For a short period of time this weekend, visitors to the UK versions of the PayPal and eBay websites may have seen something out of the ordinary.
Not the normal welcoming message of a world-famous online institution, but an offensive message intermingled with a binary depiction of the Syrian flag instead:
Hacked by Syrian Electronic Army!
Long live Syria!
Fuck the United States Government
Regular readers will not be surprised at all to hear that the notorious Syrian Electronic Army (SEA) claimed responsibility for the defacement.
However, as with other hacks conducted by the group, there is no suggestion that customers’ information was exposed – or even that any servers belonging to PayPal, or its owners eBay, were compromised.
Instead, it sounds more likely that the pro-Assad hacking gang managed to redirect visitors to the sites to a third-party website under their control, perhaps by hijacking eBay and PayPal’s .co.uk DNS entries.
Anuj Nayar, PayPal’s senior director of global initiatives, got in touch with me and offered the following statement:
We were not hacked.
For under 60 minutes, a very small subset of people visiting a few marketing web pages of PayPal France, UK and India websites were being redirected. There was no access to any consumer data whatsoever and no accounts were ever in any danger of being compromised. The situation was swiftly resolved and PayPal’s service was not affected. We take the security and privacy of our customers very seriously and are conducting a forensic investigation into this situation.
The SEA posted messages and images on Twitter, claiming responsibility for the hack:
For denying Syrian citizens the ability to purchase online products, PayPal was hacked by SEA
If your PayPal account is down for a few minutes, think about Syrians who were denied online payments for more than 3 years. #SEA
Of course, anyone who visited the websites during this episode should breathe a sigh of relief that the apparent hijacking was not done by someone more malicious with the intention of spreading, say, a drive-by malware download.
The Syrian Electronic Army’s Twitter account has since been suspended, but no doubt they will be back with a new one soon…
Update: Twitter user Ashar Javed shared with me an image of the certificate error displayed when users attempt to reach paypal.co.uk.
So anyone converted that binary back into ASCII yet?
I notice in a lot of other reporting, such as on ZDNet, there is a tweeted screenshot from an internal email discussing the hack.
Has this been shown to be a fake or is it just being ignored by the PR department?