A message from the Syrian Electronic Army?

Graham Cluley

After writing my report last night of the Syrian Electronic Army’s hack of The Telegraph’s Facebook and Twitter accounts, I received a message on Twitter.

In follow-up I received an email, claiming to come from SEA member “th3pr0”.

Email from the SEA

According to “th3pr0”, my report on the hack was “biased”:

Blessings of Assad be upon you and your family.

We find the phrase “What’s clear is that someone at The Telegraph was a little careless about their computer security” is biased. It is not the fault of the Telegraph staff; our attack technique was extremely advanced and could only be detected by checking content of URL bar. None are prepared for this method of attack, which bypass antivirus. Is 0-day html code.
regards,
th3pr0

My speculation in yesterday’s write-up was that the SEA had used its normal modus operandi – namely to send phishing emails to newspaper staff, hope that one of them fell for the bait and entered their login credentials, and then steal further information by posing as the phished worker.

That’s not what I would call an “extremely advanced” attack technique, even if it has apparently successfully duped the likes of the BBC, Guardian, FT, and.. well, the list goes on..

I asked “th3pr0” for more details on the zero-day exploit. After all, that sounds serious.

His reply indicated that there is no zero-day exploit. Or, at least, the SEA are not taking advantage of any security problems of which we are not already well aware.

We used view source to take account login page html source code and added this content to free webhost page. once email accounts compromised with php logger, password reset performed. We call technique ‘lateral phishing’. Once accounts compromised, we use trusted phished user to send emails to contacts in infidel organisation.

We have much experience phishing!
is called 0-day because no patch for bad education, yes? haha.
Apologies for not so good English; please quote direct with little edit though.
th3pr0

Fair enough. I’m prepared to accept that something may have been lost in translation. After all, my Arabic is hardly worth writing home about.

So, in a nutshell, there is nothing very sophisticated going on here. The Syrian Electronic Army duplicate a login page by grabbing its HTML source code, and shove it up somewhere free on the net. Victims are duped into visiting the link and entering their details.

Once the SEA has the username and password, it resets the password to lock out the legitimate owner and sends messages from the compromised account to others inside the organisation. Human nature being what it is, many people will blindly accept an email appearing to come from one of their colleagues as trustworthy and in this way more information can be stolen.
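The two-stage technique described above (a cloned login page parked on a free web host, then follow-up lures sent from already-phished accounts) is mostly caught by one check the defender can automate: does the link in the email actually point where it appears to? The following added example is not from the original post and is not the SEA's or The Telegraph's code; it is a small Python scanner that pulls links out of constructed sample email bodies and flags hosts that are not on the organisation's own login allow-list, that sit on a free web-hosting domain, or where the visible link text shows one host while the href goes to another. The allow-list, the free-host suffixes and the sample messages are all assumptions made up for the example.

```python
import re
from html import unescape
from urllib.parse import urlparse

# Assumption: the hosts where this (fictional) newsroom legitimately logs in.
TRUSTED_LOGIN_HOSTS = {"login.example-news.test", "mail.example-news.test"}

# Assumption: free web-hosting domains where a cloned login page might be parked.
FREE_HOST_SUFFIXES = (".freehost.test", ".webhost.test")

# URL path words that suggest a credential-entry page.
CREDENTIAL_WORDS = ("login", "signin", "password", "account")

ANCHOR_RE = re.compile(
    r'<a\s+[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL
)
BARE_URL_RE = re.compile(r'https?://[^\s<>"\']+')
DOMAIN_RE = re.compile(r"\b[\w.-]+\.[a-z]{2,}\b", re.IGNORECASE)


def host_of(url):
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def extract_links(html):
    """Return (href, visible_text) pairs: anchor tags first, then bare URLs outside anchors."""
    links = []
    for href, text in ANCHOR_RE.findall(html):
        visible = re.sub(r"<[^>]+>", "", unescape(text)).strip()
        links.append((unescape(href), visible))
    # Strip anchors so their hrefs are not counted a second time as bare URLs.
    for url in BARE_URL_RE.findall(ANCHOR_RE.sub("", html)):
        links.append((url, url))
    return links


def assess_link(href, text):
    """List the reasons a link looks like credential phishing (empty list = nothing flagged)."""
    reasons = []
    href_host = host_of(href)
    if not href_host:
        return reasons
    # The text shows a host (e.g. the real login URL) but the href goes somewhere else.
    shown = BARE_URL_RE.search(text) or DOMAIN_RE.search(text)
    if shown:
        text_host = host_of(shown.group(0))
        if text_host and text_host != href_host:
            reasons.append(f"link text shows {text_host} but href points to {href_host}")
    # Cloned pages are typically dumped on free hosting.
    if href_host.endswith(FREE_HOST_SUFFIXES):
        reasons.append(f"hosted on free web host {href_host}")
    # A login/password/account-style path on a host we do not log in to.
    if any(w in href.lower() for w in CREDENTIAL_WORDS) and href_host not in TRUSTED_LOGIN_HOSTS:
        reasons.append(f"credential-style URL on untrusted host {href_host}")
    return reasons


def scan_email(body):
    """Return one finding per suspicious link in an email body."""
    findings = []
    for href, text in extract_links(body):
        reasons = assess_link(href, text)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample messages modelled on the two stages described in the article.
SAMPLE_EMAILS = [
    # Stage 1: lure from a "fellow media organisation", text shows the real host, href does not.
    '<p>Please see the story draft:</p>'
    '<a href="http://cloned-login.webhost.test/telegraph/login.php">'
    'http://login.example-news.test/</a>',
    # Stage 2: "you have been hacked, change your password now", sent from a phished colleague.
    '<p>IT notice: the site was hacked.</p>'
    '<a href="http://reset-password.freehost.test/account">Change your password</a>',
    # Legitimate reset link on the real login host.
    '<a href="https://login.example-news.test/reset">Reset</a>',
]

if __name__ == "__main__":
    for i, body in enumerate(SAMPLE_EMAILS, 1):
        for f in scan_email(body):
            print(f"email {i}: {f['href']}")
            for r in f["reasons"]:
                print(f"    - {r}")
```

The mismatch between visible text and href is the same signal the email's author conceded was the only giveaway ("checking content of URL bar"); running this kind of check at the mail gateway moves that check off the individual journalist. Allow-lists here are deliberately small; in practice they would be fed from the organisation's real SSO and webmail hosts.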

This afternoon, The Telegraph confirmed that this was how their systems were compromised by the SEA.

Screenshots released by The Telegraph revealed that the initial attack involved a series of emails being sent to newspaper staff, claiming to come from other media organisations.

Phishing email sent to Telegraph journalists

Clicking on the links would take employees to a page which asked them to enter both their Telegraph user account and password details.

In a sneaky subsequent trick, the hackers later sent out another email alerting users that The Telegraph had been hacked, and to immediately change their passwords.

Further phishing

You guessed it. Again, that message was also an attempt to steal usernames and passwords.

According to the newspaper, any accounts which may have been compromised have now been suspended.

Although some may find the idea of hacks like this amusing, it’s no laughing matter. Media organisations would be wise to follow the advice distributed by Twitter recently, warning about the high profile attacks and giving guidance on how to reduce the chances of becoming the next victim.


Did I get duped?

Interestingly, shortly after posting this article I was contacted by Twitter user @Th3Pro_SEA, who claims to be “Th3Pr0”.

@Th3Pro_SEA told me that the @OfficialSEA account which had contacted me, and the Hushmail address that had been used, were bogus. He said he had never been in contact with me.

Are you following this? Sigh… who to believe?

It’s certainly the case that @OfficialSEA has not been running for as long as the SEA’s current apparent “official” outlet: @Official_SEA12. So perhaps whoever contacted me was just trolling for attention.

As I pointed out to @Th3Pro_SEA, “maybe it’s time the SEA got a verified account from Twitter?”

Smirk.

Hmm.. on second thoughts, maybe Twitter won’t be rushing to offer that service to the SEA…

Ha! Check out what the SEA just tweeted..


Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 Replies to “A message from the Syrian Electronic Army?”

  1. It seems that you just got trolled by a fake SEA account on Twitter my friend. Look by yourself https://twitter.com/Official_SEA12/status/336951645067964416

    1. Look at my article – I embedded that tweet at the end. :)

      (In fact, it was me who suggested to @Official_SEA12 that they might want to advise folks about the bogus account)

      But hey, I’m putting my hands up to my mistake. :)
