

Reuters hacked - pdeva1
http://www.reuters.com/article/2014/06/22/us-iraq-security-idUSKBN0EX0BJ20140622

======
thaumaturgy
Generally not a good idea to link directly to a hacked page.

There's a bit of code injected into the page near the bottom:

    
    
        document.write("<SCR"+"IPT TYPE='text/javascript' SRC='" + "http" + (window.location.protocol.indexOf('https:')==0?'s':'') + "://js.revsci.net/gateway/gw.js?csid=I07714' CHARSET='ISO-8859-1'"+"><\/SCR"+"IPT>");
    

js.revsci.net seems to be redirecting some requests to localhost, so the code
isn't loading for everyone. If it loads for you, you get redirected to a big
"hacked by the Syrian Electronic Army etc. etc." page.

The location of the code doesn't look like it was from a malicious ad or
social media thingy. Looks like it's near the bottom of the page template, so
that's neat. It's embedded in other unrelated articles too.

edit: I was able to retrieve the content from elsewhere. It's up at
[http://pastebin.com/rzPeKKMH](http://pastebin.com/rzPeKKMH) -- it's not just
doing a redirect, there's some funky stuff in there.
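
The snippet quoted above splits the tag name across string literals, so a plain search for `<script src=` misses it. This added example (not part of the original comment or of any site's code; the sample page, the `/resources/js/main.js` path and the function names are constructed for illustration) lists the off-site hosts a page pulls scripts from, including tags assembled inside `document.write()`.

```javascript
// Constructed sample page: one first-party script plus the quoted snippet.
const SAMPLE_HTML = String.raw`<html><body>
<script src="/resources/js/main.js"></script>
<script>
document.write("<SCR"+"IPT TYPE='text/javascript' SRC='" + "http" + (window.location.protocol.indexOf('https:')==0?'s':'') + "://js.revsci.net/gateway/gw.js?csid=I07714' CHARSET='ISO-8859-1'"+"><\/SCR"+"IPT>");
</script>
</body></html>`;

// Matches the src attribute of a <script> tag (either quote style).
const TAG_RE = /<script\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;

// Return every script src found in the markup.
function scriptSources(html) {
  const found = [];
  // 1. Tags written directly in the HTML.
  for (const m of html.matchAll(TAG_RE)) found.push(m[1]);
  // 2. Tags built by document.write(): join the double-quoted literals,
  //    which undoes "<SCR"+"IPT" splitting, then rescan the joined text.
  //    Heuristic only: runtime expressions (the http/https ternary here)
  //    are dropped, so the scheme may be wrong but the host is recovered.
  for (const w of html.matchAll(/document\.write\(([\s\S]*?)\);/g)) {
    const literals = [...w[1].matchAll(/"((?:[^"\\]|\\.)*)"/g)];
    const joined = literals.map((l) => l[1]).join('');
    for (const m of joined.matchAll(TAG_RE)) found.push(m[1]);
  }
  return found;
}

// Hosts other than the page's own that are not on the reviewed allowlist.
function thirdPartyHosts(html, pageUrl, allowedHosts) {
  const pageHost = new URL(pageUrl).hostname;
  const hosts = new Set();
  for (const src of scriptSources(html)) {
    let host;
    try {
      host = new URL(src, pageUrl).hostname; // resolves relative paths
    } catch (e) {
      continue; // unparseable src: skip rather than guess
    }
    if (host !== pageHost && !allowedHosts.includes(host)) hosts.add(host);
  }
  return [...hosts].sort();
}

console.log(thirdPartyHosts(SAMPLE_HTML, 'http://www.reuters.com/', []));
```

Every host this reports can run arbitrary script in the page, so each one belongs on the list of parties whose compromise becomes the site's compromise.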

~~~
beejiu
Are you sure this is the malicious code? It looks like the standard Audience
Science code, to me. Perhaps they or their CDN was hacked, or a malicious ad
was placed on the advertising network?

~~~
thaumaturgy
Nope, not positive, and matheusbn posted an article saying it was something
else:
[https://news.ycombinator.com/item?id=7928052](https://news.ycombinator.com/item?id=7928052)

------
matheusbn
It wasn't a problem inside Reuters, but with their 3rd party provider (called
Taboola), which injects ads on Reuters. So once Taboola was hacked, the ads
system started injecting a script to redirect that page to another one.

Source: [https://medium.com/@FredericJacobs/the-reuters-compromise-by...](https://medium.com/@FredericJacobs/the-reuters-compromise-by-the-syrian-electronic-army-6bf570e1a85b)

------
jamescun
It seems that Reuters has rectified the problem now. Previously it was
redirecting to a page hosted by the Syrian Electronic Army.

Also a reminder to not link directly to hacked pages but to perhaps a
screenshot and put the real link in the comments, as we don't know if there
could be malicious javascript et al injected into the page.

------
lesingerouge
Anybody have any idea about how they did it? Sorry for the noob question but I
can't really figure out how they did it, since the original page loads fine
and only after this there's some kind of redirect.

And as I can see it only affects certain pages so maybe there's a compromised
component that's loaded on those pages?

------
fchollet
I am seeing the expected Reuters article. Mind explaining what is supposed to
happen when loading this page?

------
anupshinde
Just curious: What is this hacking technique called? Seems to be some kind of
JS injected redirection.

~~~
ShaneCurran
Injecting tags and JS scripts into a page usually falls into the XSS
category of attacks, although it is not clear how it was done in this
particular case.

------
FredericJ
I wrote a post about what happened: [https://medium.com/@FredericJacobs/the-reuters-compromise-by...](https://medium.com/@FredericJacobs/the-reuters-compromise-by-the-syrian-electronic-army-6bf570e1a85b)

------
buster
What is supposed to happen? Seems to be some article...

~~~
sehr
After the page loads, you are redirected to the Syrian Electronic Army web
site.

Specifically this page: [http://imgur.com/CkIFBmY](http://imgur.com/CkIFBmY)

------
thomasfromcdnjs
It's fixed now. It was linking to
[http://sea.sy/indexs/](http://sea.sy/indexs/)

