The Reuters Website on June 22 was briefly impacted by an attack launched by the Syrian Electronic Army (SEA). The SEA is a Syrian activist group loosely affiliated with the government of Bashar al-Assad and is no stranger to attacking media outlets to get its messages out.
In the attack, the SEA didn’t exploit the reuters.com site directly, but rather by way of a third-party widget delivered by content discovery platform Taboola. Taboola widgets are embedded on reuters.com pages and were redirecting users for one hour, between 7 a.m. 8 a.m. EDT on June 22. In a blog post, Adam Singolda, CEO and founder of Taboola, admitted that though the breach started at 7 a.m., it wasn’t actually detected until 7:25 a.m.
“While we use 2-step authentication, our initial investigation shows the attack was enabled through a phishing mechanism,” Singolda stated. “We immediately changed all access passwords, and will continue to investigate this over the next 24 hours.”
This is particularly troublesome for a number of reasons. In many cases, security experts recommend the use of two-step (or two-factor) authentication as a cure-all for limiting the risk of phishing exploits. With two-factor authentication, a second password (or factor) is required for a user to log in. That means that if an attacker (in this case, the SEA) was able to trick a user into giving up his or her password, they’d still be missing the second factor, which is typically generated through an SMS message or a specific device token.
So either there is a flaw in the two-factor mechanism used by Taboola or there is a way for attackers like the SEA to bypass the second security mechanism. In any event, this incident might serve to place doubt in the minds of security professionals about their assumptions on the security provided by two-factor authentication.
In terms of the SEA, this is just another successful exploit for the group, once again going after a media organization by way of a third-party widget. Back in August 2013, the SEA was able to redirect traffic from The Washington Post due to an exploit of the Outbrain third-party widget for content discovery. The SEA has also taken aim at the ShareThis.com content sharing technology in another widget-based attack methodology. In the past, the SEA has also gone after media outlets directly, including an attack against the Twitter accounts of CNN in January of this year.
All this means is that we know the modus operandi of the SEA at this point. It targets media organizations by way of the weakest link in a phishing attack. The attack on Reuters and its partner Taboola once again proves that widgets can be a risk to content providers, no matter how well they secure the rest of their own infrastructure. The only real solution to the problem is vigilance at all levels of the content delivery stack.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.