On Tuesday, August 27, 2013, the website of The New York Times was taken offline by a simple account takeover attack, one that owed more to planning and intelligence gathering than to technical sophistication.
In this targeted account takeover, the attackers went after the DNS records for the New York Times domain. DNS, the Domain Name System, is what lets a user type a human-readable address in words; resolvers convert that name into an IP address so that traffic can be routed to the server hosting the site.
The registrar that holds a domain's registration, and the nameservers the domain delegates to, are publicly visible through a WHOIS lookup.
[Figure: New York Times public WHOIS record, as returned by a WHOIS lookup]
Once the attackers knew that the domain NewYorkTimes.com was registered through Melbourne IT, they had the target for their attack.
Melbourne IT's CTO, Bruce Tonkin, has confirmed that the account of a third-party reseller (distributor) was compromised, allowing the attackers to edit the DNS records for the New York Times domain and redirect the traffic for that address to an entirely different website. Most likely only a single user's credentials were stolen, probably through a targeted (spear) phishing attack. With a valid username and password the attackers could log in exactly as the real user would, and nothing about the login itself looked wrong, so it went undetected.
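A check a domain owner can run on their own side, independent of the registrar, is to resolve the domain's NS and A records on a schedule and diff them against a known-good baseline, so that a silent edit made through a compromised reseller account shows up within minutes rather than after the site has already been redirected. The following is an added example, not code from the original post or from Melbourne IT; the domain, nameservers and addresses are constructed, and the resolver is injected as a callable so the script runs offline.

```python
"""Detect unauthorised changes to a domain's DNS delegation and address
records by diffing what resolvers return now against a known-good baseline.
Added example, not code from the original article or from Melbourne IT.
Domain names, nameservers and addresses below are constructed."""
from dataclasses import dataclass, field


def _norm(name: str) -> str:
    # DNS names are case-insensitive and may carry a trailing dot; normalise
    # so "NS1.Registrar.test." and "ns1.registrar.test" compare equal.
    return name.strip().lower().rstrip(".")


@dataclass(frozen=True)
class RecordSet:
    ns: frozenset  # hostnames of the authoritative nameservers (NS records)
    a: frozenset   # IPv4 addresses the name resolves to (A records)

    @classmethod
    def of(cls, ns, a):
        return cls(frozenset(_norm(n) for n in ns), frozenset(a))


@dataclass
class DriftReport:
    domain: str
    added_ns: set = field(default_factory=set)
    removed_ns: set = field(default_factory=set)
    added_a: set = field(default_factory=set)
    removed_a: set = field(default_factory=set)

    @property
    def severity(self) -> str:
        # Whoever controls the NS records controls every name in the zone,
        # so any delegation change is treated as a probable hijack.
        if self.added_ns or self.removed_ns:
            return "critical"
        if self.added_a or self.removed_a:
            return "high"
        return "none"


def diff_records(domain: str, baseline: RecordSet, observed: RecordSet) -> DriftReport:
    return DriftReport(
        domain=domain,
        added_ns=set(observed.ns - baseline.ns),
        removed_ns=set(baseline.ns - observed.ns),
        added_a=set(observed.a - baseline.a),
        removed_a=set(baseline.a - observed.a),
    )


def check_domains(baseline: dict, resolve) -> dict:
    """Run the check for every baselined domain.
    `resolve(domain)` returns a RecordSet; it is injected so the check runs
    offline here and can be backed by a real resolver in production."""
    return {d: diff_records(d, base, resolve(d)) for d, base in baseline.items()}


# Constructed baseline (hypothetical values, not the real NYT records).
BASELINE = {
    "example-news.test": RecordSet.of(
        ns=["ns1.registrar.test", "ns2.registrar.test"],
        a=["192.0.2.10", "192.0.2.11"],
    )
}


def resolver_normal(domain: str) -> RecordSet:
    # Same data as the baseline, with the case/trailing-dot variations a
    # live resolver may return; must produce no drift.
    return RecordSet.of(ns=["NS1.Registrar.test.", "ns2.registrar.test."],
                        a=["192.0.2.10", "192.0.2.11"])


def resolver_hijacked(domain: str) -> RecordSet:
    # Delegation moved to attacker-controlled nameservers and a new address,
    # as happens when a registrar/reseller account is used to edit the records.
    return RecordSet.of(ns=["ns1.attacker.test", "ns2.attacker.test"],
                        a=["198.51.100.7"])


if __name__ == "__main__":
    for resolver in (resolver_normal, resolver_hijacked):
        for domain, report in check_domains(BASELINE, resolver).items():
            print(f"{resolver.__name__}: {domain} severity={report.severity} "
                  f"added_ns={sorted(report.added_ns)} added_a={sorted(report.added_a)}")
```

In production, replace `resolver_normal` with a function that queries a real resolver (for example dnspython's `dns.resolver.resolve(domain, "NS")` and `resolve(domain, "A")`) and page on any `critical` report. Nameserver changes are ranked above address changes because whoever controls the delegation controls every record in the zone, which is exactly what a registrar-side edit hands to an attacker.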
Increasingly we are seeing highly destructive attacks, causing extraordinary levels of brand damage, that originate from a very simple point of failure: a user and their password.
Bruce Tonkin also revealed that suspicious traffic from India was found in the company's server logs. This tells us that the company has some of the tools needed to spot fraud after the fact, by reviewing logs, but not in real time, while the session is still open and the change could still be blocked. The most security-conscious firms are already adopting real-time behaviour analytics such as NuDetect to protect against account takeover fraud.
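To make the distinction between backwards-looking log review and real-time detection concrete, here is a small streaming monitor, written for this page and not taken from the article or from NuDetect, that scores each reseller-portal event as it arrives: a login from a country never seen for that user, or a burst of failed logins followed by a success, marks the session as risky, and a sensitive action such as a DNS record change made from a risky session raises a high-severity alert at the moment it happens, not the next morning. The log format, user names, IP addresses and countries are constructed; the baseline of known countries stands in for the user's real login history.

```python
"""Real-time account-takeover detection over reseller-portal log lines.
Added example, not code from the original article or from NuData/NuDetect.
The log format, user names, IPs and countries below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"country=(?P<country>[A-Z]{2}) action=(?P<action>\S+)"
    r"(?: status=(?P<status>\S+))?(?: target=(?P<target>\S+))?$"
)

# Actions that change where a customer's domain resolves, or who can log in.
SENSITIVE_ACTIONS = {"dns_update", "nameserver_change", "password_change"}
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
FAILED_LOGIN_LIMIT = 3


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


class TakeoverMonitor:
    def __init__(self, known_countries: dict):
        # known_countries: {user: set of country codes seen in that user's history}
        self.known = {u: set(c) for u, c in known_countries.items()}
        self.risky_sessions = set()      # (user, ip) pairs to treat with suspicion
        self.failed = defaultdict(list)  # user -> timestamps of recent failed logins
        self.alerts = []

    def feed(self, line: str):
        """Process one event as it arrives; return an alert dict or None."""
        ev = parse_line(line)
        if ev is None:
            return None
        user, ip, ts = ev["user"], ev["ip"], ev["ts"]
        reasons, severity = [], None

        if ev["action"] == "login":
            if ev["status"] != "ok":
                self.failed[user].append(ts)
                return None
            recent = [t for t in self.failed[user] if ts - t <= FAILED_LOGIN_WINDOW]
            self.failed[user] = []
            if len(recent) >= FAILED_LOGIN_LIMIT:
                reasons.append(f"{len(recent)} failed logins within {FAILED_LOGIN_WINDOW}")
            if ev["country"] not in self.known.get(user, set()):
                reasons.append(f"login from new country {ev['country']}")
            if reasons:
                self.risky_sessions.add((user, ip))
                severity = "medium"
        elif ev["action"] in SENSITIVE_ACTIONS and (user, ip) in self.risky_sessions:
            reasons.append(f"{ev['action']} on {ev['target']} from a risky session")
            severity = "high"

        if not reasons:
            return None
        alert = {"ts": ts, "user": user, "ip": ip, "severity": severity, "reasons": reasons}
        self.alerts.append(alert)
        return alert

    def run(self, lines):
        return [a for a in (self.feed(line) for line in lines) if a]


# Constructed sample log: a normal session, then a login from a country the
# account has never used, followed by a DNS change from that session.
SAMPLE_LOG = """\
2013-08-27T12:58:03Z user=reseller42 ip=198.51.100.20 country=AU action=login status=ok
2013-08-27T12:59:10Z user=reseller42 ip=198.51.100.20 country=AU action=view target=customer/1234
2013-08-27T13:40:21Z user=reseller42 ip=203.0.113.9 country=IN action=login status=fail
2013-08-27T13:40:35Z user=reseller42 ip=203.0.113.9 country=IN action=login status=ok
2013-08-27T13:41:02Z user=reseller42 ip=203.0.113.9 country=IN action=dns_update target=example-news.test
""".splitlines()

KNOWN_COUNTRIES = {"reseller42": {"AU"}}  # constructed login history


def demo():
    return TakeoverMonitor(KNOWN_COUNTRIES).run(SAMPLE_LOG)


if __name__ == "__main__":
    for a in demo():
        print(a["ts"], a["severity"], a["user"], a["ip"], "; ".join(a["reasons"]))
```

A country is deliberately not added to the user's known set the first time it appears: that decision belongs to a step-up check (a second factor or an out-of-band confirmation) rather than to the monitor, otherwise the attacker's first successful login would teach the system that the new location is normal for that account. The high-severity alert on the `dns_update` event is the point at which a real-time system can hold the change for review, which is what log review after the fact cannot do.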