Syrian Hackers Subvert Ad Network

Domain Registrar Hack Blocks Sites, Serves SEA Boast
The Syrian Electronic Army hacking group has claimed credit for hacking into an advertising network used by numerous websites, including many media outlets. As a result, some people browsing the affected sites reportedly saw only a blank screen and a JavaScript pop-up message that read: "You've been hacked by the Syrian Electronic Army (SEA)."

The website outages and defacements reportedly affected more than 80 sites, ranging from Betty Crocker, Dell and Ferrari to National Geographic, the U.S. National Hockey League and Verizon Wireless. A number of media outlets also confirmed that their sites had been disrupted, including the New York Daily News, the Canadian Broadcasting Network, CNBC, and the UK's Daily Telegraph, Evening Standard and Independent, among other sites around the world.

A Twitter account that appears to be operated by the SEA - and which in the past has been a reliable source of information about the group - later claimed credit for the Nov. 27 attacks. "Happy thanks giving, hope you didn't miss us! The press: Please don't pretend #ISIS are civilians. #SEA," it said, in apparent reference to the Islamic State of Iraq and the Levant. The account also released a picture of what appeared to be the GoDaddy control panel for Gigya.com.

After the SEA's hacking message began appearing on websites - though only sporadically, and only in some geographies - and before the SEA's claim of responsibility appeared on Twitter, information security experts had already traced the attack to Gigya, an advertising network that was being used by all of the affected sites.

Gigya CEO Patrick Salyer confirmed those reports, saying hackers appeared to have subverted Gigya's advertising network by first hacking into its domain registrar, GoDaddy. Attackers apparently then altered the Gigya site's DNS settings, redirecting the content delivery network Gigya provides to customers "to a server controlled by the hackers, where they served a file called 'socialize.js' with an alert claiming that the site had been hacked by the Syrian Electronic Army," Salyer says, referring to the JavaScript file.

GoDaddy tells Information Security Media Group that the attacker appears to have first compromised the Gigya email account that was registered with GoDaddy. "The attacker then used our standard password reset process to gain GoDaddy account access and made DNS changes," says GoDaddy chief information security officer Todd Redfoot. "We have since assisted the customer in regaining account access and reversing the DNS changes."

Gigya says that beyond the denial-of-service condition that attackers created, and the related website defacement, no other data or functionality was compromised. "To be absolutely clear: neither Gigya's platform itself nor any user, administrator or operational data has been compromised and was never at risk of being compromised," says Salyer. "Rather, the attack only served other JavaScript files instead of those served by Gigya."

Salyer says the attack was detected at 6:45 a.m. Eastern Time, and the company's "whois" record was fixed by 7:40 a.m. Eastern Time. But given the nature of DNS servers - changes often take time to propagate - the fix didn't immediately take effect. "Gigya has the highest levels of security around our service and user data. We have put additional measures in place to protect against this type of attack in the future," Salyer says.

The company didn't immediately respond to a request for comment about what those information security improvements might be. But multiple information security experts have suggested that the company was likely failing to employ two-factor authentication to restrict access to its GoDaddy account, which is a feature that the domain registrar offers. Using two-factor authentication would have made it much more difficult for attackers to access Gigya's GoDaddy account and alter its DNS settings.
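The attack chain described above - registrar account taken over through a password reset, DNS records changed, the third-party script host pointed at a server the attackers controlled, and the change visible only in some regions while DNS propagated - suggests two checks a site operator that embeds such a script could run on its own side. The following is an added example, not code from Gigya, GoDaddy or the article's author: it compares the A records observed for the script host from several vantage points against an expected set, and compares the SHA-256 of the script body actually served against a known-good hash. Every hostname, IP address, vantage point and script body is constructed sample data.

```python
"""Detect DNS drift and tampered third-party script content.

Added example (not Gigya's, GoDaddy's or the article author's code). All
hostnames, IP addresses and script bodies below are constructed.
"""
import hashlib

# Constructed: addresses the operator expects the third-party script host to
# resolve to (for example, the addresses of the provider's CDN).
EXPECTED_A = {"cdn.example-thirdparty.test": {"198.51.100.10", "198.51.100.11"}}

# Constructed: resolutions observed from resolvers in different regions. A DNS
# change propagates unevenly, so some regions may still see the old records
# while others already see the attacker's.
OBSERVED = [
    {"vantage": "us-east", "host": "cdn.example-thirdparty.test", "a": {"198.51.100.10"}},
    {"vantage": "eu-west", "host": "cdn.example-thirdparty.test", "a": {"203.0.113.66"}},
    {"vantage": "ap-south", "host": "cdn.example-thirdparty.test", "a": {"198.51.100.11"}},
]

# Constructed: the script body the operator has vetted, and its hash baseline.
KNOWN_GOOD_SCRIPT = b"window.thirdparty = {ready: true};\n"
KNOWN_GOOD_SHA256 = hashlib.sha256(KNOWN_GOOD_SCRIPT).hexdigest()

# Constructed: script body fetched from each address a vantage point resolved.
FETCHED = {
    "198.51.100.10": KNOWN_GOOD_SCRIPT,
    "198.51.100.11": KNOWN_GOOD_SCRIPT,
    "203.0.113.66": b"alert('defaced');\n",
}


def dns_drift(expected, observed):
    """Return one finding per vantage point whose A records include an address
    outside the expected set for that host."""
    findings = []
    for obs in observed:
        unexpected = obs["a"] - expected.get(obs["host"], set())
        if unexpected:
            findings.append({"vantage": obs["vantage"], "host": obs["host"],
                             "unexpected": sorted(unexpected)})
    return findings


def script_integrity(fetched, known_good_sha256):
    """Return the addresses that served a script whose SHA-256 differs from
    the known-good baseline, sorted for stable output."""
    return sorted(addr for addr, body in fetched.items()
                  if hashlib.sha256(body).hexdigest() != known_good_sha256)


def run_checks(expected=EXPECTED_A, observed=OBSERVED, fetched=FETCHED,
               known_good_sha256=KNOWN_GOOD_SHA256):
    """Combine both checks into one severity: DNS drift alone is an alert,
    drift whose new address also serves tampered content is the strongest
    signal, and tampered content without drift still warrants a look."""
    drift = dns_drift(expected, observed)
    tampered = script_integrity(fetched, known_good_sha256)
    drifted_addrs = {a for f in drift for a in f["unexpected"]}
    if drift and drifted_addrs & set(tampered):
        severity = "dns-drift+content-tampered"
    elif drift:
        severity = "dns-drift"
    elif tampered:
        severity = "content-tampered"
    else:
        severity = "ok"
    return {"severity": severity, "drift": drift, "tampered": tampered}


if __name__ == "__main__":
    print(run_checks())
```

Two caveats apply in practice. The hash baseline must be refreshed whenever the provider legitimately updates the script, or the check will alert on every routine release; and a provider whose CDN rotates addresses needs the expected set derived from its authoritative name servers rather than a fixed list, otherwise the drift check produces false alarms. Neither check replaces the registrar-side control the experts quoted above point to, two-factor authentication on the registrar account, but both shorten the window in which a hijacked script is served unnoticed.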

Syrian Hackers

This is far from the first attack that's been tied to the SEA, which is a hacking collective that backs - and may be sponsored by - President Bashar al-Assad of Syria. Since early in 2011, Syria has been fighting a bloody civil war in which nearly 200,000 people have reportedly been killed and millions left homeless. The SEA has previously hacked a number of websites and Twitter accounts, often focusing on news outlets - ranging from the BBC and National Public Radio to Reuters and mock news site the Onion - to protest coverage of Assad that it finds unfavorable.

The group's best-known attack to date was arguably its April 2013 hack of the Twitter feed for the Associated Press, and its issuing the following fake post: "Breaking: Two Explosions in the White House and Barack Obama is injured." That tweet, which was quickly recanted by the AP, caused the Dow Jones Industrial Average to plunge 145 points, temporarily erasing $200 billion in value.

SEA Regularly Targets DNS

Gigya isn't the first organization that had its DNS settings forcibly altered by the SEA. In 2013, the group launched a similar attack against both Twitter and The New York Times. While Twitter quickly recovered, the Times website remained unreachable - from some parts of the world - for more than 48 hours following the attack.

"Sadly, attacks of this nature are commonplace, and SEA has chosen the holidays in previous years to step up its activities - so be prepared with your response plan and recovery procedures," says Russ McRee, director of threat intelligence and engineering at Microsoft, in a blog post for the SANS Institute's Internet Storm Center.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
