A hacker group briefly took control of portions of the Washington Post, Time and CNN websites on Thursday after breaking into an article recommendation service used by the news outlets.
The Syrian Electronic Army took credit for the breach, with one member telling the Daily Beast that its ongoing assault on news websites is part of a campaign to call out Twitter for repeatedly shutting down the army’s account. The member said the group has opened up its 16th Twitter account.
The SEA posted screen shots showing that it had entered an administration portal for Outbrain, an article recommendation service that sends visitors to websites by recommending their content at the bottom of online articles of big publishers such as the Post. In this case, the hackers inserted links to a SEA website at the bottom of the articles, which caused some people to be redirected to the SEA page.
Outbrain, which confirmed it was hacked, said its service was now secure but was shut down for further investigation.
The hack is the second this week for the Post, which is being acquired by Amazon.com founder Jeff Bezos. The Post said the Syrian Electronic Army sent an email to a columnist that appeared to be coming from a fellow employee. But it was fraudulent, and when it was opened by the columnist it installed software on the columnist’s computer that allowed the SEA to see his Twitter login information. They then logged in and posted a tweet from the account.
On Tuesday, the SEA said it hacked the New York Post’s Facebook account and some of its reporters’ Twitter accounts. The Associated Press, BBC and other news outlets have been past victims. In most of those attacks, phishing emails were the route into the outlets’ networks.
“Once someone decides they want to target you and use you to get access, it’s no longer easy to defend against,” said Roger Thornton, chief technology officer of the cybersecurity firm AlienVault.
He recounted a phishing attack in which he was the target. Someone had sent him an email that appeared to originate from a federal court in San Diego.
“It was well constructed to look like our company was being sued -- why wouldn’t you open that,” he said. “There’s always going to be a way to hijack your attention no matter how smart you are.”
Once a user clicks a link in a malicious email, or sometimes just even opens it, a package of files is secretly downloaded that typically exploits holes in out-of-date software. Using those holes, hackers can leave behind a set of code. They then can issue commands via the Internet, through hidden chats, images on hacked websites or even social media posts that run that code to monitor keystrokes or steal information, for example.
Thornton said the tactic of using Outbrain to tamper with websites shows the ongoing cat-and-mouse game between hackers and defenders.
“Once they’ve revealed their techniques and they’ve established a way of doing things, you can find a specific solution to thwart that,” he said. “But then they’ll innovate and find a more clever way of doing things.”
Outbrain, however, said it was hacked initially by a phishing email late Wednesday. It appeared to be from Outbrain’s chief executive and lured employees into entering login credentials.
While the iPhone makes it hard to install malicious apps by limiting installations in general, traditional computers are much more open-system. Until that changes, Thornton said to expect more of these cyberattacks.