Reuters hacked

30 points by pdeva1 almost 11 years ago

9 comments

thaumaturgy almost 11 years ago
Generally not a good idea to link directly to a hacked page.

There's a bit of code injected into the page near the bottom:

    document.write("<SCR"+"IPT TYPE='text/javascript' SRC='" + "http" + (window.location.protocol.indexOf('https:')==0?'s':'') + "://js.revsci.net/gateway/gw.js?csid=I07714' CHARSET='ISO-8859-1'"+"><\/SCR"+"IPT>");

js.revsci.net seems to be redirecting some requests to localhost, so the code isn't loading for everyone. If it loads for you, you get redirected to a big "hacked by the Syrian Electronic Army etc. etc." page.

The location of the code doesn't look like it was from a malicious ad or social media thingy. Looks like it's near the bottom of the page template, so that's neat. It's embedded in other unrelated articles too.

edit: I was able to retrieve the content from elsewhere. It's up at http://pastebin.com/rzPeKKMH -- it's not just doing a redirect, there's some funky stuff in there.
matheusbn almost 11 years ago
It wasn't a problem inside Reuters, but their 3rd party provider called (Taboola), which injects ads on Reuters. So once Taboola was hacked, the ads system started injecting a script to redirect that page to another one.

Source: https://medium.com/@FredericJacobs/the-reuters-compromise-by-the-syrian-electronic-army-6bf570e1a85b
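Added example, not part of the thread and not code from Reuters or any vendor named in it: a small audit that lists every external host a page loads scripts from, including tags assembled by string concatenation like the "<SCR"+"IPT" snippet quoted above, which a plain tag scan does not see. The sample page, the example-*.test hosts and all function names are constructed for the illustration.

```javascript
// Constructed sample page: three static tags plus the document.write snippet
// quoted in the thread. The example-*.test hosts are made up.
const SAMPLE_PAGE = String.raw`<html><body>
<script src="/js/site.js"></script>
<script src="https://static.example-news.test/app.js"></script>
<script async src="//widgets.example-ads.test/loader.js"></script>
<script>document.write("<SCR"+"IPT TYPE='text/javascript' SRC='" + "http" + (window.location.protocol.indexOf('https:')==0?'s':'') + "://js.revsci.net/gateway/gw.js?csid=I07714' CHARSET='ISO-8859-1'"+"><\/SCR"+"IPT>");</script>
</body></html>`;

// Undo string-literal concatenation so split tags ("<SCR"+"IPT") become visible.
function foldConcats(src) {
  return src
    // "lit" + (expression) + "lit"  ->  lit{expr}lit
    .replace(/(["'])\s*\+\s*\(.*?\)\s*\+\s*\1/g, '{expr}')
    // "lit" + "lit"  ->  litlit
    .replace(/(["'])\s*\+\s*\1/g, '');
}

// Host of a script URL, or null for relative (same-origin) paths.
function hostOf(url) {
  const m = /^(?:[^\/]*:)?\/\/([^\/?#:]+)/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Every external host referenced by a <script src=...> tag, static or written
// through document.write. fold=false shows what a plain tag scan sees.
function scriptHosts(html, fold = true) {
  const text = fold ? foldConcats(html) : html;
  const tagSrc = /<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  const hosts = new Set();
  for (const m of text.matchAll(tagSrc)) {
    const host = hostOf(m[1]);
    if (host) hosts.add(host);
  }
  return [...hosts].sort();
}

// Hosts that are not the site's own domain (or a subdomain of it).
function thirdPartyScriptHosts(html, ownDomains) {
  return scriptHosts(html).filter(
    (h) => !ownDomains.some((d) => h === d || h.endsWith('.' + d)));
}

console.log(thirdPartyScriptHosts(SAMPLE_PAGE, ['example-news.test']));
```

Each host in the output is a party whose compromise can change what the page does, so the list is the starting point for deciding which third-party scripts a template should keep.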
jamescun almost 11 years ago
It seems that Reuters has rectified the problem now. Previously it was redirecting to a page hosted by the Syrian Electronic Army.

Also a reminder to not link directly to hacked pages but to perhaps a screenshot and put the real link in the comments, as we don't know if there could be malicious javascript et al injected into the page.
lesingerouge almost 11 years ago
Anybody have any idea about how they did it? Sorry for the noob question but I can't really figure out how they did it, since the original page loads fine and only after this there's some kind of redirect.

And as I can see it only affects certain pages so maybe there's a compromised component that's loaded on those pages?
fchollet almost 11 years ago
I am seeing the expected Reuters article. Mind explaining what is supposed to happen when loading this page?
anupshinde almost 11 years ago
Just curious: What is this hacking technique called? Seems to be some kind of JS injected redirection.
FredericJ almost 11 years ago
I wrote a post about what happened: https://medium.com/@FredericJacobs/the-reuters-compromise-by-the-syrian-electronic-army-6bf570e1a85b
buster almost 11 years ago
What is supposed to happen? Seems to be some article...
thomasfromcdnjs almost 11 years ago
It's fixed now. It was linking to http://sea.sy/indexs/