Visitors who attempted to read the story “Attack from Syria kills Israeli teen on Golan, Israel says” didn’t see quite what they expected until the original article was restored late on Sunday evening.
Instead, they were faced with a typical SEA message which read:
Hacked by Syrian Electronic Army
Stop publishing fake reports and false articles about Syria!
UK government is supporting the terrorists in Syria to destroy it, Stop spreading its propaganda.
Unlike similar defacements, however, it happened as a result of a compromise at third-party ad provider Taboola, who confirmed the breach:
Today, between 7AM - 8AM EDT, an organization called the “Syrian Electronic Army” hacked Taboola’s widget on Reuters.com.
The intruder was redirecting users that accessed article pages on reuters.com to a different landing page.
Code dynamically inserted into Reuters web pages by the New York-based company appears to have been poisoned by the Syrian Electronic Army in order to redirect visitors to another page under the hackers' control.
As with Viber last year, Taboola confirmed that a successful phishing attack led to the compromise. Company founder and CEO Adam Singolda wrote:
While we use 2-step authentication, our initial investigation shows the attack was enabled through a phishing mechanism. We immediately changed all access passwords, and will continue to investigate this over the next 24 hours.
This method of attack is not uncommon to the SEA which has adopted a similar approach in the past to target popular media websites.
In August 2013 the group were able to take control of the administration panel of Outbrain, a content recommendation service used by many popular websites such as CNN, Time magazine and The Washington Post. This allowed it to plant code that caused visitors to be redirected to the SEA’s own site.
Like Taboola, Outbrain was also compromised following a phishing attack.
Lisa LaCour, Vice President of Marketing at Outbrain, revealed that an email which appeared to come from the company’s CEO had duped some employees into handing over their login credentials.
This latest attack again highlights the risks posed by social engineering attacks which can be performed by just about anyone, irrespective of their level of technical knowledge.
Companies need to consider security in a broad context and to not rely solely upon traditional server-based defenses.
Instead, a holistic view is required that also encompasses the risks posed by third-party advertising networks and analytics providers, as well as from the company’s own employees who may lack the training and awareness required to be able to spot the dangers posed by social engineering.