Skip navigation

Malicious Hackers Take Over Media Sites via Content Delivery Network Providers

Content delivery network providers are now targets of malicious hackers, as the brief Washington Post mobile site takeover exemplified. Last week, the Syrian Electronic Army (SEA) struck again, attacking the major news media outlet for a second time via one of their third-party tech providers, sending custom push notifications to their readers.

First - what is a content delivery network (CDN)? It’s a network of distributed servers that use geographic location as a criteria for delivering web pages and other web content to users. When a user requests to view a web page on a news site, a server node closest in proximity to the user delivers the cached website content quickly (low latency and high data transfer speeds mean faster download times) and reliably (high availability).

Geo-targeting also allows content providers to serve up different versions of web pages based on a user’s location. Amazon Web Services (AWS) provides a content delivery web service, Amazon CloudFront, as do many other cloud and data hosting providers.

News media companies that run their businesses based on breaking news and a high volume of content will contract with CDN providers to deliver content to their audience. It’s the traditional hosting provider infrastructure as a service (IaaS) business model, but specifically tailored to clients with a lot of content/web pages. The news media company (like the Washington Post) benefits by offloading the work and costs of running a data center or cloud to a content delivery network.

But, like any third-party provider, this relationship opens up content providers to potential security risks. If their CDN provider falls prey to simple one simple phishing attack, then their news domain can be hijacked, giving attackers like the SEA the ability to customize their own messages to send to millions of readers.

Security researcher Kenneth White tweeted a photo of the mobile site source code, which proclaimed “Hacked by SEA” (see below).

Washington Post Mobile Site Hacked

Vice.com reported on the SEA’s pop-up alerts they sent via the Washington Post mobile site with messages like “The media is always lying” and other politically-laden statements:

Washington Post Hack

The SEA hacked the mobile site via their content delivery provider, Instart Logic, who defines their content delivery solution as a software-defined application delivery service (SDAD) for mobile and cloud apps. Instart Logic provides a new type of CDN that relies on the virtualization of applications in the web browser in order to deliver faster web app performance on mobile devices by resizing, compressing and optimizing images and other content on web pages, as well as using HTML streaming.

If a traditional CDN uses caching to deliver content faster, then a cloud-based one relies instead on a thin virtualization layer that sits between the browser APIs and the website or web app, which Instart Logic calls their Nanovisor.

I find all of this innovation very interesting, as do many others, apparently, as they’ve just secured a Series D round of funding with hopes of disrupting the CDN industry. But, like any software as a service (SaaS) tech startup, security should also be top of mind for these types of companies, particularly as they deliver content from some of the biggest news media companies in the business.

Many other news media attacks perpetrated by the SEA leveraged access via other types of third-party service providers, as was seen in a 2013 attack against the online sites of the Washington Post, CNN and Time. The attackers targeted Outbrain, a content discovery platform provider that produces the embedded content-sharing widget seen at the bottom of articles, linking to related articles around the web.

The SEA sent a phishing email to Outbrain in order to steal employee credentials, gain access to their internal systems and change admin settings for the news outlets. Then, they changed URLs in the widgets to redirect Washington Post readers to SEA-controlled sites.

If a solution lacks sufficient security, then it’s kind of pointless. On their website, Instart also touts a security suite of web application firewalls and DDoS protection, but the real question is, do they have strong authentication controls in place internally to protect their company and their clients from a low-tech phishing attack? Shifting the focus to access security, a two-factor authentication solution can stop attacks at the front door by requiring the use of a personal device in order to log into any application or service.

Learn more by reading our Two-Factor Authentication Evaluation Guide.

Read more about information security guidelines for the industry in Redefining Information Security for Journalists & the Media.

Thu Pham

Information Security Journalist

@Thu_Duo

Thu Pham covers current events in the tech industry with a focus on information security. Prior to joining Duo, Thu covered security and compliance for the infrastructure as a service (IaaS) industry at Online Tech. Based in Ann Arbor, Michigan, she earned her BS in Journalism from Central Michigan University.