When Syrian hackers attacked, Facebook's bacon was saved by security measures

Facebook lockFacebook has been in touch with me about the Syrian Electronic Army (SEA) breaking into MarkMonitor, and the hackers' attempt to hijack the social network's DNS records.

If the SEA had been successful they would have been able to redirect Facebook's visitors to a third party site, perhaps hosting an offensive message, a phishing trap or even malware. But in the end it only resulted in a (brief) change to the site's registrant contact details.

A Facebook spokesman contacted me, sharing the following information:

I wanted to let you know that it may not have been such a close call after all. We use a registry lock and two-factor authentication on our accounts.

So, why didn't that stop the hackers from changing the registrant contact details listed for Facebook.com to point to Syria and a Gmail email address?

The registrant contact details are controlled by the registrar. Registry lock doesn't apply.

Clearly MarkMonitor has suffered from a serious security problem, allowing unauthorised parties to access its administration panel and meddle with the registrant records for many of its customers - including Facebook.

The SEA tweeted an image of a Mark Monitor administrator panel

But the hackers were prevented from doing any further damage in Facebook's case, because the firm had additional protection in place - in the form of a registry lock and two-factor authentication.

A registry lock requires any requests to change a website's DNS settings to be manually verified and authenticated.

Enabling extra security measures can reduce the chance of your own company's website being messed around with by DNS hijackers (hello eBay and PayPal UK...)

Learn that lesson now, before it's your company which ends up making headlines after an embarrassing and very public attack.

If you are on Facebook, and want to be kept updated with news about security and privacy risks, and tips on how to protect yourself online, join the Graham Cluley Security News Facebook page.

Tags: , , , , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , , , , ,

One Response

  1. Douglas Brown

    February 6, 2014 at 3:21 pm #

    DNS pointers are also normally accessed via the same registrar control panel as are the registry lock settings. The two factor authentication may have been the saving grace in this case.

Leave a Reply