
How the Washington Post was hijacked by the Syrian Electronic Army (again)

Graham CLULEY

May 15, 2015


The Syrian Electronic Army appears to have successfully scalped another high-profile media outlet, briefly hijacking the mobile version of the Washington Post website to display pop-up messages claiming that the media is not telling the truth.


For a period of approximately 30 minutes, visitors to m.washingtonpost.com found they were greeted not by the latest news, but by alert boxes saying:

“You’ve been hacked by the Syrian Electronic Army”

“US govt is training the terrorists to kill more Syrians”

“Saudi Arabia and its allies are killing hundreds of Yemens [sic] people every day!”

“The media is always lying”


All fairly standard fare for the notorious Syrian Electronic Army (SEA), who have previously targeted many media outlets including Reuters.

It’s not even the first time that the SEA has attacked the Washington Post. In August 2013 the hacking group successfully redirected readers attempting to read Washington Post articles to the pro-Assad SEA’s website instead.

On that occasion, the hackers managed to compromise the internal email system of Outbrain, a company which provides those “You might also like” content recommendations at the end of articles, and access admin panels to send people browsing news stories on CNN, Time magazine, and the Washington Post to the SEA’s own site instead.

In this latest incident, as Motherboard reports, the hackers claim that they broke into systems belonging to Instart Logic, the content delivery network (CDN) used by the Washington Post:

“We hacked InStart CDN service, and we were working on hacking the main site of Washington Post, but they took down the control panel. We just wanted to deliver a message on several media sites like Washington Post, US News and others, but we didn’t have time :P.”

Chances are that Instart Logic was itself hacked through a combination of phishing and social engineering, the elementary but effective tricks most commonly used by the Syrian Electronic Army to break into systems and steal passwords.

In short, the Washington Post's own systems were not hacked, but those of one of their technology providers were.

The public impact, however, is the same. As far as visiting readers were concerned, they visited the newspaper's website from their mobile phone and saw unauthorised comment claiming that the site had been hacked. That, clearly, is not good for a newspaper brand's image.

Washington Post chief information officer Shailesh Prakash confirmed the security breach, and reassured readers that no data had been stolen and that the situation was now under control:

“The Washington Post's mobile homepage and some section fronts on the mobile site were redirected to a site that claimed to be run by the Syrian Electronic Army. The situation has been resolved and no customer information was impacted.”

The message is clear. Not only do you need your own systems to be hardened against malicious hackers, you also need to ensure that your third-party suppliers are taking security seriously. Otherwise, it could be your company's name that is appearing in the hacking headlines.
