This is not the first time Syrian army crackers have hacked Reuters: the Syrian Electronic Army hacked Reuters and left a message saying that anyone who tries to falsify a story about visiting Syria will have their site hacked and its visitors redirected to a page of its choosing.
Earlier today, Reuters was compromised by the Syrian Electronic Army. It isn’t the first time this has happened. Anyone who tried to visit a story about Syria was redirected to a page hosted by the Syrian Electronic Army.
This page was redirected to this page
So, the question is: how did they do it?
News organisations have been repeatedly targeted by the Syrian Electronic Army “for spreading lies about Syria”. The list of organizations that were compromised by SEA phishing attacks is really long. Most organizations did deploy some new security components such as two-step authentication to prevent such attacks from happening.
Reuters itself was not compromised this time. Instead, probably frustrated at not being able to trick Reuters employees with their phishing schemes, they went after a third-party advertising network that dynamically loads code into the Reuters website to display its recommendations. The name of that provider is the New York-based Taboola.
Proof that the Taboola CDN was delivering the redirection
It is still unclear how Taboola was compromised but given SEA’s track record, phishing would be my first guess.
Like many of the previously compromised organizations, Taboola uses Google Apps. The Syrian Electronic Army has repeatedly used its Google phishing templates to trick users into giving up their passwords. The Onion did a (serious) review of how they got tricked; I strongly recommend reading it.
Compromising Taboola is worth significantly more to an attacker than compromising Reuters alone. Taboola has 350 million unique users and has partnerships with the world’s biggest news sites including Yahoo!, the BBC, FoxNews, the New York Times… Any of Taboola’s clients can be compromised anytime now.
What this means for system administrators
If you’re using 3rd party analytics or advertising networks, your website’s security relies on the weakest of those, since any of them is able to take over your website (and potentially steal your users’ data or trick them into installing malware). Websites like Reuters use more than 30 of these services and thus expose a considerable attack surface.
Reuters’s 3rd party providers. Generated with Disconnect.
Preventing such attacks in the future
As a user, you can block advertising and analytics websites by installing a browser extension such as Disconnect. Not only does it protect you from obsessive tracking on the Internet but it also keeps you safer while surfing!
As a system administrator, you have to minimize the number of 3rd party providers you need to trust. Additionally, since phishing seems to be so effective on most non-technical people, you should deploy two-factor authentication. If Taboola’s system administrators had enforced 2-step auth in Google Apps, this would probably not have happened.
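To act on "minimize the number of 3rd party providers", the first step is knowing which outside hosts serve active content into your pages. The sketch below is an added example, not code from the original post: it inventories third-party script and iframe hosts in a page and flags any that are not on an approved list. The sample HTML is constructed and every host name in it is a placeholder.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ACTIVE_TAGS = {"script", "iframe"}  # tags whose src pulls active content in


class ActiveContentParser(HTMLParser):
    """Collect the absolute URL of every script/iframe src in a document."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ACTIVE_TAGS and src:
            # urljoin resolves relative and protocol-relative (//host/x) URLs.
            self.urls.append(urljoin(self.page_url, src.strip()))


def third_party_hosts(html, page_url, site_host):
    """Map each third-party host to the URLs it serves into the page."""
    parser = ActiveContentParser(page_url)
    parser.feed(html)
    found = defaultdict(list)
    for url in parser.urls:
        host = (urlsplit(url).hostname or "").lower()
        first_party = host == site_host or host.endswith("." + site_host)
        if host and not first_party:
            found[host].append(url)
    return dict(found)


def unapproved(found, approved_hosts):
    """Hosts that serve active content but are not on the approved list."""
    return sorted(h for h in found if h not in approved_hosts)


# Constructed sample page; all host names are placeholders.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="//cdn.widgets.example/loader.js"></script>
<script src="https://stats.example.net/t.js" async></script>
</head><body>
<iframe src="https://ads.example.org/frame.html"></iframe>
<script src="https://static.news.example.com/site.js"></script>
</body></html>"""
```

Parsing the served HTML only reveals first-hop includes; anything those scripts load at runtime has to be enumerated from a real browser session.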