The pro-Assad 'Syrian Electronic Army' continues to make its presence felt, hacking the Reuters website on Sunday via its ad-serving company Taboola and redirecting users to a message calling for 'fake reports and false articles about Syria' to be stopped, and saying that the UK government is supporting terrorists in Syria.
Users going to a story about an attack from Syria which killed a teenager in the Israeli-occupied Golan were redirected to a site owned by the SEA.
The attack was achieved by targeting Taboola, the New York-based advertising network that supplies adverts to Reuters' site, according to security researcher Frederic Jacobs, who posted his report on medium.com.
Jacobs explained that Taboola dynamically loads code into the Reuters website, and that the Syrian Electronic Army has repeatedly used its Google phishing templates to trick users into giving up their passwords. Jacobs concluded, “If you're using third party analytics or advertising networks, your website's security relies on the weakest of those since any of them is able to take over your website (and potentially steal your user's data or trick them into installing malware). Websites like Reuters use more than 30 of these services and thus expose a considerable attack surface.”
Jacobs advises users that they can block advertising and analytics websites by installing a browser extension such as Disconnect. For system administrators, Jacobs's advice is to minimise the number of third-party providers you need to trust, and to deploy two-factor authentication.
The SEA subsequently tweeted the balance on Taboola's PayPal account. Taboola's founder is Israeli with military experience. Other Taboola clients are now also potentially at risk of being compromised via their advertising server, including Yahoo!, the BBC, Fox News, and the New York Times.
In a blog post, Taboola CEO Adam Singolda said, “While we use 2-step authentication, our initial investigation shows the attack was enabled through a phishing mechanism. We immediately changed all access passwords, and will continue to investigate this over the next 24 hours.”
Since appearing in 2011, the SEA has defaced hundreds of websites, and is variously described as anything from a loose collection of Syrian youth with an indeterminate connection to the Assad regime to just two prolific hackers, but there is no denying it has 19,200 followers on its Twitter feed.
Chris Boyd, malware intelligence analyst at Malwarebytes, commented to SCMagazineUK.com, “This latest attack should reignite the debate on whether we need to be more proactive in how vigorously we block web-based advertising. 2FA as a security precaution is a good idea, but without proper training the human link in the chain will be broken by social engineering every time. Instead of a redirect, visitors to Reuters could have been sent to exploits and malware, so this one should serve as a warning shot to reassess which adverts you're blocking and - more importantly - which ones you're letting through.”