The Syrian Electronic Army (SEA) has followed up last week’s attacks on The Sunday Times by successfully if briefly hijacking content embedded by the Taboola ad network on Reuters’ news website.
According to an admission by Taboola, the SEA breached its defences after a phishing attack that found a way around the firm’s two-factor authentication security. This allowed the attackers to change links embedded on Reuters news pages to a site hosting its own message.
"Stop publishing fake reports and false articles about Syria!,” read the message, identical in fact to the one posted on defaced The Sunday Times and The Sun newspaper websites only days ago.
“The breach was detected at approximately 7:25am, and fully-removed at 8am. There is no further suspicious activity across our network since, and the total duration of the event was 60 minutes,” countered Taboola.
The site had now changed all its passwords, the message said.
Although attacks like this grab attention it appears that defenders are now reacting far quicker to successful compromises. In 2013, it would be hours before sites returned to normal, now it is more likely to be under an hour or even minutes; the newspaper attack was taken down in only 20 minutes for instance.
What is also clear is that faced with better-secured websites, the SEA is going after third-parties associated with those sites that might or might in some cases not have the same level of defences.
This has been a tactic for a while. A good example was the attack earlier this year on domain management firm MarkMonitor that also targeted Reuters.
The most infamous example was the successful hack of Melbourne IT in August 2013 that allowed the SEA to change the domain entries for domains includingnytimes.com, huffingtonpost.co.uk, and twitter.co.uk. That attack single-handedly boosted the fortunes of domain protection companies the world over.