Syrian Hackers Subvert Ad Network
Domain Registrar Hack Blocks Sites, Serves SEA Boast
The website outages and defacements reportedly affected more than 80 sites, ranging from Betty Crocker, Dell and Ferrari to National Geographic, the U.S. National Hockey League, and Verizon Wireless. A number of media outlets also confirmed that their sites had been disrupted, including the New York Daily News, the Canadian Broadcasting Network, CNBC, and the UK's Daily Telegraph, Evening Standard and Independent, among other sites around the world.
A Twitter account that appears to be operated by the SEA - and which in the past has been a reliable source of information about the group - later claimed credit for the Nov. 27 attacks. "Happy thanks giving, hope you didn't miss us! The press: Please don't pretend #ISIS are civilians. #SEA," it said, in apparent reference to the Islamic State of Iraq and the Levant. The account also released a picture of what appeared to be the GoDaddy control panel for Gigya.com.
After the SEA's hacking message began appearing on websites, though only sporadically and only in some geographies, and before the SEA's claim of responsibility appeared on Twitter, information security experts had already traced the attack to Gigya, an advertising network used by all of the affected sites.
GoDaddy tells Information Security Media Group that the attacker appears to have first compromised the Gigya email account that was registered with GoDaddy. "The attacker then used our standard password reset process to gain GoDaddy account access and made DNS changes," says GoDaddy chief information security officer Todd Redfoot. "We have since assisted the customer in regaining account access and reversing the DNS changes."
Salyer says the attack was detected at 6:45 a.m. Eastern Time, and the company's "whois" record was fixed by 7:40 a.m. Eastern Time. But because DNS changes take time to propagate, the fix did not take effect everywhere immediately. "Gigya has the highest levels of security around our service and user data. We have put additional measures in place to protect against this type of attack in the future," Salyer says.
The company didn't immediately respond to a request for comment about what those information security improvements might be. But multiple information security experts have suggested that the company was likely not using two-factor authentication to restrict access to its GoDaddy account, a feature that the domain registrar offers. Using two-factor authentication would have made it much more difficult for attackers to access Gigya's GoDaddy account and alter its DNS settings.
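The uneven propagation described above is also what makes a registrar-level DNS change hard to spot from a single vantage point: one resolver still returns the legitimate records while another already serves the altered ones. The following is an added example, not code from the article or from Gigya or GoDaddy, of the kind of baseline comparison a defender can run against answers collected from several resolvers. The domain, name servers and addresses are constructed placeholders (RFC 5737 addresses and `.test` names), and the `Baseline`, `check_resolver` and `assess` names are this example's own.

```python
# Added example (not from the article): compare the DNS answers seen from
# several resolvers against a known-good baseline, so a registrar-level
# change to NS/A records is flagged even while it is only partially
# propagated. Domain, name servers and addresses are constructed placeholders.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Baseline:
    """Expected record sets for one domain (what the registrar should publish)."""
    domain: str
    ns: FrozenSet[str]
    a: FrozenSet[str]


# Observed answers per resolver: resolver name -> {"NS": {...}, "A": {...}}
Observed = Dict[str, Dict[str, FrozenSet[str]]]


def check_resolver(baseline: Baseline, answer: Dict[str, FrozenSet[str]]) -> List[str]:
    """Return findings for one resolver; an empty list means it matches the baseline."""
    findings = []
    for rtype, expected in (("NS", baseline.ns), ("A", baseline.a)):
        got = frozenset(answer.get(rtype, ()))
        if got != expected:
            unexpected = sorted(got - expected)
            missing = sorted(expected - got)
            findings.append(
                f"{rtype} mismatch for {baseline.domain}: "
                f"unexpected={unexpected} missing={missing}"
            )
    return findings


def assess(baseline: Baseline, observed: Observed) -> Dict[str, object]:
    """Summarise across resolvers. 'status' is 'consistent' when every resolver
    matches, 'partial' when only some diverge (a change still propagating, as in
    the incident above), and 'full' when all of them serve the altered records."""
    per_resolver = {name: check_resolver(baseline, ans) for name, ans in observed.items()}
    diverging = sorted(name for name, findings in per_resolver.items() if findings)
    if not diverging:
        status = "consistent"
    elif len(diverging) < len(per_resolver):
        status = "partial"
    else:
        status = "full"
    return {"status": status, "diverging": diverging, "findings": per_resolver}


# Constructed sample data (RFC 5737 addresses, .test names), not real records.
BASELINE = Baseline(
    domain="example-customer.test",
    ns=frozenset({"ns1.registrar-dns.test", "ns2.registrar-dns.test"}),
    a=frozenset({"203.0.113.10"}),
)

OBSERVED: Observed = {
    # Still serving the legitimate records (change not yet propagated here).
    "resolver-us": {"NS": frozenset(BASELINE.ns), "A": frozenset(BASELINE.a)},
    # Fully altered: both the delegation and the address point elsewhere.
    "resolver-eu": {"NS": frozenset({"ns1.unexpected-host.test"}),
                    "A": frozenset({"198.51.100.7"})},
    # Delegation unchanged, but the address already differs.
    "resolver-asia": {"NS": frozenset(BASELINE.ns), "A": frozenset({"198.51.100.7"})},
}

if __name__ == "__main__":
    result = assess(BASELINE, OBSERVED)
    print(result["status"], result["diverging"])
    for name, findings in result["findings"].items():
        for line in findings:
            print(f"  [{name}] {line}")
```

In practice the `OBSERVED` dictionary would be filled from live queries against resolvers in different regions, and the baseline would be the record set the organisation itself published; a `partial` result is the signal that a change is in flight, which is exactly the window in which the registrar account should be locked down and the records reverted before the remaining resolvers' caches expire.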
This is far from the first attack that's been tied to the SEA, which is a hacking collective that backs - and may be sponsored by - President Bashar al-Assad of Syria. Since early in 2011, Syria has been fighting a bloody civil war in which nearly 200,000 people have reportedly been killed and millions left homeless. The SEA has previously hacked a number of websites and Twitter accounts, often focusing on news outlets - ranging from the BBC and National Public Radio to Reuters and mock news site the Onion - to protest coverage of Assad that it finds unfavorable.
The group's best-known attack to date was arguably its April 2013 hack of the Twitter feed for the Associated Press, and its issuing the following fake post: "Breaking: Two Explosions in the White House and Barack Obama is injured." That tweet, which was quickly recanted by the AP, caused the Dow Jones Industrial Average to plunge 145 points, temporarily erasing $200 billion in value.
SEA Regularly Targets DNS
Gigya isn't the first organization to have had its DNS settings forcibly altered by the SEA. In 2013, the group launched a similar attack against both Twitter and The New York Times. While Twitter quickly recovered, the Times website remained unreachable from some parts of the world for more than 48 hours following the attack.
"Sadly, attacks of this nature are commonplace, and SEA has chosen the holidays in previous years to step up its activities - so be prepared with your response plan and recovery procedures," says Russ McRee, director of threat intelligence and engineering at Microsoft, in a blog post for the SANS Institute's Internet Storm Center.