Syrian Electronic Army 'hack' impacts websites worldwide
Posted November 27, 2014
Raleigh, N.C. — A Thanksgiving morning hack by the group calling itself the Syrian Electronic Army blocked access for several hours to hundreds of sites across the globe, including WRAL News.
Technology experts say no user data was exposed, but visitors to affected sites saw a pop-up message attributing the hack to the SEA, which redirected automatically to an image of the group's logo.
The problem originated not from the websites themselves but from a widely used service called Gigya, which allows sites to integrate user logins from services like Google and Facebook. On Twitter Thursday, the hacker group posted an image of Gigya's domain details claiming credit for the exploit.
Gigya is employed by more than 700 websites, including retailers and news organizations, and the hack reportedly affected large, international media organizations like Forbes, The Guardian and others.
In a message to users around 9:30 a.m., Gigya officials said they resolved the issue after identifying the origin of the exploit as a breach of their domain registrar, GoDaddy.com, around 6:45 a.m. After breaking in, it appears the SEA changed settings for Gigya's domain name service, which routes users to correct locations online.
"It's sort of like a telephone directory," said Jeff Crume, a Raleigh-based IT security architect and author of Inside Internet Security: What Hackers Don't Want You to Know. "You look up a name and it tells you a number."
The altered DNS settings allowed the group to reroute users to the SEA logo through the embedded Gigya code loaded into hundreds of sites worldwide.
WRAL News was also affected by the hack, which was discovered on the site around 8 a.m.
"For less than two hours this morning, some visitors to WRAL.com received either a popup message that the site had been hacked by the SEA or were redirected to a site with the SEA seal," said WRAL.com General Manager John Conway. "We worked quickly to diagnose the issue and disable the Gigya sharing service that made us vulnerable."
Conway said the hack apparently did not expose visitors who saw the message to any files that would harm their computers, tablets or smartphones.
But it could have been much worse if the attackers had chosen to redirect users to a site that downloaded malware. At this point, Crume said, he considers it "a bullet dodged."
"Based on the information that's publicly available at this time, there's no threat from this particular version of this attack," Crume said. "But it could have very easily been a threat."
Reportedly supported by the regime of Syrian President Bashar al-Assad, the SEA is active on social media and has claimed responsibility for a number of attacks on high-profile websites, often as a way of generating publicity.
Crume said that publicity might account for the timing early on Thanksgiving morning.
"In this case, it's clear what they were trying to do was a public relations type of situation," he said. "They were trying to rattle some cages."