August 29, 2013, 9:37 AM — As you probably are aware, earlier this week the New York Times Web site got hacked. Actually, that's not quite accurate. It was the New York Times' domain registrar, IT Melbourne, that got hacked. Wait, sorry, that's not quite right either. It wasn't IT Melbourne but one of its domain resellers that got hacked. And they got fooled by one of the oldest tricks in the book.
The phishing email.
The attack allegedly carried out by the Syrian Electronic Army started with the simplest and most effective hacking trick known to geekdom: social engineering.
The U.S.-based sales partner’s credentials ended up in the hackers’ hands after a targeted phishing attack was directed at the firm’s staff, Melbourne IT Chief Technology Officer Bruce Tonkin said early Wednesday. Essentially, several people at the U.S. firm were duped by emails that coaxed them into giving up log-in credentials.
It appears that gaining access to the reseller's account gave the attackers access to the domain control panel at IT Melbourne, which allowed them to change the DNS settings for many sites, including some belonging to the New York Times, Huffington Post, and Twitter. Changing those settings meant that anyone who typed www.nytimes.com into their browser was redirected to a site that distributed malware. It's like someone programming your phone so that when you dial your home number you end up calling a $4 a minute psychic hotline.
The attack was both sophisticated – going through a registrar sales partner to attack a major media site takes some careful planning – and ridiculously simple (“click on this, you dolt”).
The first phishing attacks appeared in the mid 1990s. There have been probably a few trillion since then. So you'd think people would be well aware of them by now. But you'd be wrong.
This is much more common than you might think. Up to 30 percent of users will click on a link in email regardless of how unsafe it may be, notes Stu Sjouwerman, founder of KnowBe4, which trains its clients how to recognize phishing attacks.
Attackers may send spam that looks like it came from corporate email address, luring employees to a fake site where they give up their log-in credentials. Often it's the CEO or CFO who gets snared, he adds.
“C-level executives are the biggest targets and the easiest to socially engineer,” he says. “Attackers will even target their home networks and install software that captures their passwords. The next time the CFO logs into work from home – bingo, they're in.”
This is why phishing emails are still the most common form of social engineering attack, nearly two decades after they first appeared. Most enterprises know enough to harden their systems, fortify their firewalls, and deploy mitigation measures when attacked. But human beings are always the weakest link in any security chain.
Why launch a frontal attack on a fortress when you can convince somebody to let you in the back door?
It's not just newbies. Even technology sophisticated users can be snared. That's because some people just can't help themselves, says Dave Amsler, founder of Foreground Security. They see a link and they have to click it. Like KnowBe4, Foreground does pre-emptive security screening for clients, sending out fake phishing emails to a select group of employees, determining who clicked the links, and then following up with training on how to avoid becoming phish bait.
“But there was this one guy guy just kept clicking the links, year after year,” says Amsler. “Even after he was trained repeatedly not to open attachments or click on links. One year, when he wasn't part of the test bed, someone forwarded the bogus email to him. Naturally, he clicked on it.”
The company eventually had to let him go, says Amsler. His job? Software developer.
Are you smarter than Google?
What's both fascinating and frightening to me about this story is how interconnected everything has become. One person screws up and gets duped by a bogus email, and half a planet away the New York Times goes down.
The moral here: You're not putting yourself at risk by being naive or stupid or just curious; you could be risking the rest of us.
Remember, when Google got pwned by Chinese cyberspies in 2011, it was from a phishing attack. If it can happen to brainiacs at Google, it can happen to me or you.
Got a question about social media or privacy? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Follow him on Twitter: @tynanwrites. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.
Now read this: