Third-Party Service Providers Scrutinized After SEA's Reuters Hack
One content provider's lapse in spotting the odd behavior of privileged users allowed the Syrian Electronic Army cyber-propaganda group to deface Reuters.com.As popular cyber-attack targets continue to make progress in locking down access to their networks and data, attackers searching for other ways to compromise their targets have increasingly focused on another weak point—third-party suppliers and contractors. On June 23, hackers from the propaganda group known as the Syrian Electronic Army redirected visitors to some Reuters articles to a defacement page that berated the news organizations for "fake reports and false articles about Syria." The attackers did not breach Reuters network, however, but modified a content widget provided by Taboola, which normally allows media sites to monetize their page views. The SEA fooled one company employee, which the firm refers to as a "user," into giving up their password and then used the access to Taboola's Backstage platform to change the header in the Reuters widget, the company said in an analysis of the attack. "Taboola widget headers are comprised of an HTML snippet, and the attacker used this capability to add an HTML meta refresh tag that redirected users from Reuters to their own site whenever the Taboola widget was loaded there," Adam Singolda, the company's founder and CEO, said in the statement.
An attacker's search for weaknesses among a target's suppliers has become an increasingly common occurrence and a favored tactic of the Syrian Electronic Army. In August 2013, the group used social engineering to gain access to the New York Times' domain registrar, Melbourne IT, and redirect visitors to a defacement page.