Statement regarding reported domain hijacking incident
UPDATED STATEMENT ON REPORTED SECURITY INCIDENTS
Melbourne, Australia - 29 August 2013 - Melbourne IT has continued its investigations into two security incidents being reported in the media. While we believe these incidents are related to the same third-party attacker, they are separate from a security perspective and below is a summary of our investigations.
Domain hijacking incident
Staff of an overseas-based reseller unwittingly responded to a spear phishing attack, giving the attackers access to sensitive information, including usernames and passwords, which was then used to access the reseller's account on Melbourne IT systems. This resulted in unauthorized changes to the DNS records of two domain names associated with providing news related to the Syrian conflict.
Once Melbourne IT was notified of the incident, the company:
- changed the affected DNS records back to their previous values
- locked the affected records from any further changes at the .com domain name registry
- changed the account credentials so no further changes could be made
- notified the recipients of the phishing email to update their passwords
- temporarily suspended access to affected user accounts until passwords have been changed.
We continue to review our logs to see if we can obtain information on the identity of the party that has used the account credentials. We are also working closely with our affected reseller to review additional layers of security that we can add for their customers.
Again, we stress that for mission-critical names we recommend that domain name owners take advantage of the additional registry lock features available from domain name registries, including .com and .com.au: some of the domain names targeted had these lock features active and were therefore not affected.
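To make the registry lock recommendation concrete, the following added example (not Melbourne IT's code) parses the "Domain Status:" lines of a constructed WHOIS record and separates registry-level (server*) EPP lock codes from registrar-level (client*) ones; only the server* codes survive a compromise of the registrar or reseller account, which is the distinction the statement draws. The RDAP spellings ("server update prohibited", RFC 8056) are accepted as well, and the sample record is constructed, not a real domain.

```python
"""Classify a domain's EPP status codes into registry-level and registrar-level locks."""
from __future__ import annotations
import re

# Set by the registry (e.g. a .com "registry lock" product); the registrar cannot clear them.
REGISTRY_LOCK_CODES = {"serverupdateprohibited", "serverdeleteprohibited", "servertransferprohibited"}
# Set by the registrar; anyone holding registrar/reseller credentials can remove them.
REGISTRAR_LOCK_CODES = {"clientupdateprohibited", "clientdeleteprohibited", "clienttransferprohibited"}

# Matches "Domain Status: <code> [<icann epp url>]" as printed by gTLD WHOIS servers.
_STATUS_LINE = re.compile(r"^\s*Domain Status:\s*([A-Za-z ]+?)(?:\s+https?://\S+)?\s*$", re.M)

# Constructed sample record for demonstration only.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Name Server: NS1.EXAMPLE.COM
"""


def normalise(status: str) -> str:
    """Map 'serverUpdateProhibited' and RDAP's 'server update prohibited' to one key."""
    return re.sub(r"\s+", "", status).lower()


def parse_whois_statuses(whois_text: str) -> set[str]:
    """Return the normalised status codes found in the 'Domain Status:' lines."""
    return {normalise(m.group(1)) for m in _STATUS_LINE.finditer(whois_text)}


def classify_locks(statuses) -> dict:
    """Split status codes into registry vs registrar locks and flag the key protection."""
    norm = {normalise(s) for s in statuses}
    return {
        "registry_locks": sorted(norm & REGISTRY_LOCK_CODES),
        "registrar_locks": sorted(norm & REGISTRAR_LOCK_CODES),
        # DNS/nameserver changes through a compromised registrar account are blocked
        # only while the registry itself holds serverUpdateProhibited on the name.
        "protected_against_registrar_compromise": "serverupdateprohibited" in norm,
    }


if __name__ == "__main__":
    print(classify_locks(parse_whois_statuses(SAMPLE_WHOIS)))
```

A name showing only client* codes is locked at the registrar alone and should be treated as unprotected for the scenario described above.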
Melbourne IT blog defacement
Late last night, a minor blog site (disused by Melbourne IT since April) was replaced with unauthorized content by a third-party attacker, which we believe to be the same perpetrator as in the first attack on our reseller.
We believe this incident is the result of a vulnerability in an old version of the software which the blog used and unrelated to the credentials breach at our reseller. We have removed the blog site.
We are continuing to monitor our infrastructure closely and will keep our customers and partners informed of any further developments. We are cooperating with law enforcement authorities globally.