A single attack last week was enough to let the Syrian Electronic Army (SEA) compromise The Washington Post, CNN and Time.
On Wednesday, visitors who clicked recommendation links featured on any of the victim sites may have been redirected to pages controlled by the pro-Assad hacker collective. The links were said to have carried political messages and did not serve any malicious content.
The SEA claimed responsibility for the attacks via Twitter, explaining that it had been carried out quickly by compromising a third party, Outbrain, a content recommendation service used by more than 90,000 websites and blogs.
Access to Outbrain's systems allowed the attackers to alter the recommendation links served on the targeted sites without touching the sites themselves.
A successful phishing attack likely provided the entry point, Chris Wysopal, co-founder and chief technology officer of application security company Veracode, told SCMagazine.com on Monday. He explained that official-looking emails were sent to Outbrain employees, appearing to come from CEO Yaron Galai.
Each email contained an embedded link that, when followed, led to a page asking employees to enter their corporate usernames and passwords. At least one phish succeeded, and the captured credentials were sent back to the attackers.
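The lure described above combines two tells a mail filter can check for: a display name matching a known executive on a message whose sender address is not on the corporate domain, and a link pointing off-domain next to wording that asks for a username and password. The following is an added example, not code from the original article or from Outbrain, that scores a raw email for those signals. The corporate domain (`example.com`), the executive list and both sample messages are constructed assumptions for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed corporate domain and executive names (constructed for this example).
CORP_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"yaron galai"}
LURE_WORDS = ("password", "username", "login", "sign in", "verify", "validate")

# Matches http(s) URLs in either plain text or HTML bodies.
LINK_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _domain_of(address):
    """Lower-cased domain part of an email address, or '' if none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _is_internal(host):
    """True when a link host is the corporate domain or a subdomain of it."""
    return host == CORP_DOMAIN or host.endswith("." + CORP_DOMAIN)


def assess_message(raw):
    """Return the spear-phishing indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)

    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain_of(sender)
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain_of(reply_to)

    # Collect every text part so links are found in plain and HTML bodies alike.
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(parts)
    text = (msg.get("Subject", "") + "\n" + body).lower()

    # Tell 1: an executive's name on a message that did not come from our domain.
    exec_impersonation = (display.strip().lower() in EXECUTIVE_NAMES
                          and sender_domain != CORP_DOMAIN)

    # Tell 2: replies are steered to a different domain than the visible sender.
    reply_to_mismatch = bool(reply_domain) and reply_domain != sender_domain

    # Tell 3: links leaving the corporate domain (unique hosts, in order seen).
    offdomain = []
    for url in LINK_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host and not _is_internal(host) and host not in offdomain:
            offdomain.append(host)

    # Tell 4: wording that asks the reader to hand over credentials.
    lure = any(word in text for word in LURE_WORDS)

    suspicious = exec_impersonation or (lure and (bool(offdomain) or reply_to_mismatch))
    return {
        "sender_domain": sender_domain,
        "exec_impersonation": exec_impersonation,
        "reply_to_mismatch": reply_to_mismatch,
        "offdomain_links": offdomain,
        "lure_wording": lure,
        "suspicious": suspicious,
    }


# Constructed sample messages; neither is a real email from the incident.
SAMPLE_PHISH = """\
From: Yaron Galai <yaron.galai@example-mail.net>
Reply-To: yaron.galai@example-mail.net
To: staff@example.com
Subject: Please re-validate your corporate login
Content-Type: text/html

<p>Team, IT needs everyone to confirm their account today.</p>
<p><a href="https://example-mail.net/sso/login">Sign in with your username and password</a></p>
"""

SAMPLE_BENIGN = """\
From: Yaron Galai <yaron@example.com>
To: staff@example.com
Subject: All-hands next week

The agenda is at https://intranet.example.com/agenda
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, assess_message(sample))
```

The executive-name check fires on its own because a genuine message from the CEO should never originate outside the corporate domain; the link and Reply-To checks are only treated as suspicious together with credential-lure wording, since newsletters and mailing lists trip them routinely. In a real deployment the name list and domain would come from the directory rather than constants.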
“Once the SEA had those credentials, they could change the content Outbrain published to their customers – [thus] changing the content that is displayed on those websites,” Wysopal said, explaining that the future implications could be significant, especially if the end goal were something malicious rather than spreading a political message.
Outbrain responded by taking its service offline, locking the intruders out, making a public announcement and hardening its security to prevent a repeat. No other services on the media websites appear to have been affected.
Wysopal said third-party organisations must be held accountable and that the media industry and its associates appear to be skimping on security. He said these types of attacks will keep happening if the larger entities that outsource do not work with their partners to set defence standards.
“To prevent these types of attacks from succeeding, organisations should provide security awareness to their staff to help identify and prevent them from falling prey to spear phishing attacks, implement multi-factor and role-based access controls for corporate social networking accounts, enforce a password policy requiring strong passwords and regular password changes, and conduct regular, thorough account access and vulnerability scanning of internet-facing servers, applications and services,” said Scott Hazdra, principal security consultant at security and risk management consulting company Neohapsis.
The SEA has gained notoriety for hijacking Twitter accounts and exploiting vulnerabilities in websites to harvest data. Wysopal said this particular attack was crafty and signals a significant advancement.