- Apr 25, 2013
The SEA is claiming to have hacked a number of sites, but evidence points to an ad network at the heart of the attacks
The websites of the Independent, the Daily Telegraph, OK magazine, the London Evening Standard and America’s National Hockey League have been “hacked” by the Syrian Electronic Army, the pro-Assad Syrian hacker group.
A portion of visitors to all those sites are presented with a blank screen and a JavaScript popup telling them “you have been hacked by the Syrian Electronic Army”. The group apparently exploited a fault with a content delivery network (CDN).
Blame fell on the ad network due to the sporadic nature of the outages, which are difficult to replicate and spread over a number of sites.
Such symptoms are common for attacks delivered through an ad or content delivery network, which serves third-party code across a number of websites.
Independent and Telegraph affected
The Independent says that the hack came through the Gigya CDN it uses, writing that “hackers redirected some users to their site or to display their messages, by exploiting the DNS entry – which translates URLs such as independent.co.uk into directions to the site – at GoDaddy, the site’s domain registrar”.
The Telegraph referred the Guardian to two tweets in which it said that “a part of our website run by a third-party was compromised earlier today. We’ve removed the component. No Telegraph user data was affected. Thanks to those who’ve flagged it.”
Ernest Hilbert, a security consultant at Kroll Cyber, agrees that “it was Gigya. It is a DNS takeover, and this is what the Syrian Electronic Army does. Normally, you type in a URL, it goes to a domain name server, and it says ‘those words equal this website’.
“But not every user can get in through one connection, particularly at bigger sites. A CDN means that, because you can’t all fit in through the same door, it sends you to another one, another version of the content. And one of those versions, which hosts copies of all these affected sites, appears to have been compromised by the Syrian Electronic Army.”