Categories: SecurityWorkspace

Syrian Electronic Army Claims ShareThis.com Hack

The Syrian Electronic Army (SEA) is continuing its campaign of attacking online media sites by way of third-party widgets with an alleged attack last week against ShareThis.com. The SEA is a group with ties to Syrian President Bashar al-Assad and last week was implicated in an attack that redirected traffic from The Washington Post.

Jaeson Schultz, threat research engineer for Cisco’s Threat Research and Communications (TRAC) Team, first disclosed the incident on 22 August, based on an analysis of Domain Name System (DNS) records for ShareThis.com.

Security breach or not?

ShareThis.com, which did not respond to a request for comment from eWEEK by press time, is a widely used third-party tool that appears on many websites, enabling users to easily share a given page with social networking tools.

After the data was published on the Cisco Security Blog, more information was released by the Syrian Electronic Army themselves, Schultz told eWEEK.

“This included some screen shots of email conversations in which the administrators of ShareThis.com admit their GoDaddy domain account was compromised,” Schultz said.

On 21 August, ShareThis.com tweeted that it was experiencing some technical difficulties. At 10:21 a.m. on 22 August, ShareThis tweeted that it was back up. Schultz’s analysis shows that ShareThis.com’s DNS nameserver records were changed with its host GoDaddy.com

From GoDaddy’s perspective however, there was no breach. “While we can’t get into specifics on a particular customer account [out of respect for their privacy], I can tell you our systems performed exactly as designed,” GoDaddy spokesperson Nick Fuller told eWEEK. “There was no security breach.”

Spear phishing

Schultz suspects that this attack most likely occurred as many of the SEA’s previous attacks: a successful spear-phishing attack followed by culling valuable data from the compromised inbox. As was the case with The Washington Post issue last week, where a third-party widget from Outbrain redirected users to an SEA site, the same type of redirection was likely occurring with the alleged ShareThis.com incident as well.

“While the possibility exists that something more malicious occurred, we have seen no evidence of anything but simple redirection,” Schultz said. “The motivation of the SEA seems to be site defacement rather than end-user compromise.”

ShareThis regained control over their GoDaddy account sometime in the morning of 22 August, and returned the nameservers for their domain to their proper settings, Schultz said.

“There is no indication that the SEA has access to the ShareThis GoDaddy account any longer,” Schultz said. “However, since the SEA had access to an email account at ShareThis.com, then it’s possible there are other credentials they found, or even other information they can use in future spear-phishing attacks on ShareThis’ business partners.”

Site owners can tap steps to mitigate the risk of being a victim of a similar kind of attack. First off, Schultz recommends that site owners make sure they aren’t storing sensitive information, such as domain account credentials or other passwords inside email inboxes.

External account protection

Secondly, he suggests that for any sensitive external accounts (social media, domain registration) site owners should take full advantage of all available security features such as account password reset questions and two-factor authentication.

Schultz also recommends that site owners monitor their websites for unexpected changes, and monitor their web statistics for unexpected drops in traffic. Educating employees to not always click on links in email is also a good idea.

“Extra alarm bells ought to go off in your head if a link you click takes you to a page where you are prompted to enter a user name and password,” Schultz said. “The only time you should type in your user name and password is when you have entered the URL into the location bar yourself.”

Do you know all about IT and the law? Take our quiz.

Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

Northvolt Mulls US Bankruptcy Protection – Report

Troubled battery maker Northvolt reportedly considers Chapter 11 bankruptcy protection in the United States as…

2 days ago

FTC Plans Investigation Into Microsoft Cloud Business – Report

Microsoft's cloud business practices are reportedly facing a potential anti-competitive investigation by the FTC

2 days ago

Programmer Sentenced To Five Years In Prison For Bitcoin Laundering

Ilya Lichtenstein sentenced to five years in prison for hacking into a virtual currency exchange…

3 days ago

Hate Speech Watchdog CCDH To Quit Musk’s X

Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…

3 days ago

Meta Fined €798m Over Alleged Facebook Marketplace Violations

Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…

3 days ago

Elon Musk Rebuked By Italian President Over Migration Tweets

Elon Musk continues to provoke the ire of various leaders around the world with his…

3 days ago