The Telegraph disabled its social media sharing buttons during the attack by the Syrian Electronic Army (SEA).
According to a source who chose to remain anonymous, there was a suggestion that those services were being used to hijack the news websites. “Most of the sites affected use Gigya for comments, but we use Disqus, so it cannot have been that in [this] case,” they said.
The source said that the widgets were switched off and unavailable during the attack, in a possible attempt to stop the effort. A spokesperson for the Telegraph said: “As this functionality is not essential to the delivery of our sites, it was decided that the links would be temporarily removed to provide the cleanest and best experience for our customers.”
Andrew Barratt, CEO of Coalfire, suggested that this action may have been taken as social media buttons have been a cross-site scripting vector in the past, which has led to social spamming, and it is often used as first point to start attacking social media credentials in order also.
Steve Lord, technical director of Mandalorian, said that it appears that the Telegraph does use Gigya and are still using it to power the social media widgets. “That’s why it would’ve been turned off,” he said.
As many as 100 websites were affected by the DNS redirect, which was enabled by changing the domain name server (DNS) settings of the shared website provider. Gigya confirmed to the BBC that the hackers had mounted the attack by changing its domain name system entry and by changing some of Gigya’s domains, which were registered with GoDaddy. This enabled the hackers to redirect visitors to their own webpages, or alternatively activate pop-up messages.
Jason Steer, director of technology at FireEye, told IT Security Guru that for DNS registrars, it could be catastrophic given everything is reliant upon it these days. “I am shocked at how easy it was for them to redirect the DNS and luckily for them, the SEA don’t have any ulterior motive than to promote Assad,” he said.
He said he expected that websites such as the Telegraph would have the fundamental security basics done, especially where there is interaction with users.
Steer suspected that Gigya was the target as a lot of people were off work in the US due to Thanksgiving, but what did not understand was how some websites were redirected to Javascript and some to a page. “It seems that there is not one consistent theme to what happened, and I am confused as to why there are two directions,” he said.