Hackers sympathizing with the embattled government of Syrian president Bashar al-Assad attempted but failed to carry out what might have been a significant attack against the Web hosting company Wix.com in recent weeks, the security firm that helped thwart it said.
According to a forthcoming report from the security firm Adallom, shared with Re/code, the attack was likely carried out by the Syrian Electronic Army, a group that has a history of hijacking the websites and social media accounts belonging to media organizations in the U.S. and the U.K. Its victims have included Forbes, the Financial Times and The Onion, and its attacks have been intended to spread propaganda favorable to the Assad regime.
Adallom, based in Palo Alto, Calif., and Tel Aviv, specializes in securing the data in cloud software applications. The firm said the attackers first sought to compromise Google Apps accounts belonging to Wix employees, and employed a previously unknown tactic to get around Google’s two-factor authentication scheme to do it. Had the attack been successful, websites belonging to more than 60 million Wix customers would have been compromised.
The attack also represents an indicator of an evolution in tactics that hackers are developing as companies shift away from using traditional software to using applications and services that run in the cloud, where increasingly sensitive troves of data and corporate information are stored. No malware was used in the attack. Instead the hackers sought to use Google Apps as the springboard to a more ambitious attack against the sites hosted on Wix.
“The entire attack happened in the cloud and was carried out in the cloud,” said Tal Klein, a VP at Adallom. “It’s the first time we’ve seen an attack like this so fully formed and executed in the cloud.”
Eric Mason, a spokesman for Wix, confirmed the attack in an interview, but said that it failed and that no customers or Wix-hosted sites were affected. For a short time, a small number of Google Apps accounts belonging to Wix employees were compromised.
The incident began with phishing attacks — emailed links that appeared to be legitimate and which contained links to what appeared to be a YouTube video. Anyone who clicked on the link in the phishing emails was served up with what appeared to be a Google login page. And since the attack was carried out against Wix employees based in Tel Aviv, the fake login page was in Hebrew. Phishing is a type of social engineering attack, essentially tricking the target of an attack into clicking on an unsafe link or installing unsafe software on their system by masquerading as a message from a known person.
But here’s where it gets a bit spooky: The fake login sequence included a legitimate-looking space to enter the six-digit numerical codes associated with Google’s two-step verification process, which generates a number every thirty seconds on a user’s smartphone; it is used essentially as a second password.
Klein says the fake login page contained code that captured the user name and password as well as the six-digit number. Then, during the 30 seconds or so that the two-step number was still good, it sought to log in to the user’s Google Apps account, all in an automated process that took only seconds to carry out.
The phishing email, Adallom says, was sent from a spoofed address but appeared to have come from another Wix employee or executive, which is a typical tactic of phishing attacks.
“This was a tailored attack that took advantage of Google’s two-step verification system in a creative way,” Klein said.
Google declined to comment specifically on the incident. A Google spokeswoman sent the following statement: “The security and privacy of our customer information is very important to us. We work with our Google Apps customers to ensure they have the products, tools and visibility to secure their accounts and respond to threats.”
A source familiar with the matter said that Google Apps accounts belonging to only a single-digit number of employees were compromised out of 1,400-odd Wix employees, and Google was able to regain control of them quickly.
Adallom said the techniques and also some IP addresses associated with the attack suggest that the it was attempted by the Syrian Electronic Army, though Klein conceded the firm can’t prove that completely. The attack matches almost exactly one against the satirical newspaper The Onion that occurred in 2013. Another attack carried out last year against the global news service Reuters and said to have been the work of the SEA involved a compromise of Taboola, an advertising network.
The ultimate target of the failed attack on Wix, Klein said, was an employee in Wix’s IT department, one responsible for running its domain name registrations. One possible motivation, Klein said, might have been to change Wix’s DNS settings. Since DNS servers bridge the gap between Web addresses like recode.net and numerical IP addresses, a change in Wix’s DNS settings might have redirected visitors to Wix-hosted sites the attackers had prepared with their own information. This is exactly what the SEA did with the website of the New York Times in 2013 with some limited success.
In the end, the attack was detected, Wix and Google were both notified and the efforts of the attackers came to naught. As Adallom’s report on the incident says: “All in all, there’s no jaw-dropping moment here — but rather a collection of inexpensive,