SEATTLE – Rather than directly attack the Washington Post, Time and CNN, hackers from the Syrian Electronic Army (SEA) this morning seeded infections on the recommendation site Outbrain, knowing full well that the media giants were trusted partners of Outbrain.
That innovation should send shivers through U.S. media companies, as it exposes a vast security weakness intrinsic to the loose-knit trust relationships on which online promotions and advertising have been built.
Third-party partnerships to promote content and direct advertising to specific audiences undergird the multibillion-dollar online advertising industry. Behavior-aware advertising relies on a multi-layered web of players — ranging from the media and tech giants to thousands of third-party app developers and smaller ad networks. And it turns out that this Internet-enabled collaborative effort to match your web surfing habits to things you might buy is wide open to the spread of malicious code.
“From a hacker’s perspective, this represents a soft attack vector for compromising high value and prestige web sites – and we can expect them to be targeted with increased vigor over the next few years,” says Gunter Ollmann, chief technology officer at IOActive.
Some 20 Chinese hacking collectives are already taking advantage of such trust relationships, while striving to remain stealthy as they pilfer intellectual property from Western corporations.
“We see the Chinese doing this all the time,” says Adam Meyers, vice president of intelligence at security start-up CrowdStrike. “When you can’t get into the target, you focus on a partner or customer and leverage that trust relationship.”
The SEA is more like the Islamic hacking group — Cyber Fighters of Izz ad-Din al-Qassam — responsible for bedeviling U.S. banks. The aim of these groups is to disrupt Western commerce – and they almost always boast loudly, says Darien Kindlund, manager of threat intelligence at network security firm FireEye.
The SEA clearly took pains to analyze the supply chain partners of the media giants, which anybody is free to do. It’s a simple research task to find out which of the gargantuan online ad networks, run by Google, Yahoo, AOL and Microsoft, any given media company uses.
And with a bit more digging, anyone can discover which of the thousands of smaller ad networks and third-party affiliates, like Outbrain, are looped in.
“You can go through and see which are the most vulnerable and which ones have the highest presence on the most news media sites,” says Kindlund. “If I were a large media organization I’d want to review all of the trust relationships I have with ad partners and make sure none of them are vulnerable in the same way as Outbrain.”
Media companies may as well start budgeting to spend more on tighter security.
“The truth is, media corporations traditionally do not budget a significant amount of money to protect themselves from these sorts of attacks,” says John Prisco, CEO of computing devices security company Triumfant. “Unlike some industries that stress protection like financial services, media corporations don’t, so therefore they are easy pickings.”