You Can Hack This Headline for $200

Computer security researchers have recently noticed a disturbing trend in the dark corners of the web: Hackers are increasingly advertising access to the websites of media organizations, offering to sell stolen credentials that would allow the buyer to edit and post articles or plant malware on their websites.

Gaining access to the content management systems of media organizations would potentially give hackers the ability to turn newspapers, wire services, and magazines into unwitting participants in disinformation operations.

“For anyone with a strategic will or the strategic motivation to do that, it is a piece of cake,” said Omer Carmi, a former intelligence analyst for the Israeli armed forces who is now the director of intelligence for Sixgill, a cybersecurity firm. “I only need to have credentials for this forum, $200 dollars in bitcoin, and I can just go in and publish whatever what I want as an article.”

Carmi and his company’s researchers have discovered several offers in recent months for access to news outlets’ sites. One offer was for access to 1,400 U.S. magazines; another was for access to a major news wire, with most of its audience in Southeast Asia.

There is no way to verify that the posts discovered by Carmi are legitimate. And there is little evidence so far that these credentials are being used to publish false or misleading information.

But other cybersecurity firms have discovered similar offers in recent months, and sellers on closed criminal forums trade on their reputation for providing bona fide material. Those closed forums on the dark web act as a giant flea market that hackers use to fence stolen wares, such as bank logins, credit card numbers, or more exotic goods.

One appeal of news sites is that high-traffic pages would offer hackers a way to spread malicious code—such as a cryptocurrency mining script—to many machines. Theoretically, hackers could make a mint if they took over enough computers, but with cryptocurrency prices falling, that’s unlikely, said Andrei Barysevich, the director of advanced collection at the cybersecurity firm Recorded Future. “You really have to infect millions of people to make money,” he said.

With slim pickings in cryptomining, hackers are marketing access to media outlets as a way to spread disinformation.

In early 2018, Barysevich and his colleagues approached a hacker on an online forum who claimed to be selling access to a major news outlet’s content management system. The hacker was asking around $15,000 for the vulnerability, which would allow broad system access, and the price struck Barysevich as high.

In a chat, Recorded Future researchers asked the hacker what the material could be used for. “Well, you could plant fake articles,” the unidentified hacker wrote back.

But researchers point out that major fake articles would likely be quickly disproved, undermining their value.

A subtler way to exploit access to media sites would be to introduce minor changes to an article, said Herb Lin, a cybersecurity scholar at Stanford University.

“I can use this to spread disinformation that at the very least puts the company on the defensive,” Lin said. “You said this, and then you said that. It’s a way of discrediting the media company.”

Media outlets have been frequently targeted by malicious hackers. Last December, supporters of the YouTube personality PewDiePie hacked the Wall Street Journal to post a message encouraging readers to subscribe to his channel.

Hacking news outlets has also been used for straightforward intelligence gathering. Beginning in 2008, Chinese operatives targeted major U.S. news outlets, including the New York Times and the Washington Post, in an apparent effort to monitor coverage of China issues.

Hackers with access to media outlets have opened the door to creative ways to make money. In 2013, a group known as the Syrian Electronic Army hacked The Associated Press’s Twitter account and used it to falsely claim that there had been explosions at the White House. The claim sent the stock market tumbling, and anyone who knew the attack was coming could have shorted the market and pocketed a handy profit.

A similar operation could likely be executed with the credentials being sold online today. “Momentary disruptions—if you can predict them—can make you a fair amount of money,” Lin pointed out. Spectacular but fake stories could momentarily rattle markets and open up opportunities.

“It would take 10 or 15 minutes for that stuff to be repudiated,” Lin said. “And I can sell short on that.”