
Syrian Electronic Army attacks several sites for the price of one


It only took one attack last week, but it was enough to allow the Syrian Electronic Army (SEA) to compromise The Washington Post, CNN and Time.  


On Wednesday, visitors who clicked recommendation links featured on any of the victim sites may have been redirected to pages controlled by the pro-Assad hacker collective. The links were said to have contained political messages and did not serve any malicious content.


The SEA claimed responsibility for the attacks via Twitter, explaining that they were facilitated, and in a short time, by a compromised third party known as Outbrain, a content recommendation service used by more than 90,000 websites and blogs.


Access to Outbrain enabled the attackers to infect the targeted sites.


A successful phishing attack likely provided the way in, Chris Wysopal, co-founder and chief technology officer for application security company Veracode, told on Monday. He explained that official-looking emails were sent to Outbrain employees, appearing to come from CEO Yaron Galai.


Each email contained an embedded link that, when followed, led to a page asking employees to enter their corporate usernames and passwords. At least one phish was successful, and that information was sent back to the attackers.


“Once the SEA had those credentials, they could change the content Outbrain published to their customers – [thus] changing the content that is displayed on those websites,” Wysopal said, explaining future implications could be significant, especially if the end goal is something malicious and not just to spread a political message.


Outbrain responded by taking down its service, successfully blocking the intruders, making a public announcement and improving security to prevent these kinds of attacks. All other services on the media websites do not appear to have been affected.


Wysopal said third-party organisations must be held accountable and that the media industry and their associates appear to be skimping on security. He said these types of attacks will continue to happen if larger entities that outsource do not work collaboratively with their partners to set defence standards.


“To prevent these types of attacks from succeeding, organisations should provide security awareness to their staff to help identify and prevent them from falling prey to spear phishing attacks, implement multi-factor and role-based access controls for corporate social networking accounts, enforce a password policy requiring strong passwords and regular password changes, and conduct regular, thorough account access and vulnerability scanning of internet-facing servers, applications and services,” said Scott Hazdra, principal security consultant at security and risk management consulting company Neohapsis.


The SEA has gained notoriety for hijacking Twitter accounts and exploiting vulnerabilities in websites to harvest data. Wysopal said this particular attack was crafty and signals a significant advancement.
