Wednesday29 March 2023

Syrian Electronic Army Hacks Reuters Ad Widget Redirects Readers

Reading time is around minutes.

Our first bit of news this morning is a piece about the SEA (Syrian Electronic Army) hacking into an ad plug-in (widget) on the Reuters new page that allowed them to redirect readers to new landing pages. Now, while the hack is serious, at the time of this writing it does not appear there was any additional payload pushed out to end users. All that happened was readers looking for news stories were redirected to a new page that slammed western media.

What is interesting about the hack is that the simple compromise of an ad service (Taboola) was able to inflict this damage. At no time was the actual Reuters page changed. Taboola the ad agency in question admitted that they were responsible for the issue and also stated that they were able to clean up the issue in about 35 minutes once detected. The total time of the hack was about an hour.

Now to make things even more interesting Taboola claims they use two factor authentication, but still fell victim due to a phishing scam. This means that the SEA was able to get through the mainline defenses by compromising someone on the inside with access to what they wanted.

This brings into question just how secure are the companies that manage the ads on sites. This is not the first time we have seen malicious code in an ad module affect readers. Fortunately this time it was a simple redirect and not the spread of malware. If the SEA had a much more malicious intent in mind they could have affected a large number of systems by dropping the code onto anyone that happens by (an hour is a long time).

As of this writing Taboola says they have fixed the entry vector and restored the ad module to proper working order. They have yet to respond to claims that the SEA has hacked into their PayPal account.

Tell us what you think in our Forum

Last modified on Tuesday, 24 June 2014 06:40

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.