Third-Party Service Providers Scrutinized After SEA's Reuters Hack

One content provider's lapse in spotting the odd behavior of privileged users allowed the Syrian Electronic Army cyber-propaganda group to deface

Reuters Hack

As popular cyber-attack targets continue to make progress in locking down access to their networks and data, attackers searching for other ways to compromise their targets have increasingly focused on another weak point—third-party suppliers and contractors.

On June 23, hackers from the propaganda group known as the Syrian Electronic Army redirected visitors to some Reuters articles to a defacement page that berated the news organizations for "fake reports and false articles about Syria." The attackers did not breach Reuters network, however, but modified a content widget provided by Taboola, which normally allows media sites to monetize their page views.

The SEA fooled one company employee, which the firm refers to as a "user," into giving up their password and then used the access to Taboola's Backstage platform to change the header in the Reuters widget, the company said in an analysis of the attack.

"Taboola widget headers are comprised of an HTML snippet, and the attacker used this capability to add an HTML meta refresh tag that redirected users from Reuters to their own site whenever the Taboola widget was loaded there," Adam Singolda, the company's founder and CEO, said in the statement.

An attacker's search for weaknesses among a target's suppliers has become an increasingly common occurrence and a favored tactic of the Syrian Electronic Army. In August 2013, the group used social engineering to gain access to the New York Times' domain registrar, Melbourne IT, and redirect visitors to a defacement page.

The massive credit data breach of retail-giant Target in November and December 2013 was traced back to the compromise of a heating, ventilation and air conditioning (HVAC) provider's network. In addition, almost two-thirds of retail and hospitality breaches were caused by a compromise of a third-party provider, according to incident response firm Trustwave's 2013 Global Security Report.

The dynamic content linkages that are so common on the Web make the problem very difficult to solve, Rahul Kashyap, head of research at security firm Bromium, told eWEEK. Some Websites allow content from dozens of providers, including advertisers, Web metric firms and third-party content aggregators.

"If you look at it from an attacker’s point for view, this is the sweet spot," he said. "If you can hack an advertising network and get an advertisement on CNN's Website, you could potentially compromise hundreds of thousands of people."

Because most security technology is reactive, detecting and blocking malicious attacks through third-party networks does not work very well, Kashyap said. Content suppliers will likely have to start vetting the content served up to their content clients.

Taboola is already deploying additional measures designed to block malicious content, a company spokesperson told eWEEK. In addition to requiring two-factor authentication to access its Backstage content platform, the company removed the ability to enter Web code into widgets from the Backstage editor.

"We've taken steps to improve and will continue to enhance the security of our network to make them less vulnerable to future breaches and all other malicious attacks," the company said in a statement e-mailed to eWEEK.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...