High-profile media organisations are no strangers to the attention of hackers, and Reuters has once again fallen victim to the actions of the Syrian Electronic Army (SEA).
Visitors who attempted to read the story “Attack from Syria kills Israeli teen on Golan, Israel says” didn’t see quite what they expected until the original article was restored late on Sunday evening.
Instead, they were faced with a typical SEA message which read:
Hacked by Syrian Electronic Army
Stop publishing fake reports and false articles about Syria!
UK government is supporting the terrorists in Syria to destroy it, Stop spreading its propaganda.
Unlike similar defacements, however, it happened as a result of a compromise at third-party ad provider Taboola, who confirmed the breach:
Today, between 7AM - 8AM EDT, an organization called the “Syrian Electronic Army” hacked Taboola’s widget on Reuters.com.
The intruder was redirecting users that accessed article pages on reuters.com to a different landing page.
Code dynamically inserted into Reuters web pages by the New York-based company appears to have been poisoned by the Syrian Electronic Army in order to redirect visitors to another page under the hackers' control.
As with Viber last year, Taboola confirmed that a successful phishing attack led to the compromise. Company founder and CEO Adam Singolda wrote:
While we use 2-step authentication, our initial investigation shows the attack was enabled through a phishing mechanism. We immediately changed all access passwords, and will continue to investigate this over the next 24 hours.
This method of attack is not uncommon for the SEA, which has adopted a similar approach in the past to target popular media websites.
In August 2013 the group were able to take control of the administration panel of Outbrain, a content recommendation service used by many popular websites such as CNN, Time magazine and The Washington Post. This allowed the group to plant code that caused visitors to be redirected to the SEA’s own site.
Like Taboola, Outbrain was also compromised following a phishing attack.
Lisa LaCour, Vice President of Marketing at Outbrain, revealed that an email which appeared to come from the company’s CEO had duped some employees into handing over their login credentials.
This latest attack again highlights the risks posed by social engineering attacks, which can be performed by just about anyone, irrespective of their level of technical knowledge.
Companies need to consider security in a broad context and not rely solely upon traditional server-based defenses.
Instead, a holistic view is required that also encompasses the risks posed by third-party advertising networks and analytics providers, as well as from the company’s own employees who may lack the training and awareness required to be able to spot the dangers posed by social engineering.
This leaves me with a lot of questions. Honest questions, not rhetorical ones, so any answers appreciated!
1) It seems strange for SEA to show their hand like this – instead of using an exploit, why not just buy ad space?
2) What’s preventing organizations from purchasing ad-space from these networks and using malicious inserts? In other words – why are we still worried about visiting questionable sites when every site is full of third-party code in the form of advertisements?
Poisoned ads are indeed a real problem, and one we have written about frequently on Naked Security.
Third party ads can not only inject dodgy content into otherwise trustworthy web properties, but also inject it in a way that makes it harder to find, because it doesn’t necessarily show up all the time. If you report a suspected poisoned ad to SophosLabs, for example, it might have vanished by the time our guys go and look, or it might only show up as dangerous on every 3rd, 6th, 112th page reload…which can make dealing with infected ad servers very frustrating!
As to “why are we still worrying about questionable sites?”
Well, poisoned ads are a problem *in addition to* plain old “questionable sites,” not instead of. That’s an ever-thorny issue in computer security: when new threats appear, they rarely replace old problems, but rather add to them. So we have to live with all the hassles of the past *plus* the new stuff.
Thanks! I’ll be sure to look around Naked Security for more about poisoned ads.
How can you phish your way through a 2-step authentication system?
Here’s one way:
http://nakedsecurity.sophos.com/2013/04/19/anatomy-of-a-phish-how-to-spot-a-man-in-the-middle/
Without 2FA the crooks can harvest your credentials (e.g. username and password) using a fake login page, produce some sort of believable “error” to explain why your “login” failed, and then use those credentials later at their leisure – could be today, tomorrow, next week, next month.
In the banking example in the article above, the crooks harvest your credentials and use them *immediately* to initiate a login on your bank’s site. (Manually or automatically, doesn’t matter, it just has to be quick.)
The bank sends *you* an SMS code but asks the *crooks* to type it in. So they ask you to type it for them, via the phishing site 🙂
If you put in the 2FA code, the crooks now have your password plus a currently-valid 2FA code that they can use for themselves. Provided it’s all done quickly enough, you won’t be alerted by unusual delays, and they will get the 2FA code in time to use it before it expires.
The main difference to old-style phishing is that they have to defraud you in parallel with the phish, and they have to phish you every time they want to do a dodgy transaction.
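An added model of the relay the commenter describes above (not code from the article or the comments): a bank that issues a time-limited SMS code per login attempt, the crook forwarding the code the victim typed into the phishing page within that window, and, as the contrast a defender would want, an origin-bound second factor that a forwarded response fails. The shared secret, origins, challenge and clock are constructed demo values.

```python
import hashlib
import hmac

# Constructed demo values: the secret shared between bank and authenticator,
# and how long the bank keeps each SMS code valid.
SHARED_SECRET = b"constructed-shared-secret"
CODE_LIFETIME_SECONDS = 60


class Bank:
    """Minimal model of the bank: password accepted, then a time-limited SMS code."""

    def __init__(self):
        self.pending = {}  # session_id -> (code, issued_at)

    def start_login(self, session_id, now):
        # The phish already harvested the password; derive the code the bank
        # texts to the *real* user's phone for this login attempt.
        code = hashlib.sha256(SHARED_SECRET + session_id.encode()).hexdigest()[:6]
        self.pending[session_id] = (code, now)
        return code

    def finish_login(self, session_id, code, now):
        issued_code, issued_at = self.pending.pop(session_id)
        fresh = now - issued_at <= CODE_LIFETIME_SECONDS
        return fresh and hmac.compare_digest(issued_code, code)


def relayed_sms_login(victim_delay_seconds):
    """Crook starts a login the moment the password arrives; the bank texts the
    victim; the victim types the code into the phishing page after a delay; the
    crook forwards it. Returns whether the bank accepted the crook's session."""
    bank = Bank()
    t0 = 1000  # constructed clock, in seconds
    code_texted_to_victim = bank.start_login("crook-session", now=t0)
    code_typed_into_phish = code_texted_to_victim  # victim relays it, unaware
    return bank.finish_login("crook-session", code_typed_into_phish,
                             now=t0 + victim_delay_seconds)


def origin_bound_response(challenge, origin_seen_by_browser):
    """Authenticator that signs the challenge together with the origin the browser
    is really talking to (the U2F/FIDO idea, added here as the contrast case)."""
    msg = challenge + b"|" + origin_seen_by_browser.encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def relayed_origin_bound_login(origin_seen_by_browser):
    """Same relay, but the bank only accepts a response computed over its own
    origin, so a response produced on the phishing origin fails even if it is
    forwarded instantly."""
    challenge = b"constructed-challenge-42"
    response = origin_bound_response(challenge, origin_seen_by_browser)
    expected = origin_bound_response(challenge, "https://bank.example")
    return hmac.compare_digest(response, expected)
```

The SMS path fails only when the victim is slower than the code lifetime, which is exactly why the crooks have to work in parallel with the phish; the origin-bound path fails regardless of timing.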
I see, very interesting! A two-step phish! Thanks for the info
Also, if the crooks can get malware onto your phone (perhaps it is less well protected than your desktop) that intercepts SMSes, then they can start using old-school phishing techniques to harvest your “static” credentials, like username and password, knowing that they have as good as removed the second factor of authentication from the equation.