The Syrian Electronic Army (SEA) -- a pro-Assad hacking group -- is making misery for some of the biggest entities on the Internet.
The SEA's activities have attracted plenty of media attention this week. Users couldn't access many high-profile websites Tuesday after SEA launched a targeted phishing attack against a reseller for Melbourne IT, an Australian domain registrar and IT services company. According to the IDG News Service, the attack allowed hackers to change the DNS records for several domain names including nytimes.com, sharethis.com, huffingtonpost.co.uk, twitter.co.uk and twimg.com -- a domain owned by Twitter.
"This resulted in traffic to those websites being temporarily redirected to a server under the attackers' control," the news service reported. "Hackers also made changes to the registration information for some of the targeted domains, including Twitter.com. However, Twitter.com itself was not impacted by the DNS hijacking attack."
Akamai InfoSec's CSIRT team has been monitoring the attacks. From our perspective, recent events illustrate the need for better DNS security and better awareness of spear phishing, a favorite tactic of the SEA.
Michael Kun, a security response engineer on Akamai InfoSec's CSIRT team, told me companies should be getting more serious about registry locks so the bad guys can't tamper with DNS servers.
Domain owners can and should ask their registrars to put registry locks in place -- something Melbourne IT did for nytimes.com and the other sites. The lock is applied at the registry level, by the companies that administer domain extensions such as .net, .org and .com.
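A domain owner can confirm that a registry lock is actually in place by reading the status codes in the domain's WHOIS record. The script below is an added example, not from Akamai or the registrars named in this article. It assumes a lock is represented by the three registry-set EPP status codes (`server*Prohibited`), and the WHOIS text and example.com/example.net domains in it are constructed samples.

```python
import re

# EPP status codes set by the registry ("server*") and by the registrar ("client*").
# Assumption: a domain counts as locked only when all three codes of a kind are present.
REGISTRY_LOCK = {"serverdeleteprohibited", "servertransferprohibited", "serverupdateprohibited"}
REGISTRAR_LOCK = {"clientdeleteprohibited", "clienttransferprohibited", "clientupdateprohibited"}

# Matches both "Domain Status: <code> <url>" and the older "Status: <code>" form.
STATUS_LINE = re.compile(r"^\s*(?:domain\s+)?status:\s*([A-Za-z]+)", re.IGNORECASE | re.MULTILINE)

def parse_statuses(whois_text):
    """Return the set of lower-cased status codes found in a WHOIS record."""
    return {m.group(1).lower() for m in STATUS_LINE.finditer(whois_text)}

def audit_locks(whois_text):
    """Report which registry-level and registrar-level locks are missing."""
    statuses = parse_statuses(whois_text)
    missing_registry = sorted(REGISTRY_LOCK - statuses)
    missing_registrar = sorted(REGISTRAR_LOCK - statuses)
    return {
        "registry_locked": not missing_registry,
        "registrar_locked": not missing_registrar,
        "missing_registry": missing_registry,
        "missing_registrar": missing_registrar,
    }

# Constructed sample records (not real WHOIS output).
LOCKED = """Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""
UNLOCKED = """Domain Name: EXAMPLE.NET
   Status: clientTransferProhibited
"""

if __name__ == "__main__":
    for name, record in (("example.com", LOCKED), ("example.net", UNLOCKED)):
        result = audit_locks(record)
        state = "registry lock present" if result["registry_locked"] else "NO registry lock"
        print(f"{name}: {state}; missing: {result['missing_registry']}")
```

Run on a schedule against saved WHOIS output for each domain you own, a change from locked to unlocked is worth an alert.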
Kun said companies should also seek out registrars that require two-factor authentication and pressure other registrars to support two-factor authentication as well.
"Unfortunately, the problem is really with the registrars, so there's not much that customers can do directly except to vote with their dollars," Kun said.