Several domains, including New York Times and Twitter ones, hijacked by the Syrian Electronic Army

August 27, 2013 | Jaime Blasco

During the last few hours several domains, including the one belonging to The New York Times, have been redirected to a Syrian Electronic Army server. Here is the list of names observed resolving to that server, from an rdata lookup on the IP 141.105.64.37 (note that it mixes the SEA's own infrastructure, such as sea.sy, syrianelectronicarmy.com and the storm-paradize.* domains, with the hijacked victim names):

Returned 39 RRs in 1.50 seconds.
sokiland.fr.nf. A 141.105.64.37
sea.sy. A 141.105.64.37
m.sea.sy. A 141.105.64.37
mob.sea.sy. A 141.105.64.37
www.mob.sea.sy. A 141.105.64.37
leaks.sea.sy. A 141.105.64.37
www.leaks.sea.sy. A 141.105.64.37
storm-paradize.us. A 141.105.64.37
www.storm-paradize.us. A 141.105.64.37
dns1.storm-paradize.us. A 141.105.64.37
dns2.storm-paradize.us. A 141.105.64.37
storm-paradize.biz. A 141.105.64.37
ns1.storm-paradize.biz. A 141.105.64.37
ns2.storm-paradize.biz. A 141.105.64.37
sea.twimg.com. A 141.105.64.37
sea2.twimg.com. A 141.105.64.37
nytimes.com. A 141.105.64.37
sea.nytimes.com. A 141.105.64.37
sea4.nytimes.com. A 141.105.64.37
sharethis.com. A 141.105.64.37
w.sharethis.com. A 141.105.64.37
qatar-leaks.com. A 141.105.64.37
www.qatar-leaks.com. A 141.105.64.37
perfectpsyche.com. A 141.105.64.37
storm-paradize.com. A 141.105.64.37
www.storm-paradize.com. A 141.105.64.37
syrianelectronicarmy.com. A 141.105.64.37
ns1.syrianelectronicarmy.com. A 141.105.64.37
ns2.syrianelectronicarmy.com. A 141.105.64.37
www.syrianelectronicarmy.com. A 141.105.64.37
leaks.syrianelectronicarmy.com. A 141.105.64.37
zonemu.net. A 141.105.64.37
landesmusic.net. A 141.105.64.37
storm-paradize.net. A 141.105.64.37
storm-paradize.org. A 141.105.64.37
www.storm-paradize.org. A 141.105.64.37
ideal-dimension.org. A 141.105.64.37
www.ideal-dimension.org. A 141.105.64.37
dim-mag.ideal-dimension.org. A 141.105.64.37

The list contains nytimes.com as well as Twitter-owned names such as sea.twimg.com and sea2.twimg.com. The whois data for twimg.com still shows Twitter, Inc. as the registrant organisation, but the admin and technical contacts have been replaced by "SEA" and the name servers have been changed:

Domain Name………. twimg.com
Creation Date…….. 2008-09-23
Registration Date…. 2010-07-04
Expiry Date………. 2014-09-23
Organisation Name…. Twitter, Inc.
Organisation Address. 1355 Market Street
Organisation Address. Suite 900
Organisation Address.
Organisation Address. San Francisco
Organisation Address. 94103
Organisation Address. CA
Organisation Address. UNITED STATES

Admin Name……….. SEA SEA
Admin Address…….. SEA
Admin Address…….. Suite 900
Admin Address……..
Admin Address…….. San Francisco
Admin Address…….. 94103
Admin Address…….. CA
Admin Address…….. UNITED STATES
Admin Email………. [email protected]
Admin Phone………. +1.4152229670
Admin Fax………… +1.4152220922

Tech Name………… SEA SEA
Tech Address……… 1355 Market Street
Tech Address……… Suite 900
Tech Address………
Tech Address……… San Francisco
Tech Address……… 94103
Tech Address……… CA
Tech Address……… UNITED STATES
Tech Email……….. [email protected]
Tech Phone……….. +1.4152229670
Tech Fax…………. +1.4152220922
Name Server………. ns27.boxsecured.com
Name Server………. ns28.boxsecured.com

It is very likely that the registrar account controlling those domains was compromised, rather than any of the victims' web servers: the contact details and name servers were rewritten in the registration records themselves, and nytimes.com shows the same pattern, with the registrant organisation replaced by "SEA" while the technical contact was left untouched:

Domain Name………. nytimes.com
Creation Date…….. 1994-01-18
Registration Date…. 2011-08-31
Expiry Date………. 2014-01-20
Organisation Name…. SEA
Organisation Address. 620 8th Avenue
Organisation Address.
Organisation Address.
Organisation Address. New York
Organisation Address. 10018
Organisation Address. NY
Organisation Address. UNITED STATES

Admin Name……….. SEA SEA
Admin Address…….. SEA
Admin Address…….. 620 8th Avenue
Admin Address……..
Admin Address…….. Syria
Admin Address…….. 10018
Admin Address…….. SY
Admin Address…….. SYRIAN ARAB REPUBLIC
Admin Email………. [email protected]
Admin Phone………. +1.2125561234
Admin Fax…………

Tech Name………… NEW YORK TIMES DIGITAL
Tech Address……… 229 West 43d Street
Tech Address………
Tech Address………
Tech Address……… New York
Tech Address……… 10036
Tech Address……… NY
Tech Address……… UNITED STATES
Tech Email……….. [email protected]
Tech Phone……….. +1.2125561234
Tech Fax…………. +1.1231231234
Name Server………. ns27.boxsecured.com
Name Server………. ns28.boxsecured.com
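The practical lesson from the two records above is that a registrar-level hijack is visible in whois long before anyone notices a defaced page: registrant, contacts and name servers all move at once. The following is an added example, not code from the original post or from AlienVault, that parses the dot-leader whois format shown above and compares each domain against the values its owner expects. The EXPECTED policy values (contact names, ns1/ns2.example.net) and the example.org record are assumptions constructed for the example; the twimg.com and nytimes.com snippets are abridged from the records in the post, with the redacted e-mail lines omitted.

```python
import re
from collections import defaultdict

# Whois records as shown in the post, abridged to the fields this check
# compares (the e-mail lines are omitted because they are redacted above).
TWIMG_WHOIS = """\
Domain Name………. twimg.com
Creation Date…….. 2008-09-23
Organisation Name…. Twitter, Inc.
Admin Name……….. SEA SEA
Admin Address…….. SEA
Admin Address. San Francisco
Tech Name………… SEA SEA
Name Server………. ns27.boxsecured.com
Name Server………. ns28.boxsecured.com
"""

NYTIMES_WHOIS = """\
Domain Name………. nytimes.com
Creation Date…….. 1994-01-18
Organisation Name…. SEA
Admin Name……….. SEA SEA
Admin Address. Syria
Tech Name………… NEW YORK TIMES DIGITAL
Name Server………. ns27.boxsecured.com
Name Server………. ns28.boxsecured.com
"""

# Constructed clean record (not from the post) so the check has a passing case.
CLEAN_WHOIS = """\
Domain Name………. example.org
Organisation Name…. Example Org
Admin Name……….. Example Org
Tech Name………… Example Org
Name Server………. ns1.example.net
Name Server………. ns2.example.net
"""

# Hypothetical policy: what each domain owner expects to see.  These values
# are assumptions for the example, not the real pre-hijack records.
EXPECTED = {
    "twimg.com": {
        "Organisation Name": {"Twitter, Inc."},
        "Admin Name": {"Twitter, Inc."},
        "Tech Name": {"Twitter, Inc."},
        "Name Server": {"ns1.example.net", "ns2.example.net"},
    },
    "nytimes.com": {
        "Organisation Name": {"The New York Times Company"},
        "Admin Name": {"New York Times Digital"},
        "Tech Name": {"New York Times Digital"},
        "Name Server": {"ns1.example.net", "ns2.example.net"},
    },
    "example.org": {
        "Organisation Name": {"Example Org"},
        "Admin Name": {"Example Org"},
        "Tech Name": {"Example Org"},
        "Name Server": {"ns1.example.net", "ns2.example.net"},
    },
}

# "Label…….. value": a label of letters/spaces, a run of dot leaders
# (ASCII '.' or the ellipsis character seen above), then the value.
LINE_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)[.…]+\s*(.*?)\s*$")


def parse_whois(text):
    """Parse dot-leader whois output into {field: [values]}; empty values are dropped."""
    fields = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(2):
            fields[m.group(1).strip()].append(m.group(2))
    return dict(fields)


def check_whois(domain, text, expected=EXPECTED):
    """Compare one whois record with the owner's expectations.

    Returns {field: {"expected": [...], "observed": [...]}} for every field
    whose observed values differ (case-insensitively); {} means nothing moved.
    """
    observed = parse_whois(text)
    findings = {}
    if observed.get("Domain Name", [None])[0] != domain:
        findings["Domain Name"] = {"expected": [domain],
                                   "observed": observed.get("Domain Name", [])}
    for field, allowed in expected[domain].items():
        seen = {v.casefold() for v in observed.get(field, [])}
        if seen != {v.casefold() for v in allowed}:
            findings[field] = {"expected": sorted(allowed),
                               "observed": sorted(observed.get(field, []))}
    return findings


if __name__ == "__main__":
    for dom, rec in (("twimg.com", TWIMG_WHOIS), ("nytimes.com", NYTIMES_WHOIS),
                     ("example.org", CLEAN_WHOIS)):
        print(dom, check_whois(dom, rec) or "OK")
```

Run against the two records from the post, the check reports the replaced contacts and name servers for twimg.com, and additionally the replaced registrant organisation for nytimes.com; the untouched NYT technical contact is not flagged. In practice the "expected" values come from your last known-good whois snapshot, and the comparison runs on a schedule against fresh registrar output.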

We will keep you up to date once we discover more information about how the Syrian Electronic Army took over the domain names.

Stay safe!

Update:

It seems other domains, such as huffingtonpost.co.uk and twitter.co.uk, were also affected. An rdata lookup for ns1.syrianelectronicarmy.com shows these zones delegated to the SEA's own name server (these NS records differ from the boxsecured.com name servers in the whois output above; both were observed during the incident):

Rdata results for ANY/ns1.syrianelectronicarmy.com.

Returned 6 RRs in 0.02 seconds.

sea.sy. NS ns1.syrianelectronicarmy.com.
twitter.co.uk. NS ns1.syrianelectronicarmy.com.
huffingtonpost.co.uk. NS ns1.syrianelectronicarmy.com.
twimg.com. NS ns1.syrianelectronicarmy.com.
nytimes.com. NS ns1.syrianelectronicarmy.com.
sharethis.com. NS ns1.syrianelectronicarmy.com.
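Both lookups in this post are the same pivot: take one attacker-controlled rdata (an IP, then a name server) and list every owner name that points at it. The following is an added example, not code from the original post or from AlienVault, that performs that pivot offline on records in the format shown above and checks a watchlist of domains you own against (a) the NS and A values you expect, (b) rdata that is, or sits under, a known attacker name or IP, and (c) co-location with attacker names on the same rdata. The WATCHLIST expectations, the INDICATORS set and the two example.org records are assumptions constructed for the example; the other records are a subset of those in the post.

```python
import re
from collections import defaultdict

# Records in the post's "owner. TYPE rdata" format: a subset of the 39 A
# records and the six NS records above, plus two constructed example.org
# records (not from the post) so the check has a clean case to pass.
SAMPLE_RRS = """\
sea.sy. A 141.105.64.37
storm-paradize.us. A 141.105.64.37
sea.twimg.com. A 141.105.64.37
nytimes.com. A 141.105.64.37
sea.nytimes.com. A 141.105.64.37
sea4.nytimes.com. A 141.105.64.37
sharethis.com. A 141.105.64.37
syrianelectronicarmy.com. A 141.105.64.37
ns1.syrianelectronicarmy.com. A 141.105.64.37
sea.sy. NS ns1.syrianelectronicarmy.com.
twitter.co.uk. NS ns1.syrianelectronicarmy.com.
huffingtonpost.co.uk. NS ns1.syrianelectronicarmy.com.
twimg.com. NS ns1.syrianelectronicarmy.com.
nytimes.com. NS ns1.syrianelectronicarmy.com.
sharethis.com. NS ns1.syrianelectronicarmy.com.
example.org. A 203.0.113.10
example.org. NS ns1.example.net.
"""

# Hypothetical expectations for domains we own (assumed values; a real
# deployment takes these from the zone file or a known-good snapshot).
WATCHLIST = {
    "nytimes.com": {"NS": {"ns1.example.net", "ns2.example.net"}, "A": {"203.0.113.20"}},
    "twitter.co.uk": {"NS": {"ns1.example.net", "ns2.example.net"}},
    "example.org": {"NS": {"ns1.example.net", "ns2.example.net"}, "A": {"203.0.113.10"}},
}

# Attacker infrastructure named in the post: rdata that is one of these (or a
# name under one of them) is hostile, and so is sharing rdata with such a name.
INDICATORS = {"syrianelectronicarmy.com", "sea.sy", "141.105.64.37"}

RR_RE = re.compile(r"^(\S+?)\.?\s+(A|AAAA|NS|CNAME|MX)\s+(\S+?)\.?$")


def parse_rrs(text):
    """Parse 'owner. TYPE rdata' lines into (owner, type, rdata); lowercased, trailing dots removed."""
    rrs = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            rrs.append((m.group(1).lower(), m.group(2), m.group(3).lower()))
    return rrs


def under(name, apex):
    """True if name equals apex (also covers an exact IP match) or is a subdomain of it."""
    return name == apex or name.endswith("." + apex)


def is_hostile(name, indicators=INDICATORS):
    return any(under(name, i) for i in indicators)


def names_sharing(rrs, rdata):
    """The post's pivot: every owner name observed with this rdata."""
    want = rdata.lower().rstrip(".")
    return sorted({o for o, _, r in rrs if r == want})


def check_delegations(rrs, watchlist=WATCHLIST, indicators=INDICATORS):
    """Return {apex: [(owner, type, rdata, reason), ...]} for watched domains.

    reasons: 'unexpected-rdata'    rdata not in the expected set for that type
             'rdata-in-bad-domain' rdata is, or is under, a known attacker name/IP
             'colocated-with-bad'  a known attacker name has the same rdata
    """
    by_rdata = defaultdict(set)
    for owner, rtype, rdata in rrs:
        by_rdata[(rtype, rdata)].add(owner)
    findings = defaultdict(list)
    for owner, rtype, rdata in rrs:
        apex = next((a for a in watchlist if under(owner, a)), None)
        if apex is None:
            continue
        allowed = watchlist[apex].get(rtype)
        if allowed is not None and rdata not in allowed:
            findings[apex].append((owner, rtype, rdata, "unexpected-rdata"))
        if is_hostile(rdata, indicators):
            findings[apex].append((owner, rtype, rdata, "rdata-in-bad-domain"))
        if any(is_hostile(n, indicators) for n in by_rdata[(rtype, rdata)] if n != owner):
            findings[apex].append((owner, rtype, rdata, "colocated-with-bad"))
    return dict(findings)


if __name__ == "__main__":
    rrs = parse_rrs(SAMPLE_RRS)
    print("names on 141.105.64.37:", names_sharing(rrs, "141.105.64.37"))
    for apex, hits in check_delegations(rrs).items():
        for hit in hits:
            print(apex, *hit)
```

On the sample data, nytimes.com and twitter.co.uk are flagged on all three grounds and example.org on none; huffingtonpost.co.uk is not in the watchlist and so is not reported, which is the point of keeping a watchlist of your own zones rather than alerting on every name seen. The expectation check is deliberately per record (any NS or A outside the allowed set), because a hijack adds or swaps records rather than leaving the set short.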

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team, which researches threat intelligence and integrates it into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as the New York Times, BBC, Washington Post and Al Jazeera.