time) – midday Tuesday in the U.S. Information provided by Rapid7 shows that the administrative contact information stored in the WHOIS records for Twitter.com, NYT.com and TWImg.com (Twitter’s image hosting service) was changed to read “SEA SEA” and “Syrian Arab Republic.”
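The WHOIS changes Rapid7 observed are exactly the kind of signal a domain owner can watch for: a registrar-account takeover shows up as rewritten contacts, name servers or status locks long before anyone notices redirected traffic. The following is an added example, not code from the article or from Rapid7 or Melbourne IT, that diffs two WHOIS snapshots for a hypothetical domain; the snapshots are constructed, with the “after” contact strings echoing what the article reports and the hijacked name servers invented.

```python
from typing import Dict, List, Tuple

# Fields a registrar-account takeover typically rewrites: contacts (to lock the
# owner out), name servers (to redirect traffic) and status flags (transfer locks).
SENSITIVE_FIELDS = ("Domain Status", "Name Server", "Admin Name", "Admin Country")

def parse_whois(text: str) -> Dict[str, List[str]]:
    """Parse 'Key: value' WHOIS lines; repeated keys such as Name Server accumulate."""
    record: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue  # blanks, comments and the trailing "last update" banner
        key, _, value = line.partition(":")
        record.setdefault(key.strip(), []).append(value.strip())
    return record

def diff_sensitive(baseline: Dict[str, List[str]], current: Dict[str, List[str]]
                   ) -> List[Tuple[str, List[str], List[str]]]:
    """Return (field, old_values, new_values) for each sensitive field that changed."""
    alerts = []
    for field in SENSITIVE_FIELDS:
        old = sorted(v.lower() for v in baseline.get(field, []))
        new = sorted(v.lower() for v in current.get(field, []))
        if old != new:  # order- and case-insensitive comparison
            alerts.append((field, old, new))
    return alerts

# Constructed snapshots for a hypothetical domain: the "after" contact strings
# echo what the article reports; the hijacked name servers are invented.
BASELINE = """\
Domain Status: clientTransferProhibited
Name Server: NS1.EXAMPLE-NEWS.COM
Name Server: NS2.EXAMPLE-NEWS.COM
Admin Name: Hostmaster
Admin Country: US
"""
CURRENT_SNAPSHOT = """\
Domain Status: clientTransferProhibited
Name Server: NS1.HIJACKED.INVALID
Name Server: NS2.HIJACKED.INVALID
Admin Name: SEA SEA
Admin Country: Syrian Arab Republic
>>> Last update of WHOIS database: 2013-08-27T16:30:00Z <<<
"""

def check_example() -> List[Tuple[str, List[str], List[str]]]:
    """Diff the constructed snapshots; a non-empty result means page the domain owner."""
    return diff_sensitive(parse_whois(BASELINE), parse_whois(CURRENT_SNAPSHOT))
```

Run against a stored baseline on a schedule; the unchanged Domain Status line shows that only fields that actually differ are reported.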
Social engineering attacks, which rely on fooling human beings in positions of trust and authority, are common to many sophisticated attacks, as they don’t require any technical knowledge or familiarity with the systems in question – just a convincing ruse. The practice is so common that hacking conferences like DEFCON have added social engineering contests in recent years to highlight the finer points of the art, and to draw attention to the threat it poses to organizations of all sizes.