Syrian Electronic Army Hacks ShareThis GoDaddy Domain

Cisco Systems’ Jaeson Schultz noted in a blog post that the SEA has cracked the ShareThis platform.

Cisco Systems’ Jaeson Schultz, threat research engineer for Cisco's Threat Research and Communications (TRAC) team, noted in a blog post that the SEA has cracked the ShareThis platform. ShareThis is essentially a publishing tool that provides a mechanism for web surfers to share content online through a customizable widget. Its reach is broad: ShareThis says on its website that it interacts with “more than 94% of US internet users across more than 2 million publisher sites and 120+ social media channels.”

Earlier in the week the site reported technical difficulties, which were resolved by the next morning. “They posted a follow-up tweet the morning of August 22 declaring that the service was functioning properly,” Schultz said. “What ShareThis did not disclose however, was that their GoDaddy domain account was compromised by the Syrian Electronic Army.”

In his investigation, Schultz used a whois lookup to see where the “sharethis.com” domain name is registered (GoDaddy) and where its name servers point (Akamai). During the outage on August 21, however, the name servers for sharethis.com were pointed to name servers used by the SEA.
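The comparison Schultz describes, checking a domain's registrar and name servers against what is expected, can be run as a routine monitoring check. The following is an added example, not code from the Cisco post or this article; the whois text, the `.example` host names and the baseline values are constructed placeholders.

```python
import re

# Constructed baseline (assumption): expected registrar and the DNS provider's
# name-server suffix. Placeholder values, not the real sharethis.com records.
BASELINE = {"registrar": "godaddy", "ns_suffixes": (".dns-provider.example",)}

# Constructed whois output for illustration only.
WHOIS_NORMAL = """\
Domain Name: SHARETHIS.COM
Registrar: GODADDY.COM, LLC
Name Server: NS1.DNS-PROVIDER.EXAMPLE
Name Server: ns2.dns-provider.example.
"""
WHOIS_OUTAGE = """\
Domain Name: SHARETHIS.COM
Registrar: GODADDY.COM, LLC
Name Server: NS1.UNEXPECTED-HOST.EXAMPLE
Name Server: NS2.UNEXPECTED-HOST.EXAMPLE
"""

FIELD = re.compile(r"^\s*(Registrar|Name Server):\s*(\S.*?)\s*$", re.I | re.M)

def parse_whois(text):
    """Return (registrar, sorted name-server list) from whois text."""
    registrar, servers = None, set()
    for key, value in FIELD.findall(text):
        if key.lower() == "registrar":
            registrar = registrar or value
        else:
            # Normalise case and any trailing root dot so comparisons are stable.
            servers.add(value.lower().rstrip("."))
    return registrar, sorted(servers)

def delegation_alerts(text, baseline=BASELINE):
    """List findings where the record departs from the baseline."""
    registrar, servers = parse_whois(text)
    alerts = []
    if registrar is None or baseline["registrar"] not in registrar.lower():
        alerts.append(f"registrar changed or missing: {registrar!r}")
    if not servers:
        alerts.append("no name servers listed")
    for ns in servers:
        if not ns.endswith(baseline["ns_suffixes"]):
            alerts.append(f"unexpected name server: {ns}")
    return alerts

if __name__ == "__main__":
    for label, record in (("normal", WHOIS_NORMAL), ("outage", WHOIS_OUTAGE)):
        print(label, delegation_alerts(record) or "OK")
```

Matching on a suffix with a leading dot keeps a look-alike host such as `evildns-provider.example` from passing as the expected provider.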

The compromise follows a similar attack by the SEA on Outbrain last week, which allowed the group to target major US news sites, including CNN, Time and the Washington Post, redirecting their traffic to the SEA website. Outbrain provides an article recommendation engine for distributing online content.

Hacking content management platforms is an efficient and savvy way for the SEA to carry out its mission. The approach means that hackers can gain access to several targets simultaneously by breaching a single supplier.

“This presents an interesting security dilemma for media organizations and their visitors,” Schultz said. “Essentially, being only as strong as their weakest link, media sites depending on third-parties for content have increased the chances of their users being compromised by attackers.”

Schultz noted that there are precautions users can take when visiting media sites.

“Using a browser plugin such as RequestPolicy is one tool that can help keep you safe,” he wrote. “This Firefox plugin restricts your browser to only load content from the domain located in the address bar. You can right click to bring up a menu which enables you to load specific third-party content you wish to allow.”