While you were taking it easy this weekend, over one million pages on hundreds of websites were taken over by hacker group Anonymous and made to display a contentious political message. Though the attack was quickly contained, many Israeli corporate websites, including those of Coca-Cola, Groupon, Toys R Us, McDonald’s, and Fiverr, were affected (to be precised, all websites were the local domains of .co.il address, so mcdonalds.co.il, cocacola.co.il etc., but it also included international Fiverr.com with 40 MM monthly visitors). Had a few sharp security researchers not quickly detected the vulnerability and its embedded ransomware code, the economic damage could have cost millions, if not more.
Programmer and security expert, Ran Bar Zik, reported that the vulnerability was first posted on Twitter by researcher Yuval Adam, known for his activity with Cryptoparty. Anyone surfing on one of over a million webpages affected by the breach at the time, would have seen the following message:
The vulnerability, which included malicious code with an embedded link that downloads ransomware to the users’ computer, was due to a third party accessibility plug-in for the disabled, used across many Israeli websites. Luckily the takeover, and more importantly the ransomware, were both quickly contained by removing the plug-in.
The above screen capture shows over 1 million Israeli pages were affected by a third party plug-in vulnerability.
Despite many prior warnings about the accessibility plug-in’s extremely lax-security, no action was taken by the developer, nagich.com, resulting in a loophole that ultimately affected over 1 million pages, marking a substantial achievement for the hackers, despite the fact that the vulnerability was quickly resolved without major economic impact.
How Anonymous Hacked the Third Party Plugin
The hackers were able to replace the accessibility plugin with malicious JavaScript code that displayed the controversial political message, and embedded a link that downloads ransomware to the users’ computer. Though at first not all researchers were able to detect the problem, a change to the DNS server produced the vulnerability.
By taking control of DNS server records, Anonymous was instead able to redirect traffic to one of its servers. As more DNS servers began to produce the vulnerability, more surfers began seeing the message.
All in all the issue was resolved in under an hour; but it demonstrated the risk of using an unsecured third party plug-in across so many websites. It was lucky that the hackers decided to make the attack about a contentious political message rather than focusing on economic damage, which would have resulted in much greater harm. As little as a basic Java script is all it takes to create wide-spread havoc on so many sites.
document.write(‘<body bgcolor=black><center><h1><font color=red>Jerusalem is the capital of Palestine<br>#OpJerusalem</font></h1></center>’)
Researcher Noam Rotem, who also helped spot the breach, recently discussed the risks of working with third party software in a podcast, much like the accessibility plug-in exploited by Anonymous.
Lessons Learned
The brief yet significant attack drives home the message that using third party plug-ins leaves sites open to undetected vulnerabilities. Website administrators should be wary about using such third party plugins, and the general public is urged to keep their antivirus software up to date.
Luckily all major brands of antivirus were already aware of and defending against the ransomware used by Anonymous in this particular takeover.
Past reports
You may also want to read past reports: how to hack ethically, an IOT security breach in hospitals and major supermarkets, and a security breach that affected nearly half of all airlines worldwide.
Published on: Mar 3, 2019