A message from the Syrian Electronic Army?

After writing my report last night of the Syrian Electronic Army's hack of The Telegraph's Facebook and Twitter accounts, I received a message on Twitter.

As a follow-up, I received an email claiming to come from SEA member "th3pr0".

Email from the SEA

According to "th3pr0", my report on the hack was "biased":

Blessings of Assad be upon you and your family.

We find the phrase "What’s clear is that someone at The Telegraph was a little careless about their computer security" is biased. It is not the fault of the Telegraph staff; our attack technique was extremely advanced and could only be detected by checking content of URL bar. None are prepared for this method of attack, which bypass antivirus. Is 0-day html code.
regards,
th3pr0

My speculation in yesterday's write-up was that the SEA had used its normal modus operandi - namely to send phishing emails to newspaper staff, hope that one of them fell for the bait and entered their login credentials, and then steal further information by posing as the phished worker.

That's not what I would call an "extremely advanced" attack technique, even if it has apparently successfully duped the likes of the BBC, Guardian, FT, and.. well, the list goes on..

I asked "th3pr0" for more details on the zero-day exploit. After all, that sounds serious.

His reply indicated that there is no zero-day exploit. Or, at least, the SEA are not taking advantage of any security problems of which we are not already well aware.

We used view source to take account login page html source code and added this content to free webhost page. once email accounts compromised with php logger, password reset performed. We call technique 'lateral phishing'. Once accounts compromised, we use trusted phished user to send emails to contacts in infidel organisation.

We have much experience phishing!
is called 0-day because no patch for bad education, yes? haha.
Apologies for not so good English; please quote direct with little edit though.
th3pr0

Fair enough. I'm prepared to accept that something may have been lost in translation. After all, my Arabic is hardly worth writing home about.

So, in a nutshell, there is nothing very sophisticated going on here. The Syrian Electronic Army duplicate a login page by grabbing its HTML source code, and shove it up somewhere free on the net. Victims are duped into visiting the link and entering their details.

Once the SEA has the username and password, it resets the password to lock out the legitimate owner and sends messages from the compromised account to others inside the organisation. Human nature being what it is, many people will blindly accept an email appearing to come from one of their colleagues as trustworthy and in this way more information can be stolen.

This afternoon, The Telegraph confirmed that this was how their systems were compromised by the SEA.

Screenshots released by The Telegraph revealed that the initial attack involved a series of emails being sent to newspaper staff, claiming to come from other media organisations.

Phishing email sent to Telegraph journalists

Clicking on the links would take employees to a page which asked them to enter both their Telegraph user account and password details.

In a sneaky subsequent trick, the hackers later sent out another email alerting users that The Telegraph had been hacked, and to immediately change their passwords.

Further phishing

You guessed it. Again, that message was also an attempt to steal usernames and passwords.
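The attack as described has two tells a practitioner can check for without any exploit knowledge: the host shown in the URL bar (as the email itself concedes), and where a cloned login form actually posts. Copying a login page's HTML preserves its appearance, so the form markup looks genuine, but the action is repointed at the attacker's logger on the free host. The following is an added example, not code from the original article nor anything the SEA or The Telegraph published; the allowed login host, the page contents and the URLs are constructed stand-ins, since the article does not name the real login host or the phishing domain.

```python
import urllib.parse
from html.parser import HTMLParser

# Hosts a genuine login form for this organisation may live on and post to.
# Hypothetical value: the article never names the Telegraph's real login host.
EXPECTED_LOGIN_HOSTS = {"login.example-newspaper.com"}


class _FormCollector(HTMLParser):
    """Collect every <form> with its action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urllib.parse.urlsplit(url).hostname or "").lower()


def audit_link(url, expected_hosts=EXPECTED_LOGIN_HOSTS):
    """Flag a link that claims to be a login or password-reset page but lives elsewhere."""
    host = host_of(url)
    if host in expected_hosts:
        return None
    return f"link points at {host!r}, not an expected login host"


def audit_login_page(page_url, html, expected_hosts=EXPECTED_LOGIN_HOSTS):
    """Return findings for a page whose password form posts somewhere unexpected.

    A cloned page keeps the real markup, so its appearance is no clue; the
    giveaways are the host in the URL bar and where the form action resolves.
    """
    findings = []
    page_host = host_of(page_url)
    if page_host not in expected_hosts:
        findings.append(f"page served from {page_host!r}")
    parser = _FormCollector()
    parser.feed(html)
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # A relative action such as 'logger.php' resolves against the page URL.
        target = urllib.parse.urljoin(page_url, form["action"])
        target_host = host_of(target)
        if target_host not in expected_hosts:
            findings.append(f"password form posts to {target_host!r}")
    return findings


# Constructed samples, not real Telegraph or SEA artefacts.
CLONED_URL = "http://free-webhost.example/telegraph/login.html"
CLONED_HTML = """<html><body><h1>Sign in</h1>
<form method="post" action="logger.php">
<input name="user"><input type="password" name="pass"><input type="submit"></form>
</body></html>"""

GENUINE_URL = "https://login.example-newspaper.com/login"
GENUINE_HTML = """<html><body><h1>Sign in</h1>
<form method="post" action="/auth">
<input name="user"><input type="password" name="pass"><input type="submit"></form>
</body></html>"""

# The "you've been hacked, change your password now" follow-up lure.
RESET_LURE_URL = "http://free-webhost.example/telegraph/reset.html"

if __name__ == "__main__":
    for label, url, html in (("cloned", CLONED_URL, CLONED_HTML),
                             ("genuine", GENUINE_URL, GENUINE_HTML)):
        print(label, audit_login_page(url, html) or "no findings")
    print("reset lure:", audit_link(RESET_LURE_URL))
```

The check is deliberately host-based rather than content-based: a cloned page is byte-for-byte similar to the genuine one, so comparing HTML would pass it, while the host the form posts to is the one thing the attacker cannot fake without controlling the real domain. The same `audit_link` check applied to the follow-up "change your password" email would have flagged it for the same reason.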

According to the newspaper, any accounts which may have been compromised have now been suspended.

Although some may find the idea of hacks like this amusing, it's no laughing matter. Media organisations would be wise to follow the advice distributed by Twitter recently, warning about the high-profile attacks and giving guidance on how to reduce the chances of becoming the next victim.

Did I get duped?
Interestingly, shortly after posting this article I was contacted by Twitter user @Th3Pro_SEA, who claims to be "Th3Pr0".

@Th3Pro_SEA told me that the @OfficialSEA account which had contacted me, and the Hushmail address that had been used, were bogus. He said he had never been in contact with me.

Are you following this? Sigh... who to believe?

It's certainly the case that @OfficialSEA has not been running for as long as the SEA's current apparent "official" outlet: @Official_SEA12. So perhaps whoever contacted me was just trolling for attention.

As I pointed out to @Th3Pro_SEA, "maybe it's time the SEA got a verified account from Twitter?"

Smirk.

Hmm... on second thoughts, maybe Twitter won't be rushing to offer that service to the SEA...

Ha! Check out what the SEA just tweeted...


2 Responses

  1. Arnold Shwarzenburger

    May 21, 2013 at 11:03 pm

    It seems that you just got trolled by a fake SEA account on Twitter, my friend. Look for yourself: https://twitter.com/Official_SEA12/status/336951645067964416

    • Graham Cluley in reply to Arnold Shwarzenburger

      May 21, 2013 at 11:06 pm

      Look at my article – I embedded that tweet at the end. :)

      (In fact, it was me who suggested to @Official_SEA12 that they might want to advise folks about the bogus account)

      But hey, I’m putting my hands up to my mistake. :)
