Hackers from the Syrian Electronic Army have simultaneously targeted several news sites by breaching a single supplier.
The activists managed to hack the websites of CNN, Time and the Washington Post on yesterday by breaching Outbrain, a firm which publishes content recommendations on those sites.
That resulted in some WashingtonPost.com and Time.com customers being redirected to the website of the Syrian Electronic Army when they clicked on the content from Outbrain, said Outbrain Vice President Lisa LaCour. The CNN International site briefly displayed a headline that said "Hacked by SEA," she said.
The latest attack by the group, which supports Syrian President Bashar al-Assad and has been linked to several high profile attacks, was significant because of the targeting of a supplier whose content is published on multiple platforms.
In previous campaigns linked to the Syrian Electronic Army, hackers have breached networks using similar tactics. But in those cases emails were sent to employees of a single specific media outlet they were targeting, which made preparations for the attacks more labour intensive.
Outbrain, which posts content on a large number of prominent news sites, took down its entire network at about 11am EDT (3pm GMT) yesterday, before the hackers could do any more damage, LaCour said.
Outbrain said the hackers got in after sending a phishing email to all company employees on Wednesday that purported to be from the CEO. An employee provided login credentials in response to that email and then the hackers were able to get other credentials for accessing internal systems, the company said.
Chris Wysopal, chief technology officer for software security firm Veracode, said he believes that hackers will increasingly choose to go after third-party providers because their security is likely to be more lax than that of their customers.
"As the Internet becomes more interconnected, this risk is going to increase," he said
Bill Walker, technical director and cyber security specialist from QA, said: “A lock is only as strong as the individual holding the key. We can all employ the toughest firewalls and web filters but in the end it comes down to use as individuals.
“All businesses have a responsibility to enforce clear training around password and cyber security. They must be extra vigilant in order to protect their reputation and maintain their customers trust.”
He added: “It sounds obvious, but individuals and organisations continually get breached from such a basic and fundamental lack of control.”