BreachExchange mailing list archives

How Hacktivists Have Targeted Major Media Outlets


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 23 Aug 2013 01:26:23 -0600

http://www.darkreading.com/advanced-threats/media-increasingly-targeted-as-hacktivis/240160285

Global conflicts have increasingly led tech-savvy protesters and
loyalists to express their views online by hacking, and while many
groups have focused on attempting to damage or deface government
websites, others have focused on getting the word out by attacking the
media.

In the latest attacks, the Syrian Electronic Army (SEA), a group that
supports Syrian President Bashar al-Assad, compromised third-party
link network Outbrain, allowing the group to change some of the
third-party content on at least four major news sites, including The
Washington Post, Time, and CNN. Like other hacktivists, the SEA is
looking to get their message out and media sites have the biggest
payoff, says Jason Lancaster, senior intelligence analyst with HP
Security Research.

"They are going after media, because they want to propagate their
message," Lancaster says. "When they attack media organizations, even
if they are not successful, their message is, in a way, still being
propagated."

The attacks are not the first time the political hackers have taken a
stand against media firms. In 2001, the Honkers Union of China defaced
a number of sites, including news organization United Press
International, protesting a collision between a U.S. spy plane and a
Chinese fighter jet that resulted in the death of the pilot, Wang Wei.
Last year, hackers claiming a link to Anonymous defaced and attacked
websites in China to protest the country's censorship policies.

In the last three months, the Syrian Electronic Army has compromised
numerous Twitter accounts, including those used by major news
services, such as the Associated Press, Agence France-Presse (AFP) and
Reuters. In addition, the group has hacked a variety of other news
organizations, reportedly including National Public Radio (NPR), the
British Broadcasting Corp. (BBC), and Al Jazeera.

First coming to light in 2011, the Syrian Electronic Army has not been
positively linked to the Assad regime, but has taken a pro-Assad
stance and criticized Western media for "fabricated and false news"
about what is happening in Syria, according to Hewlett-Packard's
analysis of the group.

The SEA has apparently refrained from attacking for financial gain,
and instead focuses on gaining access to specific sites and posting
fictitious stories supporting their agenda, says Scott Hazdra,
principal security consultant for Neohapsis.

"Their mission is to post messages, deface a site, and cause
disruption in such a way so that there is reporting on what they have
done," Hazdra says. "That will draw attention to their agenda."

Phishing the media

In most cases, the hacktivists have used straightforward phishing
techniques, sending tailored e-mail messages to a small number of
media employees.

In the case of the hack of satirical news site The Onion, the e-mail
read: "Dear The Onion Journalists: Please read the following article
for its importance: [link] Thanks & Regards." The link in the e-mail
message led to a malicious site that requested the user's Google Apps
credentials before redirecting them to their Gmail account.

"Leveraging relatively simple methods like phishing isn't new, but it
is fairly prevalent," says Ted Ross, director of field intelligence
for HP Security Research. "It is still pretty easy to target and get
an assistant or non-technical staff to click on a link and then get
their credentials."

The same scenario played out in the hack of third-party online
services Social Flow and Outbrain. Phishing e-mails landed in the
inboxes of a number of employees of Social Flow, which helps companies
manage social media campaigns. While in-house employees were quickly
warned of the threat, the alert was slow in getting out to remote
workers, the company stated in a post-mortem on the incident.

"Unfortunately, an employee working outside the office clicked on the
link and entered an email address and password," Social Flow stated on
its blog. "That person had publishing access to our Twitter account,
Facebook account, and website."

Similarly, Reuters, Associated Press, and Outbrain have all blamed
phishing campaigns for the compromise of their systems and accounts.
Outbrain fingered a message that appeared to come from the CEO, while
an AP employee said that "some of us received an impressively
disguised phishing email."

Fewer third parties, more education

The breaches have demonstrated that many of the third-party widgets,
plugins, and Web services used by media companies come with inherent
risks. Publishers' pages are a mashup of a variety of third-party
content, making the security of any displayed page reliant on the
weakest link in the Web supply chain, says Chris Wysopal, chief
technology officer of Veracode, an application-security firm.

"These websites pull ads and widgets from all over the place," he
says. "People have no idea where all this data is coming from. I don't
think a lot of people have thought about this threat model."

Veracode itself analyzed the risks when considering a third-party
widget to allow users to easily post content from Veracode sites to
their Twitter feeds, Facebook walls, and other social-media sites. The
company's analysis found that the software service communicated with a
wide variety of destinations, including sites in Russia, he says.

"We said, 'Wait a minute, what is this component doing?' It was
pulling code from a bunch of other sites," he says. "We decided that
we couldn't know what was going on, and so we created the
functionality ourselves."

Triaging the threat from third-party widgets is not enough. Companies
also have to minimize their attack surface area, and a large source of
exposure is uneducated employees willing to click on phishing links.
While attackers will generally be able to craft a message to fool just
about anyone, companies should raise the bar by teaching employees not
to click on links from unknown sources, says Neohapsis's Hazdra.

"Every organization is vulnerable to spearphishing attacks, because
even people who are trained can get tricked," he says. "But there are
a wide variety of controls that can make it harder for the attacker
and minimize damage when they succeed."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
