At this point you've probably heard about the Syrian Electronic Army (SEA) compromising the websites for The New York Times, Twitter, and Huffington Post U.K.
Lesser known, though, is that potential New York Times readers found themselves redirected to a site laced with malware.
[The SEA was] then able to change the records so that rather than pointing to nytimes.com, for example, the Times’ name servers pointed to a domain controlled by the attackers. Officials at CloudFlare, a cloud hosting provider that was involved in the effort to counter the attack, said that the domain to which visitors were redirected was serving malware.
Threatpost — a cybersecurity website — noted that tech company Cloudflare ended up helping the New York Times sort out the mess, which started when MelbourneIT, the Times' registrar, was compromised.
Matthew Prince, CEO of CloudFlare, wrote an analysis of the attack and its aftermath. In it, he describes how tech professionals recognized the malware-laden redirect site and revoked its domain, stemming the tide of exposed users.
From Cloudflare:
Since the cache [Time To Live] on the domain was relatively short, shortly after the domain was revoked traffic largely stopped flowing to the malware infected sites.
And here's Prince's brief explanation on "cleaning up the mess":
At the registry, Verisign rolled back changes to the name servers and added a so-called registry lock to NYTimes.com. This prevented further changes even if initiated by the registrar. While quick action by OpenDNS and Google limited the impact on their customers, web surfers using other recursive DNS providers continued to be served hacked results. Unfortunately, because recursive DNS servers cache results for a period of time, even after the records were corrected, many name servers were still pointing to the incorrect locations for affected domains.
The registrar of the primary domain the Syrian Electronic Army was using as a name server for the domains they hacked revoked the domain's registration this afternoon. Since the cache TTL on the domain was relatively short, shortly after the domain was revoked traffic largely stopped flowing to the malware infected sites. That did not mean all hacked sites came back online. In some places, DNS recursors continue to have the cached bad records. They will expire over the next 24 hours and traffic to sites will return to normal.
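The two-stage recovery Prince describes (a corrected delegation that recursors keep serving stale until its TTL expires, versus traffic to the malware host stopping soon after the attacker's short-TTL nameserver domain is revoked) can be replayed with a toy TTL cache. This is an added example, not Cloudflare's or the article's code; every name, address and TTL in it is constructed.

```python
NXDOMAIN = "NXDOMAIN"


class Recursor:
    """Toy recursor: a cached answer is served, without asking upstream, until it expires."""

    def __init__(self, auth, negative_ttl=60):
        self.auth = auth            # dict: (name, type) -> (value, ttl), or None once revoked
        self.cache = {}             # dict: (name, type) -> (value, expires_at)
        self.negative_ttl = negative_ttl

    def lookup(self, key, now):
        hit = self.cache.get(key)
        if hit and now < hit[1]:
            return hit[0]                       # fresh entry served from cache
        rec = self.auth.get(key)
        if rec is None:                         # revoked or unknown: cache the miss briefly
            self.cache[key] = (NXDOMAIN, now + self.negative_ttl)
            return NXDOMAIN
        value, ttl = rec
        self.cache[key] = (value, now + ttl)
        return value

    def where_traffic_goes(self, site, now):
        """Follow the site's NS delegation to the nameserver's address."""
        ns = self.lookup((site, "NS"), now)
        return NXDOMAIN if ns == NXDOMAIN else self.lookup((ns, "A"), now)


def run_timeline():
    """Return {time in seconds: address visitors of the victim site reach}."""
    auth = {
        ("victim.example.", "NS"): ("ns.attacker.example.", 86400),  # hijacked delegation, long TTL
        ("ns.attacker.example.", "A"): ("203.0.113.66", 300),        # attacker nameserver, short TTL
        ("ns.legit.example.", "A"): ("198.51.100.10", 300),
    }
    r, seen = Recursor(auth), {}
    seen[0] = r.where_traffic_goes("victim.example.", 0)
    auth[("victim.example.", "NS")] = ("ns.legit.example.", 86400)  # t=3600: registry rollback
    seen[3601] = r.where_traffic_goes("victim.example.", 3601)      # still stale: NS cached
    auth[("ns.attacker.example.", "A")] = None                      # t=7200: attacker domain revoked
    seen[7201] = r.where_traffic_goes("victim.example.", 7201)      # attacker A expired -> NXDOMAIN
    seen[86401] = r.where_traffic_goes("victim.example.", 86401)    # delegation TTL expired -> legit
    return seen


if __name__ == "__main__":
    for t, where in run_timeline().items():
        print(f"t={t:>6}s  visitors reach {where}")
```

The middle step is the one worth noticing for defenders: after the registry fix, visitors still fail to reach the real site until the long delegation TTL runs out, which is why a registry lock to prevent the change in the first place matters more than fast rollback.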
The latest New York Times attack is one in a long string of media-related hacks by the SEA. The group has also vowed more attacks following any American attack on Syria.
And as if to underscore the group's prowess, Prince notes that the Times' registrar, MelbourneIT, is not the easiest target.
"This was a very spooky attack," Prince writes. "MelbourneIT is known for having higher security than most registrars. We are hopeful that they will post the details of the attack as they are discovered so organizations can understand the threat and how to better protect themselves."