Syrian hacktivists find new way to target Reuters

Syrian hacktivists have found a new way of targeting Reuters, highlighting the need for greater supply chain security

The Syrian Electronic Army (SEA) has found a new way of targeting the Reuters news agency, highlighting the need for greater supply chain and partner security.  

Since May 2011, the hacktivist group, which is loyal to Syrian president Bashar al-Assad, has attacked several media organisations.

In July 2013, the Thomson Reuters Twitter account was suspended for investigation after it was taken over by the SEA, which tweeted links to several political cartoons supporting Assad.

At the time, security analysts said the SEA's success suggested that media firms still had a way to go in protecting themselves from phishing attacks that tricked employees into revealing their Twitter account credentials.

But in the latest attack on Reuters at the weekend, the SEA was able to redirect visitors to its own content, despite enhanced security, by going through a third-party advertising network instead.

The redirection was achieved by compromising New York-based Taboola, which loads code into the Reuters website to display recommended web content, according to security researcher Frederic Jacobs.

“It is still unclear how Taboola was compromised, but given SEA’s track record, phishing would be my first guess,” he wrote in an article posted on

According to Jacobs, compromising Taboola makes the value of the compromise significantly higher than just compromising Reuters.

“Taboola has 350 million unique users and has partnerships with the world’s biggest news sites, including Yahoo, the BBC, Fox News and the New York Times,” he said.

The latest SEA attack could mean any of Taboola’s clients could now be compromised at any time, Jacobs warned.

The Taboola attack highlights the fact that any website's security depends on the weakest of the third-party analytics or advertising networks whose code it loads.

“Any of them is able to take over your website and potentially steal your users’ data or trick them into installing malware,” said Jacobs.

To prevent such attacks, system administrators should minimise the number of third-party providers they need to trust and ensure that two-factor authentication is used for all credentials, he said.
