Injecting tags and JS scripts in to a page usually falls in to the XSS category of attacks although it is not clear how it was done in this particular case.
Indeed. I think whenever 'hacked sites' stories are posted here, the poster should include a screenshot given that the site will likely be fixed very quickly.
Anybody have any idea about how they did it? Sorry for the noob question but I can't really figure out how they did it, since the original page loads fine and only after this there's some kind of redirect.
And as I can see it only affects certain pages so maybe there's a compromised component that's loaded on those pages?
js.revsci.net seems to be redirecting some requests to localhost, so the code isn't loading for everyone. If it loads for you, you get redirected to a big "hacked by the Syrian Electronic Army etc. etc." page.
The location of the code doesn't look like it was from a malicious ad or social media thingy. Looks like it's near the bottom of the page template, so that's neat. It's embedded in other unrelated articles too.
edit: I was able to retrieve the content from elsewhere. It's up at http://pastebin.com/rzPeKKMH -- it's not just doing a redirect, there's some funky stuff in there.
Are you sure this is the malicious code? It looks like the standard Audience Science code, to me. Perhaps they or their CDN was hacked, or a malicious ad was placed on the advertising network?
It seems that Reuters has rectified the problem now. Previously it was redirecting to a page hosted by the Syrian Electronic Army.
Also a reminder to not link directly to hacked pages but to perhaps a screenshot and put the real link in the comments, as we don't know if there could be malicious javascript et al injected into the page.
It wasn't a problem inside reuters, but their 3rd party provider called (Taboola), which injects ads on reuters. So once taboola hacked, the ads system started injecting a script to redirect that page to another one.
15 comments
[ 2.9 ms ] story [ 38.4 ms ] threadSpecifically this page: http://imgur.com/CkIFBmY
And as I can see it only affects certain pages so maybe there's a compromised component that's loaded on those pages?
There's a bit of code injected into the page near the bottom:
js.revsci.net seems to be redirecting some requests to localhost, so the code isn't loading for everyone. If it loads for you, you get redirected to a big "hacked by the Syrian Electronic Army etc. etc." page.The location of the code doesn't look like it was from a malicious ad or social media thingy. Looks like it's near the bottom of the page template, so that's neat. It's embedded in other unrelated articles too.
edit: I was able to retrieve the content from elsewhere. It's up at http://pastebin.com/rzPeKKMH -- it's not just doing a redirect, there's some funky stuff in there.
Also a reminder to not link directly to hacked pages but to perhaps a screenshot and put the real link in the comments, as we don't know if there could be malicious javascript et al injected into the page.
Source: https://medium.com/@FredericJacobs/the-reuters-compromise-by...