The Syrian Electronic Army (SEA) is continuing its campaign of attacking online media sites by way of third-party widgets with an alleged attack this week against ShareThis.com. The SEA is a group with ties to Syrian President Bashar al-Assad and last week was implicated in an attack that redirected traffic from The Washington Post.
Jaeson Schultz, threat research engineer for Cisco's Threat Research and Communications (TRAC) Team, first disclosed the incident Aug. 22, based on an analysis of Domain Name System (DNS) records for ShareThis.com.
ShareThis.com, which did not respond to a request for comment from eWEEK by press time, is a widely used third-party tool that appears on many Websites, enabling users to easily share a given page with social networking tools.
After the data was published on the Cisco Security Blog, more information was released by the Syrian Electronic Army themselves, Schultz told eWEEK.
"This included some screen shots of email conversations in which the administrators of ShareThis.com admit their GoDaddy domain account was compromised," Schultz said.
On Aug. 21, ShareThis.com tweeted that it was experiencing some technical difficulties. At 10:21 a.m. on Aug. 22, ShareThis tweeted that it was back up. Schultz's analysis shows that ShareThis.com's DNS nameserver records were changed with its host GoDaddy.com
From GoDaddy's perspective however, there was no breach. "While we can’t get into specifics on a particular customer account [out of respect for their privacy], I can tell you our systems performed exactly as designed," GoDaddy spokesperson Nick Fuller told eWEEK. "There was no security breach."
So how did the SEA allegedly change the ShareThis.com DNS?
Schultz suspects that this attack most likely occurred as many of the SEA's previous attacks: a successful spear-phishing attack followed by culling valuable data from the compromised inbox. As was the case with The Washington Post issue last week, where a third-party widget from Outbrain redirected users to an SEA site, the same type of redirection was likely occurring with the alleged ShareThis.com incident as well.
"While the possibility exists that something more malicious occurred, we have seen no evidence of anything but simple redirection," Schultz said. "The motivation of the SEA seems to be site defacement rather than end-user compromise."
ShareThis regained control over their GoDaddy account sometime in the morning of Aug. 22, and returned the nameservers for their domain to their proper settings, Schultz said.
"There is no indication that the SEA has access to the ShareThis GoDaddy account any longer," Schultz said. "However, since the SEA had access to an email account at ShareThis.com, then it's possible there are other credentials they found, or even other information they can use in future spear-phishing attacks on ShareThis' business partners."
Site owners can tap steps to mitigate the risk of being a victim of a similar kind of attack. First off, Schultz recommends that site owners make sure they aren't storing sensitive information, such as domain account credentials or other passwords inside email inboxes.
Secondly, he suggests that for any sensitive external accounts (social media, domain registration) site owners should take full advantage of all available security features such as account password reset questions and two-factor authentication.
Schultz also recommends that site owners monitor their Websites for unexpected changes, and monitor their Web statistics for unexpected drops in traffic. Educating employees to not always click on links in email is also a good idea.
"Extra alarm bells ought to go off in your head if a link you click takes you to a page where you are prompted to enter a user name and password," Schultz said. "The only time you should type in your user name and password is when you have entered the URL into the location bar yourself."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.