07
Apr 15

FBI Warns of Fake Govt Sites, ISIS Defacements

The Federal Bureau of Investigation (FBI) is warning that individuals sympathetic to the Islamic State of Iraq and al-Shams (ISIS) are mass-defacing Websites using known vulnerabilities in WordPress. The FBI also issued an alert advising that criminals are hosting fraudulent government Web sites in a bid to collect personal and financial information from unwitting Web searchers.

According to the FBI, ISIS sympathizers are targeting WordPress Web sites and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international sites. The agency said the attackers are mainly exploiting known flaws in WordPress plug-ins for which security updates are already available.

The public service announcement (PSA) coincides with a less public alert that the FBI released to members of InfraGard, a partnership between the FBI and private industry. That alert noted that several extremist hacking groups indicated they would participate in an operation dubbed #OpIsrael, which will target Israeli and Jewish Web sites to coincide with Holocaust Remembrance Day (Apr. 15-16).

“The FBI assesses members of at least two extremist hacking groups are currently recruiting participants for the second anniversary of the operation, which started on 7 April 2013, and coincides with Holocaust Remembrance Day,” the InfraGard alert notes. “These groups, typically located in the Middle East and North Africa, routinely conduct pro-extremist, anti-Israeli, and anti-Western cyber operations.”

Experts say there may be no actual relationship between these defacements and Islamist militants. In any case, if you run a Web site powered by WordPress — or any other content management system (CMS) — please take a few moments today to ensure that the CMS itself is up-to-date with the latest patches, and apply all available fixes for any installed plug-ins.

The FBI also issued an unrelated PSA advising people to be wary of fake government Web sites that use search engine optimization (SEO) techniques to get themselves listed prominently in search results when people look for government services online. The FBI explains the scam thusly:

“Victims use a search engine to search for government services such as obtaining an Employer Identification Number (EIN) or replacement social security card. The fraudulent criminal websites are the first to appear in search results, prompting the victims to click on the fraudulent government services website. The victim completes the required fraudulently posted forms for the government service they need. The victim submits the form online, believing they are providing their PII to government agencies such as the Internal Revenue Service, Social Security Administration, or similar agency based on the service they need.”

“Once the forms are completed and submitted, the fraudulent website usually requires a fee to complete the service requested. The fees typically range from $29 to $199 based on the government service requested. Once the fees are paid the victim is notified they need to send their birth certificate, driver’s license, employee badge, or other personal items to a specified address. The victim is then told to wait a few days to several weeks for processing.”

“By the time the victim realizes it is a scam, they may have had extra charges billed to their credit/debit card, had a third-party designee added to their EIN card, and never received the service(s) or documents requested. Additionally, all of their PII data has been compromised by the criminals running the websites and can be used for any number of illicit purposes. The potential harm gets worse for those who send their birth certificate or other government-issued identification to the perpetrator.”

The FBI advises consumers to use search engines or other Web sites to research the advertised services or the person/company they plan to deal with. Search the Internet for any negative feedback or reviews on the government services company, its Web site, e-mail addresses, telephone numbers, or other searchable identifiers. Fly-by-night scam Web sites often have little or no reputation — i.e., they haven’t been online that long. A simple WHOIS Web site registration record search will often reveal scam domains as just recently having been put online.
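A check for that last piece of advice, added here as an example rather than anything from the post: it parses the text a WHOIS lookup returns, pulls out the creation date and flags domains younger than a threshold, treating a record with no creation date as "unknown" rather than as a pass. The sample records and the domain names in them are constructed, and the set of field names the regex accepts is an assumption about common registrar output.

```python
import re
from datetime import datetime, timezone

# Field names that carry the registration date in common WHOIS output formats (assumed).
_CREATED = re.compile(
    r"^\s*(?:Creation Date|Created(?: On)?|Registered On|Registration Date)\s*:\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)
POST_DATE = datetime(2015, 4, 7, tzinfo=timezone.utc)  # date of this post, used as "today"


def creation_date(whois_text: str):
    """Return the registration date as a UTC datetime, or None if the record has none."""
    m = _CREATED.search(whois_text)
    if not m:
        return None
    raw = m.group(1).rstrip("Z")
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d"):
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None


def assess_domain(whois_text: str, now: datetime = POST_DATE, min_age_days: int = 90) -> dict:
    """'recent' if registered less than min_age_days ago, 'established' otherwise,
    'unknown' when the record has no creation date at all (a lookup of a .gov name
    can come back like that). 'unknown' is not a pass: verify the site another way."""
    created = creation_date(whois_text)
    if created is None:
        return {"verdict": "unknown", "age_days": None}
    age = (now - created).days
    return {"verdict": "recent" if age < min_age_days else "established", "age_days": age}


# Constructed sample records, not real lookups.
SCAM_LIKE = """Domain Name: EXAMPLE-EIN-FORMS.COM
Registrar: Example Registrar, Inc.
Creation Date: 2015-03-29T14:02:11Z
Updated Date: 2015-03-29T14:02:11Z
"""
ESTABLISHED = """Domain Name: EXAMPLE.COM
Registered On: 1995-08-14
"""
NO_RECORD = 'No match for "EXAMPLE.GOV".\n'

if __name__ == "__main__":
    for rec in (SCAM_LIKE, ESTABLISHED, NO_RECORD):
        print(assess_domain(rec))
```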


28 comments

  1. When is the US going to catch up with the times and squash these scams as soon as they appear? There are billions of dollars being stolen every year and the govt. sits on their hands.

    • We are not sitting on our hands, we are sitting on both of our thumbs. Get it right, Seth.

      Thank you, this will now conclude our public announcement.

    • Were you thinking that the government should just virtually slip in and magically remove all compromised sites?
      Not sure what you have in mind…

  2. What “known vulnerabilities” do you have in mind, Brian? I’m hoping something in the older versions of WordPress, not in the latest / greatest one?

    Cheers.

    Andrzej

    • Most of these skids are exploiting the recent revslider exploit

    • There are two issues with WordPress. First is that it’s by far the dominant CMS platform, so it’s got the most scrutiny from bad guys. Second, because a WordPress site has write access to its own executable files (in the name of upgrade convenience), it’s a juicy target for hackers. If a hacker can manage to gain privileged access to a WordPress site (via a plug-in vulnerability, for instance), they can upload malicious replacement files for core site functionality (inserting backdoors, etc.).

      More secure CMS systems will be configured so that all executable files and directories are read-only to the web site itself (only content folders are writable). In order to perform an upgrade, you’d need to load the updated CMS files through some other method (secure FTP, for instance) and then perform a setup process in the site. This way, even if someone is able to compromise the site, at worst they’ll be able to deface content, but not create an insidious backdoor somewhere.

      A Cross-Site Scripting (XSS) vulnerability found today in yet another WP plug-in puts as many as a million WP sites at risk of defacement, so this may be one of the ways these particular hackers are doing their dirty work.

      http://arstechnica.com/security/2015/04/as-many-as-1-million-sites-imperiled-by-dangerous-bug-in-wordpress-plugin/

      • LessThanObvious

        It’s always an unacceptable risk to place what should be backend management capabilities in the front end of a public facing service. IP restrictions forcing admin functions to come from known IPs or VPN to a management network should be standard practice. Any service that can’t be restricted in a sound way better have 2FA and some serious vulnerability testing. Whatever the service, from webcams to websites, CMS or broadband routers, if anyone can get to the management functions freely, the odds of the service being compromised go up exponentially.
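The read-only layout described in the comment above (code and configuration readable only, content folders writable), written out as an added example that is not the commenter's code or anything shipped by WordPress. It assumes a hypothetical deployment where the files are owned by a deploy user and the web server runs only as a member of the files' group, and it changes modes only, so run it as that deploy user; plug-in and core updates then have to be copied in out-of-band, exactly as the comment describes.

```python
import os
import stat
import tempfile
# Only content directories stay writable to the web server; code never does.
WRITABLE_SUBDIRS = ("wp-content/uploads",)

def harden_tree(root: str) -> dict:
    """Set dirs 0755 / files 0644, wp-config.php 0640, and group-writable
    0775 / 0664 under WRITABLE_SUBDIRS. Assumes files are owned by a deploy
    user and the web server runs only as a member of the files' group."""
    root = os.path.abspath(root)
    writable = [os.path.join(root, d) for d in WRITABLE_SUBDIRS]
    counts = {"dirs": 0, "files": 0, "writable": 0}
    for dirpath, _, filenames in os.walk(root):
        open_dir = any(dirpath == w or dirpath.startswith(w + os.sep) for w in writable)
        os.chmod(dirpath, 0o775 if open_dir else 0o755)
        counts["dirs"] += 1
        for name in filenames:
            if open_dir:
                mode = 0o664
                counts["writable"] += 1
            elif dirpath == root and name == "wp-config.php":
                mode = 0o640  # holds database credentials: no world read
            else:
                mode = 0o644
            os.chmod(os.path.join(dirpath, name), mode)
            counts["files"] += 1
    return counts

def group_writable(path: str) -> bool:
    return bool(os.stat(path).st_mode & stat.S_IWGRP)

def demo() -> dict:
    """Harden a constructed stand-in WordPress tree in a temp dir and report results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "wp")
        for d in ("wp-admin", "wp-content/plugins", "wp-content/uploads/2015"):
            os.makedirs(os.path.join(root, d))
        for f in ("index.php", "wp-config.php", "wp-admin/admin.php",
                  "wp-content/plugins/slider.php", "wp-content/uploads/2015/a.jpg"):
            with open(os.path.join(root, f), "w") as fh:
                fh.write("x")
        counts = harden_tree(root)
        return {
            "counts": counts,
            "plugin_writable": group_writable(os.path.join(root, "wp-content/plugins/slider.php")),
            "upload_writable": group_writable(os.path.join(root, "wp-content/uploads/2015/a.jpg")),
            "config_mode": stat.S_IMODE(os.stat(os.path.join(root, "wp-config.php")).st_mode),
        }
```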

  3. There are a lot of agents roaming the Interwebs continually. Like Search Engine ingestors.

    Are any of these working to detect these sites?

  4. Donald J Trump

    I read that FBI alert this morning

  5. “….A simple WHOIS Web site registration record search will often reveal scam domains as just recently having been put online.”

    Well Brian, I did try the WHOIS site in your link:
    https://whois.domaintools.com/
    and entered (as a test only, of course):
    whitehouse.gov

    To my surprise,
    there is nothing in the WHOIS report
    that would give me any clue
    that it’s a fake site or not.
    Try it…

    I wish there would be a better 100% test
    to assure you are reaching a REAL gov site.

    Brian , anybody?

    • Robin Collins

      This entry is I think what Brian is alluding to:

      “Whois History 3,452 records have been archived since 2003-03-18 “

    • The .gov top level domain doesn’t have and is not required to have whois information.

  6. WordPress……hhhhmmmmm

    Just a mechanism to show that the website isn’t really owned by the group/company/person you think it is. It’s a web2.0 way of saying “it’s my site but I really don’t care too much about who or what has access to it.”

  7. Web-Of-Trust (WOT), helps weed most disreputable sites out. I almost never click on search results that are grey, or no reputation is known. Otherwise I use the other suggestions already covered in the article.

    • The fun thing about hacking is they can gain access to websites that were previously trusted, then exploit that trust to do whatever they want until the site gets untrusted.

      There’s always a window of opportunity, and if you get caught in that window it’s not a fun time.

  8. It’s unlikely that this is coming from Islamic State (“Daesh”) or anyone directly associated with them. It’s more likely to be a bunch of publicity-seeking script kiddies, possibly from North Africa but could be anywhere.

    “al-shams” is Arabic for “the sun” and so to say this is perpetrated in the name of the “Islamic State of Iraq and Al-Shams” is just nonsense.
    http://en.wikipedia.org/wiki/Al-Shams

    Even the FBI believe that “the perpetrators are not members of the ISIL terrorist organization. These individuals are hackers using relatively unsophisticated methods to exploit technical vulnerabilities and are utilizing the ISIL name to gain more notoriety than the underlying attack would have otherwise garnered.”
    http://www.ic3.gov/media/2015/150407-1.aspx

    “… full of sound and fury, signifying nothing”

    • I suspect “Al-Shams” is a typographical error made by Brian. The correct form is “Al-Sham” (Bilad Al-Sham) which used to be the area of the Middle East that primarily consisted of Syria, Lebanon and Palestine/Israel in the early Islamic Caliphates.
      http://en.wikipedia.org/wiki/Bilad_al-Sham

      • Good point, Zee. But no, this isn’t a typo by Brian. The “al-shams” mistake is repeated in all of the reports I’ve seen in various places, and it comes from the original ic3.gov release. I don’t know why the FBI chose to use that version of the name for Islamic State (now officially and dismissively referred to as ‘Daesh’ by the French government and by others in the Middle East) but if they’re going to use a mixed English and Arabic description in their release they ought at least to check that the Arabic part of it makes sense.

        And the consensus is that all this is just a bunch of amateurs out to have a bit of malicious fun. Defacing websites is going for the low-hanging fruit, and as long as that’s all they’re doing they count as irritants rather than threats.

  9. Every time I see these internet shenanigans I think about my 94 year old parents that never had a computer, had NO credit cards, paid cash for everything and watched only antenna TV for free.

    They lived this sort of life into 2010 and were happy unless they argued about the thermostat setting.

  10. Post says it is from April 15. Time machines confirmed?

    • That’s April 2015, the date is the large number above the month.

    • It is April 2015. See the “7” above the APR 15?

      • I know it took me some time to train my brain to read that right, it kept insisting on trying to apply the year as the date, and that large number floating above the rest of the date made no sense in its orderly little world. Even now, years later, it STILL has to pause to recalibrate over the date. I’m just surprised this isn’t mentioned more often!

  11. Do you have any advice on hardening the security on your WordPress site to make it less vulnerable to these types of attacks?

  12. LessThanObvious

    FBI is supposedly saying they don’t believe the source to be (ISIS).

    “Original release date: April 07, 2015
    The Internet Crime Complaint Center (IC3) has issued an alert addressing recently perpetrated Web site defacements. The defacements advertise themselves as associated with the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS). However, FBI assesses that the perpetrators are not actually associated with this group. The perpetrators exploit WordPress content management system (CMS) vulnerabilities, leading to disruptive and costly effects.”

  13. Just curious, how would the faulty sites rank so highly? I’m missing that piece. Is it that the government sites aren’t creating or receiving enough authority? Or what?

    • Javascript, excessive hype, browser redirection, router hijacking, DNS hijacking, little if any ability to filter things out, so much dependence on outside software that does little good in the first place because people refuse to learn anything about these machines, a general attitude by the masses that Apple is safe and will take care of you, that if you’re on an iPad you have nothing to worry about.

      It really has nothing to do with ISIS so much. It’s more to do with the cloud, smart phones, tablets, smart TVs, smart watches, smart homes, the removal of the I.T. department, and the gullible nature of mankind that gets taken advantage of. It’s about the idea that you simply must get this app, that app, every app….all based on nothing except maybe for looks. Any connection to ISIS really isn’t anything more than a group of bad guys with harmful intent finding new tools to do the same stuff within a world hell bent on buying and using technology while having no understanding of it.

  14. FYI, our Authentiguard technology allows a civilian to validate a website by utilizing their smartphone. This takes the “search” out of the equation and empowers the citizen to make a decision on the spot about interacting with the site.