A large-scale takeover of major brand-name websites, including NBC.com, The Independent and NHL.com was recently exposed. The cyber threat actor responsible was the infamous Syrian Electronic Army (SEA). The SEA did not hack NBC nor any other of the affected organizations directly; instead, they were able to hack into the DNS registry of a shared vendor. The vendor, a company called Gigya, specializes in identity management and offers a third-party code library that website developers can install on their sites. The result was traffic redirection to a .js file that notified the site visitor that the SEA was now in control of the site.
Gigya's service is a customer identity management platform. This allows site visitors to access sections of websites that are typically password protected without having to re-login each time.
Instead of attacking Gigya's code library, the SEA was able to hack Gigya's DNS entry at GoDaddy. From there, they redirected Gigya's content delivery network (CDN) to infrastructure controlled by the SEA. This infrastructure was hosting a .js file with a message notifying the website had been hacked.
The exact motive and end game of this attack are still being debated. However, the result is a black eye on the websites affected and yet another example of breakdown in the virtual supply chain many large websites have come to rely on.
Gigya's weaknesses became the weakness of its customers, which happened to be many of the world's largest and most influential websites. By taking over the DNS entry of Gigya (third-party vendor), cyber thieves took control of visitors' browsing sessions. Every time Gigya's CDN URL was called to a webpage, the end users were instead re-routed to SEA controlled infrastructure.
Internet security is never a certainty nor ironclad; it is an ongoing process with many cyber threat actors heavily investing in exploiting every facet of it. There was nothing unique to Gigya other than its customer base. All any cyber thief would need to perform the same type of hack is login credentials.
Many other third-party controlled code libraries exist; some belong to startups, some are open-source based, and some are small parts of major enterprise organizations. Most of their services are hosted and served up off premise in a cloud-based, SaaS platform. The web developers who use these services have no insight into the security practices of each of these organizations. They pull down third-party code into their visitors' web sessions at their own peril.
The reality is security experts have very little visibility into what's truly happening session by session to site visitors. There just aren't many tools for this. And there are treasure troves of valuable data to pilfer off of individual computers, smartphones and tablets. Therefore, innovations are being made, just on the wrong side!
In the SEA attack, the .js file could've just as easily been a piece of malware that could've been spread to thousands or even millions of visitors before being detected.
RiskIQ's suite of enterprise services is designed to solve this cyber threat. RiskIQ for Web is designed to detect embedded malware while it's attempting to infect site visitors. We do this by sending out a massive army of virtual users that are configured to look and act like real human users on devices.
Each virtual user can emulate a computer or smartphone. Their purpose is to experience live websites as a real user would. If they become infected during a scan, they can pinpoint the source of the infection using full DOM capture to recreate the infection and rebuild the causality chain for forensics purposes.
In the SEA attack, the actual brands affected could set up up alerts through the real-time asset discovery tool in our RiskIQ for Web product. More importantly if and when this were a cyber attack used to spread dangerous malware, our virtual users would detect it and take pre-determined actions in order to eliminate the cyber threat.
For more information on the details of the account and RiskIQ's take on it, see here.