How Reuters got compromised by the Syrian Electronic Army

Hint: It isn’t actually Reuters’ fault

Earlier today, Reuters was compromised by the Syrian Electronic Army. It isn’t the first time that occurs. Anyone who would try to visit a story about Syria, would be redirected to a page hosted by the Syrian Electronic Army.

This page

was redirected to this page

So, the question is? How did they do it?

News organisations have been repeatedly targeted by the Syrian Electronic Army “for spreading lies about Syria”. The list of organizations that were compromised by SEA phishing attacks is really long. Most organizations did deploy some new security components such as two-step authentication to prevent such attacks from happening.

Reuters was not compromised this time. Instead, probably frustrated of not being able to trick Reuters employees into their phishing schemes, they went after a third-party advertising network that dynamically loads code into the Reuters website to display their recommendations. The name of that provider is the New York-based Taboola.

Proof that the Taboola CDN was delivering the redirection

It is still unclear how Taboola was compromised but given SEA’s track record, phishing would be my first guess.

As many of the previously compromised organizations, Taboola uses Google Apps. The Syrian Electronic Army has repeatedly used their Google phishing templates to trick users into giving up their passwords. The Onion did a (serious) review of how they got tricked, I strongly recommend you to read it.

By compromising Taboola, the value of the compromise is significantly higher than just compromising Reuters. Taboola has 350 million unique users and has partnerships with world’s biggest news sites including Yahoo!, the BBC, FoxNews, the New York Times… Any of Taboola’s clients can be compromised anytime now.

What this means for system administrators

If you’re using 3rd party analytics or advertising networks, your website’s security relies on the weakest of those since any of them is able to take over your website (and potentially steal your user’s data or trick them into installing malware). Websites like Reuters use more than 30 of these services and thus expose a considerable attack surface.

Reuters’s 3rd party providers. Generated with Disconnect.

Preventing such attacks in the future

As a user, you can block advertising and analytics websites by installing a browser extension such as Disconnect. Not only does it protect you from obsessive tracking on the Internet but it also keeps you safer while surfing!

As a system administrator, you have to minimize the number of 3rd party providers you need to trust. Additionally, since phishing seems to be so effective on most non-technical people, you should deploy two-factor authentication. If Taboola’s system administration had enforced 2-step auth in Google Apps, it would probably not have happened.

Update 1:

The Syrian Electronic Army now tweeted a picture showing the balance on Taboola’s PayPal account. The fact that Taboola’s founder is Israeli with experience in the army might have been a deciding factor for the Syrian Electronic army to go after them. They previously targeted Viber whose CEO and founder, Talmon Marco, used to be Chief Information Officer for the Israeli Defense Forces Central Command.

Update 2:

Taboola issued an official statement acknowledging they got compromised by the Syrian Electronic army and confirmed my guess that SEA used a phishing mechanism to get Taboola credentials.

Today, between 7AM — 8AM EDT, an organization called the “Syrian Electronic Army” hacked Taboola’s widget on
The intruder was redirecting users that accessed article pages on to a different landing page.
The breach was detected at approximately 7:25am, and fully-removed at 8am. There is no further suspicious activity across our network since, and the total duration of the event was 60 minutes.
While we use 2-step authentication, our initial investigation shows the attack was enabled through a phishing mechanism. We immediately changed all access passwords, and will continue to investigate this over the next 24 hours.

Does this mean that the Syrian Electronic Army now has a trick to bypass two-step authentication? I doubt so.