CNN, Time and Washington Post redirect users to Syrian Electronic Army site

For a short period of time this morning (UTC -7) the websites of CNN, Time and The Washington Post were redirecting some visitors to the website of the Syrian Electronic Army (SEA).

The SEA have been very busy this week, having compromised SocialFlow, The New York Post and others.

It is unclear what the group wants to accomplish, aside from drawing attention to their support of Syrian leader Bashar al-Assad.

SEA first caught the attention of Naked Security when the BBC Weather Twitter account was hacked last March.

Since then they have hacked several other Twitter accounts, including NPR, The Guardian, The Onion and the Financial Times. More recently they have also been attacking web administration panels.

How do they do it? Almost always it boils down to the same basic principle. Human frailness. Phishing. Trickery. Lying. Deceit.

This time it appears they were able to gain control of the administration panel of content recommendation service Outbrain (Disclaimer: Naked Security uses Outbrain to recommend articles).

They posted this screenshot showing the Outbrain administrative panel for CNN:

[Screenshot: the Outbrain administrative panel for CNN]

Once they were in, they were able to plant code to redirect visitors to CNN, Time and The Washington Post to their own website.

It is not clear whether they had full administrative control at Outbrain or whether they were simply able to compromise the logins of the three victim institutions.

Outbrain immediately went offline and confirmed the attack on Twitter. Its tech blog states that it believes it has secured the site, but will remain offline a little longer to be sure it is safe to return online.

I don’t imagine these types of attacks are going to go away anytime soon. Too many people are too trusting and too few websites offer mitigating technologies like two-factor authentication.

What is more concerning is that most of what the SEA does to compromise these accounts could be accomplished by anyone. No special skills needed.

Attackers with more malicious intent could be using these techniques to infect millions of internet users. To a degree they are, but they haven’t had the same success with major media outlets that SEA has.

You wouldn’t think I would have to say this in 2013, but I see evidence that it is necessary:

Don't click links in your email and never enter your credentials when you didn't type in the URL into your browser directly. -- Chester Wisniewski

Update: The Syrian Electronic Army has published a screenshot showing them hacking the Outbrain widget for the New York Times as Outbrain began shutting down their service.