After writing my report last night of the Syrian Electronic Army’s hack of The Telegraph’s Facebook and Twitter accounts, I received a message on Twitter.
— SyrianElectronicArmy (@OfficialSEA) May 21, 2013
In follow-up I received an email, claiming to come from SEA member “th3pr0”.
According to “th3pr0”, my report on the hack was “biased”:
Blessings of Assad be upon you and your family.
We find the phrase “What’s clear is that someone at The Telegraph was a little careless about their computer security” is biased. It is not the fault of the Telegraph staff; our attack technique was extremely advanced and could only be detected by checking content of URL bar. None are prepared for this method of attack, which bypass antivirus. Is 0-day html code.
My speculation in yesterday’s write-up was that the SEA had used its normal modus operandi – namely to send phishing emails to newspaper staff, hope that one of them fell for the bait and entered their login credentials, and then steal further information by posing as the phished worker.
I asked “th3pr0” for more details on the zero-day exploit. After all, that sounds serious.
His reply indicated that there is no zero-day exploit. Or, at least, the SEA are not taking advantage of any security problems of which we are not already well aware.
We used view source to take account login page html source code and added this content to free webhost page. once email accounts compromised with php logger, password reset performed. We call technique ‘lateral phishing’. Once accounts compromised, we use trusted phished user to send emails to contacts in infidel organisation.
We have much experience phishing!
is called 0-day because no patch for bad education, yes? haha.
Apologies for not so good English; please quote direct with little edit though.
Fair enough. I’m prepared to accept that something may have been lost in translation. After all, my Arabic is hardly worth writing home about.
So, in a nutshell, there is nothing very sophisticated going on here. The Syrian Electronic Army duplicate a login page by grabbing its HTML source code, and shove it up somewhere free on the net. Victims are duped into visiting the link and entering their details.
Once the SEA has the username and password, it resets the password to lock out the legitimate owner and sends messages from the compromised account to others inside the organisation. Human nature being what it is, many people will blindly accept an email appearing to come from one of their colleagues as trustworthy and in this way more information can be stolen.
This afternoon, The Telegraph confirmed that this was how their systems were compromised by the SEA.
Screenshots released by The Telegraph revealed that the initial attack involved a series of emails being sent to newspaper staff, claiming to come from other media organisations.
Clicking on the links would take employees to a page which asked them to enter both their Telegraph user account and password details.
In a sneaky subsequent trick, the hackers later sent out another email alerting users that The Telegraph had been hacked, and to immediately change their passwords.
You guessed it. Again, that message was also an attempt to steal usernames and passwords.
According to the newspaper, any accounts which may have been compromised have now been suspended.
Although some may find the idea of hacks like this amusing, it’s no laughing matter. Media organisations would be wise to follow the advice distibuted by Twitter recently, warning about the high profile attacks and giving guidance on how to reduce the chances of becoming the next victim.
Did I get duped?
Interestingly, shortly after posting this article I was contacted by Twitter user @Th3Pro_SEA, who claims to be “Th3Pr0”.
@Th3Pro_SEA told me that the @OfficialSEA account which had contacted me, and the Hushmail address that had been used, were bogus. He said he had never been in contact with me.
Are you following this? Sigh… who to believe?
It’s certainly the case that @OfficialSEA has not been running for as long as the SEA’s current apparent “official” outlet: @Official_SEA12. So perhaps whoever contacted me was just trolling for attention.
As I pointed out to @Th3Pro_SEA, “maybe it’s time the SEA got a verified account from Twitter?”
Hmm.. on second thoughts, maybe Twitter won’t be rushing to offer that service to the SEA…
Ha! Check out what the SEA just tweeted..