15 comments

[ 2.9 ms ] story [ 38.4 ms ] thread
Just curious: What is this hacking technique called? seems to be some kind of JS injected redirection.
Injecting tags and JS scripts in to a page usually falls in to the XSS category of attacks although it is not clear how it was done in this particular case.
What is supposed to happen? Seems to be some article...
Indeed. I think whenever 'hacked sites' stories are posted here, the poster should include a screenshot given that the site will likely be fixed very quickly.
I am seeing the expected Reuters article. Mind explaining what is supposed to happen when loading this page?
Anybody have any idea about how they did it? Sorry for the noob question but I can't really figure out how they did it, since the original page loads fine and only after this there's some kind of redirect.

And as I can see it only affects certain pages so maybe there's a compromised component that's loaded on those pages?

Generally not a good idea to link directly to a hacked page.

There's a bit of code injected into the page near the bottom:

    document.write("<SCR"+"IPT TYPE='text/javascript' SRC='" + "http" + (window.location.protocol.indexOf('https:')==0?'s':'') + "://js.revsci.net/gateway/gw.js?csid=I07714' CHARSET='ISO-8859-1'"+"><\/SCR"+"IPT>");
js.revsci.net seems to be redirecting some requests to localhost, so the code isn't loading for everyone. If it loads for you, you get redirected to a big "hacked by the Syrian Electronic Army etc. etc." page.

The location of the code doesn't look like it was from a malicious ad or social media thingy. Looks like it's near the bottom of the page template, so that's neat. It's embedded in other unrelated articles too.

edit: I was able to retrieve the content from elsewhere. It's up at http://pastebin.com/rzPeKKMH -- it's not just doing a redirect, there's some funky stuff in there.

Could you try grabbing that again? When you pasted it it looks like linebreaks were added. I'm trying to deobfuscate it via JSNice.
Are you sure this is the malicious code? It looks like the standard Audience Science code, to me. Perhaps they or their CDN was hacked, or a malicious ad was placed on the advertising network?
It seems that Reuters has rectified the problem now. Previously it was redirecting to a page hosted by the Syrian Electronic Army.

Also a reminder to not link directly to hacked pages but to perhaps a screenshot and put the real link in the comments, as we don't know if there could be malicious javascript et al injected into the page.