Photograph by Angus Oborn, Lonely Planet Images/Getty Images

The New York Times website went down this week thanks to phishing.

Gone Phishing: How Major Websites Get Hacked

The New York Times and Twitter are latest targets of Syrian Electronic Army.

Two digital publishing giants, the New York Times and Twitter, succumbed to hackers on Tuesday, with the Times going dark for six long hours and with Twitter forced to reassure its millions of users that their personal information had not been compromised.

Other major media organizations, including the Financial Times and the Washington Post, have been targeted by hackers in recent months.

Some of the attacks were apparently perpetrated by a Russia-based group called the Syrian Electronic Army, which is allied with the embattled regime of Syrian President Bashar Al-Assad.

The surge of attacks raises questions about just how hacking works.

Though the targets of the recent headline-making attacks are big media organizations, security experts warn that anyone who works online may be at risk from the same malicious technique: phishing.

"The number of Internet users who faced phishing attacks over the last 12 months is shocking—it has grown from 19.9 million to 37.3 million, an increase of 87 percent," said Kurt Baumgartner, a security researcher at Kaspersky Lab, a provider of Internet security software and services. "It means that either people don't know about these warning signs or they don't pay attention."

Phishing refers to a type of online scam in which perpetrators trick users into providing sensitive information, such as passwords, PINs, phone numbers, addresses, and Social Security numbers.

Scammers routinely send out millions of phishing emails. Many are designed to look like they come from legitimate institutions, such as banks and service providers, complete with company logos. The emails ask users to click on a link where they will "verify" their account details by typing them in.

Anatomy of an Attack

In the case of the Times attack, hackers appear to have targeted the company that registered the domain name for the Times. That company is Melbourne IT, based in Australia. By maintaining the domain name record for the Times, the company ensures that when users visit, they connect with the newspaper's servers, which display the expected web content.

Melbourne IT told the Los Angeles Times that hackers had gained access to the user name and password of one of the company's sales partners. With that information, hackers were able to change the domain name records.

So instead of seeing content from the U.S.'s most influential newspaper, browsers to the site were diverted to a domain apparently held by a group called the Syrian Electronic Army.

Melbourne IT's chief technology officer, Bruce Tonkin, told the Los Angeles Times that the hackers obtained login information for his company's records after they sent targeted phishing emails to his staff.

The emails tricked some of his staff members into sending their credentials to the hackers.

Tonkin said that he had seen copies of the emails and that he had locked the access to user accounts that may have been affected until employees changed their passwords.

Melbourne IT spokesperson Tony Smith told the Los Angeles Times that his company is combing through data logs to see what else the hackers might have tried to do, and that it's willing to work with any law enforcement agencies.

Eileen M. Murphy, a vice president of corporate communications for the New York Times, told National Geographic on Wednesday that, technically, the newspaper's website wasn't hacked.

"The attack was at the site of our domain name registrar and it resulted in traffic being redirected from for many users," she said via email.

What Is the Syrian Electronic Army?

Marc Frons, chief information officer for the New York Times, said in a statement that the hack against his organization was carried out by a group known as "the Syrian Electronic Army (SEA), or someone trying very hard to be them."

The SEA gained prominence in May 2011, amid violence in Syria that eventually spiraled into a civil war. The group's stated mission is to offer a pro-Assad counternarrative to what they view as anti-Assad bias in Western media.

Whether there's any official connection between the hackers and Assad's regime is unclear, but in a speech the Syrian president called the SEA "a real army in a virtual reality."

The SEA has been blamed for attacks on the Financial Times, the Associated Press, and even the Onion, a popular satirical newspaper.

On Tuesday, the SEA posted on Twitter that it had hacked into Twitter's own domain name registry records.

Twitter responded that one image server was affected, impacting some photo services. The company says it regained full control of its services within a few hours, and it claims no personal data was compromised.

Beware of Phishing

According to Microsoft, anyone who uses email should take special care to avoid phishing scams, which can also be used by criminals to target personal bank accounts, social media accounts, or other assets.

If an email seems suspect, it should be deleted right away, Microsoft suggests. Users should not click on any links in the message.

Kaspersky Lab's Baumgartner said phishing emails have a number of signs, including attachments, links, misspellings, and a mismatched "from" field or subject line. They often also use alarming language, warning of an account being closed unless immediate action is taken, for example.

"Sometimes, highly targeted attackers will focus on family members, colleagues, fellow volunteers, and community members. [They] attack them first and reuse their clean emails to attack the true targets in their language," said Baumgartner.

Since scammers often appropriate legitimate company logos, phishing messages can be tricky to spot. But institutions rarely ask for any sensitive data over email. If such information is requested, it's safest to directly type in the company's website URL in your browser, and then enter it there, Baumgartner said.

If you do fall for a phishing email by providing information, you should change your passwords immediately and carefully monitor all accounts.
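The warning signs Baumgartner lists (a mismatched "from" field, links, attachments, alarming language) can be checked mechanically on a raw message. The following is an added example, not part of the original article: the function name, the brand table, the word list and the sample message on reserved example domains are all constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

URGENT = re.compile(r"\b(immediately|urgent|suspended|closed|verify)\b", re.I)
LINK = re.compile(r'<a\s+[^>]*href="https?://([^/"]+)[^"]*"[^>]*>(.*?)</a>', re.I | re.S)
SHOWN_HOST = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# Constructed inputs: a brand-to-domain table and one suspicious message.
BRANDS = {"Example Bank": "example.com"}
SAMPLE = (
    'From: "Example Bank Security" <alerts@example.net>\n'
    "Reply-To: helpdesk@example.org\n"
    "Subject: Your account will be closed unless you verify immediately\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<p>Confirm here: <a href="http://login.example.net/verify">'
    "https://www.example.com/account</a></p>\n"
)

def domain(addr):
    """Lower-cased domain part of an address header value ('' if absent)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def phishing_signs(raw, known_brands):
    """Return the set of warning signs found in one raw e-mail message."""
    msg = message_from_string(raw)
    signs = set()
    display = parseaddr(msg.get("From", ""))[0].lower()
    from_dom = domain(msg.get("From"))
    # Display name claims a brand that the sending domain does not belong to.
    for brand, dom in known_brands.items():
        owned = from_dom == dom or from_dom.endswith("." + dom)
        if brand.lower() in display and not owned:
            signs.add("from_mismatch")
    reply_dom = domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        signs.add("reply_to_mismatch")
    body = ""
    for part in msg.walk():
        if part.get_filename():
            signs.add("attachment")
        elif part.get_content_maintype() == "text":
            charset = part.get_content_charset() or "utf-8"
            body += part.get_payload(decode=True).decode(charset, "replace")
    # Visible link text names one host while the href points at another.
    for href_host, text in LINK.findall(body):
        shown = SHOWN_HOST.search(text)
        if shown and shown.group(1).lower() != href_host.lower():
            signs.add("link_mismatch")
    if URGENT.search(msg.get("Subject", "") + " " + body):
        signs.add("alarming_language")
    return signs
```

A hit on any of these signs is a reason to look closer, not proof of phishing, and a message with none of them can still be malicious.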