On August 14th, Outbrain’s widget configuration tools were compromised by a phishing attack performed by the Syrian Electronic Army. Below is a rundown of what happened and the steps Outbrain took to eliminate the threat and avoid future incidents.
On the evening of August 14th, a phishing email was sent to all employees at Outbrain purporting to be from Outbrain’s CEO. The email contained a link from a prominent news source, which redirected to a page asking Outbrain employees to input their credentials. At least one Outbrain employee was impacted, allowing an organization called the Syrian Electronic Army (SEA) to infiltrate our widget configuration tools.
Once they logged in, the SEA was able to change the widget settings on four of our publishing partners. The changes to two of them looked like this:
and on the other two, traffic was redirected to the SEA website:
Here is the timeline of events on August 15, 2013 (all times are EST):
- 8:40am SEA began making configuration changes
- 10:23am SEA took responsibility for the hack of a news organization, changing a setting through Outbrain’s admin console to label Outbrain recommendations as “Hacked by SEA.”
- 10:34am Outbrain internal staff became aware of the breach
- 10:40am Outbrain network operations began investigating and decided to shut down all serving systems and block all external access
- 11:03am All systems were shut down
- 11:50am First communication sent to our clients alerting them that service was suspended
- 1:51pm Second client communication alerting them of the attack
- 4:47pm Third client communication reassuring our customers that the system was secure and that the majority of our customers were not affected
- 6:30pm System audit completed
- 7:30pm Outbrain service restored and clients notified
What steps did we take to guarantee there would be no further system breaches?
- The entire Outbrain service was shut down from serving on our client sites
- All external VPN access was shut down
- All passwords to access Outbrain’s tools were eliminated
- Passwords to internal administration tools were reset
- All employees were required to change their email passwords and set up two-step verification
What made us confident it was ok to relaunch the service?
- We were able to identify the changes the SEA had made
- We identified affected sites and rolled back any changes that were made
- Verification that no SEA changes were left in the system
- Verification that no changes were made to any production code or database systems
What steps are we taking to prevent further attacks?
- Enforcement of double verification method for access to email for all employees
- Employed a forensic firm in addition to our current auditing service to review this incident
- Removing functionality to prevent further script injections
- Ongoing hourly scan to verify the code base has not been modified
- Instituting staff training on how to detect and avoid scams
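The hourly code-base scan listed above can be implemented as a manifest of per-file digests compared against a baseline taken at deploy time. The following is an added example, not Outbrain’s own tooling; the directory layout, file names and tampered values it uses are constructed for the demonstration.

```python
"""Added example (not Outbrain's code): a periodic code-base integrity scan.

A baseline manifest maps every file under the deployed tree to its SHA-256
digest; each scan rebuilds the manifest and reports files that were added,
removed or modified since the baseline. The tree used below is constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's POSIX path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference; all three lists empty means the tree is unchanged."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, alter it, then rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "widget").mkdir()
        (root / "widget" / "loader.js").write_text("render(config);\n")
        (root / "widget" / "config.json").write_text('{"redirect": ""}\n')
        baseline = build_manifest(root)  # what the deploy-time scan would store
        # Simulate an unauthorised config edit plus an unexpected new file.
        (root / "widget" / "config.json").write_text('{"redirect": "http://redirect.invalid"}\n')
        (root / "widget" / "unexpected.js").write_text("// file not present at deploy time\n")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

A real deployment would persist the baseline manifest outside the tree being scanned (so a compromise of the tree cannot also rewrite the baseline) and alert on any non-empty result.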
Outbrain’s system was compromised as a result of a simple phishing attack. Our system was not hacked, firewalls were not infiltrated and no personal or customer data was taken.
We hope that this information will help our customers better understand what measures we have put in place to ensure this sort of thing will not happen again and help educate the community about how to mitigate the risk from groups like the SEA.
August 16, 2013