Staff at Rupert Murdoch’s British newspapers have been told to tighten security and change their passwords, Reuters reports, after the website of The Sun was hacked late on Monday night.
Hacking group LulzSec announced its breach of the Sun’s website on Twitter, after placing redirect code on the main page which pushed visitors to a fake story about Rupert Murdoch’s death.
An old News International (NI) site called new-times.co.uk/sun was used for the attack. It had been set up while the Times paywall was built. LulzSec gained access to that site and, through it, to NI’s Content Management System (CMS).
The CMS access was then used to change the content of the Sun homepage, inserting a redirect pointing readers to the fake story initially, and then to LulzSec’s Twitter account. The website has since been returned to normal.
One member of the hacking group, Sabu, announced that emails had been taken during the hack, saying that they would be released on Tuesday. A few details which appeared to relate to NI employees were posted on Twitter by LulzSec. News International declined to comment on security issues, merely acknowledging the hack.
"We are aware of the hacking attempt on the sun.co.uk last night and our sites are now back up. We do not have any further comment to add at this time," a spokesperson said.
Sophos security analyst Graham Cluley said that the hack demonstrated the ease with which trusted websites can be compromised.
“What we saw overnight with the Sun, we all have to be grateful that the hackers that did that didn’t plant anything malicious, because that would have been very simple for them to do,” Cluley said. “They just embedded a little bit of code which then did the redirect.”
Cluley told Information Age that malware is increasingly being distributed through advertising networks, not just through direct manipulation of websites. “You may not have to hack into a specific website. Media outlets carry advertising from legitimate advertising streams, and what hackers have done is plant malicious code in those streams. The website becomes the vector by which the malware gets to the [web user]. It poisons the advertising stream,” Cluley said.