It's every chief technical officer's worst nightmare. When Bruce Tonkin, CTO for the world's sixth largest domain registrar, Melbourne IT, woke in Melbourne on Wednesday, August 29, to learn some of his biggest clients, including the New York Times and Twitter, had been hacked, it was not a good start to the day. And a US-based reseller was responsible.
Staff of the un-named reseller "unwittingly" responded to a spear phishing attack which allowed attackers to access sensitive information, including usernames and passwords. This was used to access the reseller's account on Melbourne IT systems.
As a result, the global media were banging down Melbourne IT's door. "It's the worst nightmare when I hear that there has been a security breach, but it's an even bigger nightmare for the CIO of the company that has been breached," Tonkin said. "I feel for the customers more than anything else. The CIO would have been frantic. They were probably looking for someone who had accessed their website."
The New York Times and Twitter had been the victims of an elaborate spear phishing attack from pro-Assad regime "hacktivists", The Syrian Electronic Army.
Spear phishing is a targeted phishing attack in which attackers zero in on individuals they have identified as having access to the sites they want to infiltrate.
In this case, they spoofed the email address of somebody who was familiar to the reseller's staff, and sent out an email with a link to what looked like a news story.
Staff then "unwittingly" entered their login details.
Tonkin said he was made aware of the breach through a US reseller partner. "The reseller said a change had been made to the DNS record and that they were having trouble changing it back," Tonkin said. "It was flip-flopping. We saw it was modified and moved it into a registry lock. It took an hour or two to analyse what was happening and we identified a spear phishing email.
"We are now going to make a couple of changes on the security side, but the big thing is educating our staff to be very aware of spear phishing types of emails."
Tonkin said commonly targeted websites, such as those of big IT companies, banks and government, were already on permanent registry lock. This effectively puts the domain in manual mode, so that any change requires registrar staff to act on it. It also costs more.
"The issue is if names were on registry lock the changes would not have been made," he said. "Unfortunately, it's often when people are attacked that they take up higher security."
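To make the registry-lock point concrete, here is an added example (not code from Melbourne IT or from the article) that checks whether a domain's RDAP record carries the three server-side EPP prohibitions that make up a registry lock, and compares its delegation against the name servers you expect, so a DNS change like the one Tonkin describes would be flagged. The RDAP records below are constructed for illustration.

```python
import json

# EPP status codes that together constitute a registry lock (RFC 5731 names;
# RDAP spells them with spaces per RFC 8056, so both forms are normalised below).
REGISTRY_LOCK_STATUSES = ("serverUpdateProhibited",
                          "serverDeleteProhibited",
                          "serverTransferProhibited")

def _normalise(status):
    return status.replace(" ", "").replace("_", "").lower()

def registry_lock_status(rdap_record):
    """Return (locked, missing): locked is True only when all three
    server*Prohibited statuses are present on the domain."""
    present = {_normalise(s) for s in rdap_record.get("status", [])}
    missing = [s for s in REGISTRY_LOCK_STATUSES if _normalise(s) not in present]
    return (not missing, missing)

def nameserver_drift(rdap_record, expected_ns):
    """Compare the registry's delegation with the NS set you expect.
    Returns (unexpected, absent) so a monitor can alert on either."""
    observed = {ns["ldhName"].lower().rstrip(".")
                for ns in rdap_record.get("nameservers", [])}
    expected = {n.lower().rstrip(".") for n in expected_ns}
    return sorted(observed - expected), sorted(expected - observed)

# Constructed RDAP-style records (not real registry data).
LOCKED_RECORD = json.loads("""{
  "ldhName": "example.com",
  "status": ["client transfer prohibited", "server delete prohibited",
             "server transfer prohibited", "server update prohibited"],
  "nameservers": [{"ldhName": "NS1.EXAMPLE.NET."}, {"ldhName": "ns2.example.net"}]
}""")

HIJACKED_RECORD = json.loads("""{
  "ldhName": "example.com",
  "status": ["client transfer prohibited"],
  "nameservers": [{"ldhName": "ns1.example.net"}, {"ldhName": "ns.unknown-host.invalid"}]
}""")

EXPECTED_NS = ["ns1.example.net", "ns2.example.net"]

if __name__ == "__main__":
    for name, rec in (("locked", LOCKED_RECORD), ("hijacked", HIJACKED_RECORD)):
        locked, missing = registry_lock_status(rec)
        extra, gone = nameserver_drift(rec, EXPECTED_NS)
        print(f"{name}: registry lock={'yes' if locked else 'no'} missing={missing} "
              f"unexpected NS={extra} absent NS={gone}")
```

In practice the record would come from the registry's RDAP endpoint; a domain that fails the lock check is the one to move onto registry lock before, rather than after, an incident.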
For the Australian ICT chain the message is stark: It could happen to you, and to your customers - big or small.