Major Media Sites Hacked Through Vendor Outbrain
CNN, The Washington Post, Time magazine and others target of Syrian Electronic Army (SEA)
On Thursday, the Syrian Electronic Army reportedly hacked into Outbrain, a content recommendation company that is used by scores of major media outlets across the web. As a result, the hackers were able to redirect some stories on the websites of the Washington Post, CNN, Time Magazine and others to their own.
The two-arm attack was possible via the popular third-party content provider Outbrain combined with phishing emails to targets at the media outlets.
Outbrain is a service that provides publishers with recommended content from their own site and from other network publishers. Its clients include USA Today, CNN, The Washington Post and Time. By infiltrating Outbrain’s main dashboard, the SEA was also able to target the websites of its clients, including CNN and The Washington Post.
To Outbrain’s credit, they kept their customers well informed throughout the issue identification and resolution process, as detailed on the Outbrain website:
August 15, 2013
We have fully secured the network and resumed service. If you have additional questions about the incident, please do not hesitate to contact us. Any additional updates will be posted here.
In addition, we will be compiling a fuller brief on the episode to share with anyone who would like more information. If you want to receive the brief, please email [email protected]
We apologize for the inconvenience.
We have now secured the Outbrain network verifying the integrity of our code and blocking all external access to our systems. We have also restored system settings to their state prior to the attack.
We expect to resume service in the next few hours. We will let you know when the service is fully restored.
Thank you for your patience.
Earlier today, Outbrain was the victim of a social engineering attack by the Syrian Electronic Army. Below is a description of how the attack unfolded to help others protect against similar attempts. Updates will continue to be posted to this blog.
On the evening of August 14th, a phishing email was sent to all employees at Outbrain purporting to be from Outbrain’s CEO. It led to a page asking Outbrain employees to input their credentials to see the information. Once an employee had revealed their information, the hackers were able to infiltrate our email systems and identify other credentials for accessing some of our internal systems.
At 10:23am EST SEA took responsibility for the hack of a specified news organization, changing a setting through Outbrain’s admin console to label Outbrain recommendations as “Hacked by SEA.”
At 10:34am Outbrain internal staff became aware of the breach.
By 10:40am Outbrain network operations began investigating and decided to shut down all serving systems, degrade gracefully and block all external access to the system.
By 11:03am Outbrain finished turning off its service from all sites where we operate.
We are continuing to review all systems before re-initiating service.
We are aware that Outbrain was attacked earlier today and we took down service as soon as it was apparent. The breach now seems to be secured and the hackers blocked out, but we are keeping the service down for a little longer until we can be sure it’s safe to turn it back on securely. Please stay tuned here or to our Twitter feed for updates.
As detailed on Mashable: “In an email to Mashable, Washington Post managing editor Emilio Garcia-Ruiz said that the SEA “claimed they gained access to elements of our site by hacking one of our business partners, Outbrain.”
The SEA was also targeting Washington Post employees using email-based phishing attacks that have become the group’s modus operandi. In this case, however, it looks like the SEA was able to insert code into the Outbrain widget served on The Washington Post website that redirected to a different webpage.”
A few days ago, Post newsroom employees were targets of a phishing attack that was allegedly by the Syrian Electronic Army, Garcia-Ruiz said. “The attack resulted in one staff writer’s personal account being used to send out a Syrian Electronic Army message,” he said.
“The security of a vendor plug-in that appeared on CNNi.com was briefly compromised today. The issue was quickly identified and (the) plug-in disabled,” said CNN spokesman Matt Dornic.
In a statement, Time Inc. said “content provided by Outbrain that appeared on some of our sites was impacted by the hacking activity at Outbrain. We’re no longer running that content.”
The hacker said that Outbrain’s admin panel is hosted on a local server. However, they managed to log in to and access the panel with the help of a VPN.
As always, at Firestorm, we know that due diligence is imperative. While written policies are important, training on those policies to keep employees up to date on new vulnerabilities and types of attacks is critical. Training once or twice a year is not enough, and new employees may miss a session window. Including even ten minutes in a weekly meeting to update employees on vulnerabilities and threats allows due diligence to become a part of the corporate culture.
- Use caution when clicking links in emails, opening attachments, or responding with private information.
- NEVER provide user names, passwords, account numbers, tax id numbers, social security numbers, or other private information in response to an email request or enter information into a browser window that you did not type in yourself.
- Always use independent verification to check the authenticity of the email, before opening attachments or clicking links.
- If an email suggests a required action online, sign on by using a trusted browser bookmark/favorite, rather than a link provided in an email.
- If you need to place a phone call to check validity, use a number you trust rather than a number provided in an email.
90% of people are fooled by a well-constructed “phishing” email. Be aware that an email that looks entirely reputable may be designed that way by a fraudster. The email may appear to be official but is actually an attempt to spread a computer virus or collect data. Criminals often send mass emails in hopes of tricking people into sharing confidential information. It is not enough that an email is from an address you recognize.
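The phishing email in this incident purported to come from the CEO, and a familiar sender name or address is not proof of origin. The following Python check is an added example, not code from Outbrain or Firestorm: it inspects the headers of an inbound message for the usual signs of executive impersonation. The domain `example.com`, the executive name "Jane Doe", the sample messages, and the assumption that the receiving mail gateway stamps an `Authentication-Results` header are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions (constructed): the organisation's mail domain and the
# executive names an attacker is likely to borrow.
INTERNAL_DOMAINS = {"example.com"}
PROTECTED_NAMES = {"jane doe"}

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def impersonation_flags(raw):
    """Return the reasons an inbound message looks like executive impersonation."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    flags = []
    # Display name borrows an executive's name but the address is external.
    if " ".join(name.lower().split()) in PROTECTED_NAMES and from_domain not in INTERNAL_DOMAINS:
        flags.append("executive display name on external address")
    # Address claims an internal domain, but the gateway did not record a DMARC pass.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if from_domain in INTERNAL_DOMAINS and "dmarc=pass" not in auth:
        flags.append("internal From domain without DMARC pass")
    # Replies are steered to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        flags.append("Reply-To domain differs from From domain")
    return flags

# Constructed sample messages (not taken from the incident).
SPOOFED_DISPLAY = (
    "From: Jane Doe <jane.doe@example.net>\n"
    "Authentication-Results: mx.example.com; dmarc=pass header.from=example.net\n"
    "Subject: Please review\n\nSee the linked page.\n")
SPOOFED_DOMAIN = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Reply-To: jane.doe@example.org\n"
    "Authentication-Results: mx.example.com; spf=fail; dmarc=fail header.from=example.com\n"
    "Subject: Please review\n\nSee the linked page.\n")
LEGIT = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Authentication-Results: mx.example.com; dmarc=pass header.from=example.com\n"
    "Subject: Weekly update\n\nNotes attached.\n")

if __name__ == "__main__":
    for label, raw in [("display", SPOOFED_DISPLAY), ("domain", SPOOFED_DOMAIN), ("legit", LEGIT)]:
        print(label, impersonation_flags(raw))
```

A message that raises any flag is a candidate for quarantine or a warning banner; an empty list means only that these three checks passed, not that the message is safe.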
Outbrain Tech Blog: http://techblog.outbrain.com/2013/08/update-outbrain-security-breach/