Syrian Electronic Army Hackers Deface Western News Sites

Remember the Syrian Electronic Army?

The pro-Assad hacker group was extremely active just over a year ago, hacking the Truecaller global phone directory, the support Web site for the Viber messaging app, the personal Gmail accounts of three White House staffers, the U.K.'s Channel 4 blog site, Forbes' Web site, the content recommendation service Outbrain, the domain registrar Melbourne IT, the international news site GlobalPost, and the Twitter, Facebook and WordPress accounts for Skype. And when the hackers took over the Associated Press' Twitter account in April 2013 and posted a tweet claiming that Barack Obama had been injured, the Dow Jones Industrial Average plunged 143 points in response.

Now, after staying out of the limelight for a while, the group is back at it.

On Thanksgiving Day 2014, the hackers hit the Gigya comment platform by breaching Gigya's account at domain registrar GoDaddy and configuring its DNS server to redirect visitors to a site under the Syrian Electronic Army's control.

"Happy thanks giving, hope you didn't miss us," the group tweeted.

The hackers stated that the attack was launched in response to what they described as "reporting of the Syrian air strikes in Raqqa hit civilians, while the truth the strikes hit the ISIS terrorists."

According to the group, sites impacted by the attack included Aljazeera, Boston.com, the Chicago Tribune, CNBC, CNN Money, the Dallas Morning News, Dell, DirecTV, the Evening Standard, the Hartford Courant, Logitech, the Los Angeles Times, Microsoft, National Geographic, NBC, the New York Daily News, Office Depot, the Baltimore Sun, the Guardian, the Independent, and Verizon Wireless.

In response to the attack, Gigya CEO Patrick Salyer stated on November 27, 2014, "At approximately 6:45 AM EST we identified sporadic failures with access to our service. An initial inquiry has revealed that there was a breach at our domain registrar that resulted in the WHOIS record of gigya.com being modified to point to a different DNS server. That DNS server had been configured to point Gigya’s CDN domain (cdn.gigya.com) to a server controlled by the hackers, where they served a file called 'socialize.js' with an alert claiming that the site had been hacked by the Syrian Electronic Army."

"To be absolutely clear: neither Gigya’s platform itself nor any user, administrator or operational data has been compromised and was never at risk of being compromised," Salyer added. "Rather, the attack only served other JavaScript files instead of those served by Gigya."
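The registrar-level change Salyer describes is visible from outside as a change in a domain's NS delegation. The following is an added example, not code from the article or from Gigya, showing one way a site owner could compare polled NS records against an expected baseline; the domain, nameserver names and poll data are constructed placeholders.

```python
# Assumed baseline: nameservers the domain owner expects (placeholder names).
BASELINE_NS = {"ns1.dns-provider.example", "ns2.dns-provider.example"}

# Constructed poll results, "timestamp domain NS target", not real incident data.
SAMPLE = """\
2024-01-01T06:30:00Z widgets.example NS ns1.dns-provider.example.
2024-01-01T06:30:00Z widgets.example NS NS2.dns-provider.example.
2024-01-01T06:45:00Z widgets.example NS ns1.dns-provider.example.
2024-01-01T06:45:00Z widgets.example NS ns1.unknown-host.example.
2024-01-01T07:00:00Z widgets.example NS ns1.unknown-host.example.
2024-01-01T07:00:00Z widgets.example NS ns2.unknown-host.example.
"""

def normalize(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()

def parse_polls(text):
    """Group NS targets by poll timestamp, skipping malformed lines."""
    polls = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2].upper() == "NS":
            polls.setdefault(parts[0], set()).add(normalize(parts[3]))
    return polls

def delegation_drift(polls, baseline):
    """Return (timestamp, severity, unexpected, missing) per drifting poll."""
    expected = {normalize(n) for n in baseline}
    findings = []
    for ts in sorted(polls):  # same-format ISO timestamps sort chronologically
        seen = polls[ts]
        unexpected, missing = sorted(seen - expected), sorted(expected - seen)
        if unexpected:
            # No overlap with the baseline means the delegation was fully replaced.
            severity = "critical" if not seen & expected else "warning"
        elif missing:
            severity = "info"
        else:
            continue
        findings.append((ts, severity, unexpected, missing))
    return findings

if __name__ == "__main__":
    for finding in delegation_drift(parse_polls(SAMPLE), BASELINE_NS):
        print(finding)
```

In practice the poll lines would come from querying the parent zone's delegation on a schedule, and a critical finding would page whoever holds the registrar account.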

The Dallas Morning News, one of the victims of the attack, reported that site visitors who tried to post comments on news stories between 6:30am and 9am on the day of the attack received a message stating, "You've been hacked by the Syrian Electronic Army (SEA)," and were then redirected to an image of the group's logo and a Syrian flag.

Dallas Morning News digital publisher Nicki Purcell said it's important to understand that no user data was compromised. "My biggest concern is that users who saw that message will believe they've somehow been hacked," she said. "We have no indication this is the case."

The hackers themselves echoed those sentiments, tweeting, "We're the good guys so this was harmless but just in case the bad guys copy us, use NoScript with Firefox: noscript.net"