Who Built the Syrian Electronic Army?

August 28, 2013

A hacking group calling itself the Syrian Electronic Army (SEA) has been getting an unusual amount of press lately, most recently after hijacking the Web sites of The New York Times and The Washington Post, among others. But surprisingly little light has been shed on the individuals behind these headline-grabbing attacks. Beginning today, I’ll be taking a closer look at this organization, starting with one of the group’s core architects.

Earlier this year I reported that — in apparent observation of international trade sanctions against Syria — Network Solutions LLC. and its parent firm Web.com had seized hundreds of domains belonging to various Syrian entities. Among the domains caught in that action were several sites belonging to the SEA.

At the time, the SEA had a majority of its sites hosted at Internet addresses belonging to the Syrian Computer Society, an organization considered to have been a precursor to the SEA and one that was previously headed by Syrian President Bashar al-Assad. Following the Web.com domain seizures, the SEA was forced to find new homes for their domains. Soon enough, the group moved its domains syrianelectronicarmy.com and sea.sy to a host in Russia (no doubt adding further chill to already frigid US-Russia relations vis-a-vis Syria).

Sometime during that transition period, the SEA’s main Web site got hacked. As in…completely owned. According to one confidential source, the attacker(s) gained access to the virtual servers that hosted the SEA’s site and downloaded the entire user database for sea.sy and syrianelectronicarmy.com. Shockingly (or perhaps less so for many security researchers who’ve dismissed the SEA as mostly a group of tenacious but relatively unskilled hackers), many of the top members re-used the passwords they picked for their sea.sy accounts at their Hotmail, MSN and Outlook email accounts.

A snippet from the hacked database from syrianelectronicarmy.com

A snippet from the hacked database from syrianelectronicarmy.com. In the third column are plain-text passwords.

In nearly any dump of a Web site user database, it’s generally safe to assume that the first few users listed are founders and administrators of the site. In the hacked sea.sy database, for example, we can see that the first two usernames in the table are “admin” and “admin2.” Admin2’s email address is listed as sy34@msn.com. The last entry in the database is April 19, 2013, just a few days after Web.com began seizing domain names in its stable with the “.sy” designation.

A Google search on that email address reveals its ties to the SEA, and shows that the account was in 2010 tied to a now-abandoned hackforums.net user named “SyRiAn_34G13” (leet-speak for “Syrian Eagle”). A reverse WHOIS search at domaintools.com on the sy34@msn.com address shows that it was used in Feb. 2011 to register a site called codepassion.net.

Codepassion.net is no longer active (perhaps because it was hacked and defaced in May 2012 by other script kiddies), but thanks to the Wayback Machine at the indispensable Internet Archive, we can see the site lists as its creator a 23-year-old “virtuoso web designer” named Mohammed from Damascus, Syria. Mohammed says he is a senior front end developer at a firm in Damascus called Flex Solutions. Mohammed reveals that his last name is “Osman” when he links to his Facebook and DeviantART accounts, as well as his Gmail address (osmancode@gmail.com). That same Gmail account is also used for another account in the sea.sy database: يوزر – which Google translates to “Yoezer”  “User” and used the password “963100”.

Continue reading

Who Wrote the Pincer Android Trojan?

August 27, 2013

Stories in this blog’s Breadcrumbs series have sought to comb through clues that point to the possible location and identities of malware authors and purveyors.  But from time to time those clues lead definitively back to an individual. In today’s post, we’ll talk with the author of  the Pincer Trojan for Android — a 32-year-old programmer at a mobile app development firm in Russia.

bwshadowIn April, Finnish security firm F-Secure  first warned about Trojan:Android/Pincer.A, which comes disguised as a security certificate and is designed to surreptitiously intercept and forward text messages. As F-Secure notes, previous malicious mobile apps pretending to be certificates have been mobile components of banking Trojans aimed at defeating two-factor authentication.

F-Secure researchers observed that Pincer used the IMEI of the victim’s phone as an identifier, and that the Trojan would call home to a control server and report the device’s phone and serial numbers, phone model, carrier and OS version. They also found that Pincer checks to see if it’s being run in a virtual environment, which is a common trick designed to frustrate malware analysis tools used by security researchers.

Interestingly, F-Secure noted that the code within the trojan includes a class called “USSDDumbExtendedNetworkService” — a component that was assigned a seemingly arbitrary variable that F-Secure researchers said was probably either associated with a French Canadian concrete company or the Twitter handle of a young Russian whose Google+ page lists employment as “Android developer”.

I followed up with F-Secure about this post, and learned that the redacted portion of that post — the variable included in that first variant of the Pincer Trojan — was “senneco.com” (Virustotal’s analysis lists it as “com.senneco”). A quick search on Google turns up Twitter and Google+ accounts by this name belonging to a Yuri Shmakov from Novosibirsk, Russia. Shmakov’s Google+ page says he is a developer at Arello-Mobile, a mobile app development firm also in Novosibirsk.

Text string "senneco" inside of the Pincer Android Trojan.

Text string “senneco” inside an early sample of he Pincer Android Trojan. Source: F-Secure.

A scan of Shmakov’s accounts turned up the email address senneco@gmail.com. I sent an email to that address, explaining F-Secure’s findings and asking whether the recipient had anything to do with the Pincer Trojan. To my surprise, Shmakov promptly replied that, why yes he had indeed created it as a freelance project.

Shmakov told me that, based on the client’s specifications, he suspected it might ultimately be put to nefarious uses. Even so, he completed the job and signed his work by including his nickname in the app’s code.

Continue reading

Advertisement

How Not to DDoS Your Former Employer

August 20, 2013

Pro tip: If you’re planning to launch a debilitating denial-of-service attack against your former employer, try not to “like” the Facebook page of the DDoS-for-hire Web service that you intend to use in the assault.

Tell that to Kevin Courtois, a 28-year-old from Three Rivers, Quebec who was arrested earlier this year for allegedly launching a volley of cyber attacks against his former company over a nine month period beginning in May 2012. Courtois did not respond to requests for comment.

Courtois’s former employer — Concepta Inc., an information security firm based in his hometown — was not the only one suffering from attacks. The assaults — which ranged in size from a few gigabits per second to up to 10 gbps — grew so large that they began significantly affecting Concepta’s Internet service provider  — another Three Rivers company called Xittel. Eventually, the attacks shifted to targeting Xittel directly.

Xittel later hired Robert Masse, a security consultant from Montreal who spoke about the details of this case in a talk at the Black Hat security conference in Las Vegas last month. Xittel and Concepta compared notes and told Masse they’d settled on Cortois as the likely culprit. One potential clue: Cortois had left Concepta to start his own company that specialized in DDoS protection services. 

Masse said when he began his investigation he noticed that Courtois had liked the Facebook page of demolitionstresser.com, a now defunct booter site that redirected him to….wait for it…ragebooter.net. For those of you who haven’t read my story on ragebooter.net and its proprietor Justin Poland, please check it out after reading this piece. In that story, Poland claimed to have been working for the FBI, and even to have backdoored his own service so that FBI agents could snoop on user activity.

Masse said he decided to contact Poland to see what he might be willing to disclose about any ragebooter.net customer who’d been using the service to launch attacks against Concepta and Xittel. Masse said he created an account at ragebooter.net, funded it with $200 via the site’s default payment method — Paypal — and then reached out to Poland via his support handle in Skype. Would Poland be willing to sell the logs of a particular customer? Say….anyone who happened to be currently using ragebooter to attack a certain Internet address block in Three Rivers, Quebec?

MasseyStrings According to Masse, Poland initially replied that, why yes, there was an attack going on that very moment against that IP address. “For sure, this morning,” Poland wrote in a Skype chat. “First attack November 25 (2012).” Masse said Poland then pasted the account information for a user named…wait for it…”concepta2.” Concepta2 had signed up with ragebooter using the email address traverse2000@hotmail.com, according to the Ragebooter.net users database that was leaked earlier this year. A historic reverse WHOIS record lookup at domaintools.com, that email address was used to register at least 36 different Web sites, most of them originally registered to a Kevin Courtois from Quebec.

Masse said Poland quickly thought better of posting his customers’ information in a Skype chat with a stranger, and deleted the message a few seconds after he’d pasted it. But Masse was able to retrieve a copy of the message by dumping the memory cache for his Skype client on his OS X machine.

Continue reading

A Closer Look: Perkele Android Malware Kit

August 19, 2013

In March 2013 I wrote about Perkele, a crimeware kit designed to create malware for Android phones that can help defeat multi-factor authentication used by many banks. In this post, we’ll take a closer look at this threat, examining the malware as it is presented to the would-be victim as well as several back-end networks set up by cybercrooks who have been using mobile bots to fleece banks and their customers.

Perkele disguises itself as an various Android security applications and certiifcates.

Perkele disguises itself as various Android security applications and certificates.

Perkele is sold for $1,000, and it’s made to interact with a wide variety of malware already resident on a victim’s PC. When a victim visits his bank’s Web site, the Trojan (be it Zeus or Citadel or whatever) injects malicious code into the victim’s browser, prompting the user to enter his mobile information, including phone number and OS type.

That information is relayed back to the attacker’s control server, which injects more code into the victim’s browser prompting him to scan a QR code with his mobile device to install an additional security mechanism.

Once the victim scans the QR code, the Perkele malware is downloaded and installed, allowing the attackers to intercept incoming SMS messages sent to that phone. At that point, the malware on the victim’s PC automatically initiates a financial transaction from the victim’s account.

When the bank sends an SMS with a one-time code, Perkele intercepts that code and sends it to the attacker’s control server. Then the malicious script on the victim’s PC receives the code and completes the unauthorized transaction.

Web site security firm Versafe located a server that was being used to host malicious scripts tied to at least one Perkele operation. The company produced this report (PDF), which delves a bit deeper into the behavior and network activity generated by the crimeware kit.

Versafe’s report includes several screenshots of the Perkele application as offered to would-be victims. The malware is presented as a security certificate; it’s named “zertificate” because the victim in this case banked at a German financial institution.

Perkele disguised as a security certificate for a German bank. Source: Versafe.

Perkele disguised as a security certificate for a German bank. Source: Versafe.

A few weeks ago, I encountered the back end system for what appears to be a Perkele distribution, or perhaps some other mobile malware bot; I should note that disguising an Android banking Trojan as a security certificate is not a ruse that’s limited to Perkele: The Pincert SMS malware also employs this trick, according to F-Secure.

Anyhow, I scarcely had time to examine this particular mobile bot control panel before it was either taken down by German authorities or was moved elsewhere by the fraudsters. But it, too, was intercepting one-time codes from German banking victims using an Android malware component similarly disguised as a “zertificate.”

This Android SMS bot control panel targeted German bank customers.

This Android SMS bot control panel targeted German bank customers.

Apparently, it was fairly successful, stealing one-time codes from online banking customers of several German financial institutions, including Postbank and Comdirect.

Dozens of German banking customers were victimized by this Android bot control panel.

Dozens of German banking customers were victimized by this Android bot control panel.

In the screen grab below, we can see the main administrative page of this panel, which controls which banks should be targeted and from where the fraudulent text messages should be sent.

Continue reading

Washington Post Site Hacked After Successful Phishing Campaign

August 15, 2013

The Washington Post acknowledged today that a sophisticated phishing attack against its newsroom reporters led to the hacking of its Web site, which was seeded with code that redirected readers to the Web site of the Syrian Electronic Army hacker group. According to information obtained by KrebsOnSecurity, the hack began with a phishing campaign launched over the weekend that ultimately hooked one of the paper’s lead sports writers.

This phishing page used by the Syrian Electronic Army spoofed The Post's' internal email login page.

This phishing page used by the Syrian Electronic Army spoofed The Post’s’ internal email login page.

On Tuesday morning, KrebsOnSecurity obtained information indicating that a phishing campaign targeting the Post’s newsroom had been successful, and that the attackers appear to have been seeking email access to Post reporters who had Twitter accounts. The Post did not respond to requests for comment.

Update, August 16, 10:07 a.m. ET: Post spokesperson Kris Coratti finally responded, stating that the phishing attack and the site compromise were two separate incidents, and that one did not necessarily lead to the other. She emphasized that the site hack was the result of an attack on Outbrain, a third-party content recommendation site.

Original story:

But in a brief acknowledgment published today, The Post allowed that it had in fact been hacked, and in an update to that statement added that the source of the compromise was a phishing attack apparently launched by the SEA. From that message:

“A few days ago, The Syrian Electronic Army, allegedly, subjected Post newsroom employees to a sophisticated phishing attack to gain password information. The attack resulted in one staff writer’s personal Twitter account being used to send out a Syrian Electronic Army message. For 30 minutes this morning, some articles on our web site were redirected to the Syrian Electronic Army’s site. The Syrian Electronic Army, in a Tweet, claimed they gained access to elements of our site by hacking one of our business partners, Outbrain. We have taken defensive measures and removed the offending module. At this time, we believe there are no other issues affecting The Post site.”

According to sources, Post sports writer Jason Reid was among those who fell for a phishing scam that spoofed The Posts’s internal Outlook Web Access email portal (see screenshot above). Reid’s hacked email account was then used to send additional — likely malware-laced — phishing emails to other newsroom employees (see screenshot below). Reid did not respond to requests for comment.

Washington Post top brass huddle via email after the successful phishing attack.

Washington Post top brass huddle via email after the successful phishing attack.

Other well-known Posties came close to be tricked by the phishing attack. One of those nearly-phished was veteran Post staffer Gene Weingarten, one of the Post’s Pulitzer Prize winning editors and writers. Reached via email for comment, Weingarten was characteristically self-effacing about the whole ordeal (full disclosure: Gene edited my very first story to appear in The Washington Post, a 1996 Style section piece about living in the late President Gerald Ford‘s house, titled, “My Gerry Built Home“).

“I was phished….one of four, but I never entered any creds,” Weingarten wrote. “I’m stupid, but not THAT stupid.”

This type of phishing attack bears the hallmark of the SEA, which has taken credit for hijacking the Twitter accounts of several news outlets, perhaps most famously that of The Associated Press earlier this year. That campaign — which culminated in an unauthorized tweet sent from the AP’s Twitter account falsely claiming that bombs had exploded in the White House — briefly sent the Dow Industrial Average down 140 points.

As this incident highlights, phishing attacks and the phishers themselves are growing in sophistication. A survey released last month by Verizon Communications Inc. found nearly every incident of online espionage in 2012 involved some sort of phishing attack.

Update, August 16, 11:00 a.m. ET: One astute reader pointed out that the numeric Internet address (31.170.164.145) connected to the domain (site88[dot]net – see first screen shot above) used in the phishing attack against the Post this past weekend resides on the same subnet and hosting provider as blogs and Web sites belonging to some of the top Syrian Electronic Army members, including:

thepro[dot]sy (31.170.162.145)

victor[dot[thepro[dot]sy (31.170.162.145)

blog[dot]thepro[dot]sy (31.170.161.41)

Personalized Exploit Kit Targets Researchers

August 15, 2013

As documented time and again on this blog, cybercrooks are often sloppy or lazy enough to leave behind important clues about who and where they are. But from time to time, cheeky crooks will dream up a trap designed to look like they’re being sloppy when in fact they’re trying to trick security researchers into being sloppy and infecting their computers with malware.

A fake Nuclear Exploit Pack administrative panel made to serve malware.

A Nuclear Exploit Pack administrative panel made to serve malware.

According to Peter Kruse, a partner and cybercrime specialist with CSIS Security Group, that’s what happened late last month when a Twitter user “Paunchbighecker” started messaging security researchers on Twitter. Paunch the nickname of a Russian hacker who for the past few years has sold the wildly popular Blackhole exploit kit, a crimeware package designed to be stitched into hacked or malicious sites and foist browser exploits on visitors. The person behind Paunchbighecker Twitter account probably figured that invoking Paunch’s name and reputation would add to the allure of his scam.

The Paunchbighecker Twitter account appears to have been created on July 30 for the sole purpose of sending tweets to several security researchers, including this author, Mikko Hypponen of Finnish security firm F-Secure, French malware researcher Kafeine, Polish security researcher tachion24, and SecObsecurity. Strangely enough, the other Twitter account that received messages from this user belongs to Sauli Niinistö, the current president of Finland.

The link that Paunchbighecker sent to researchers displays what appears to be the back-end administrative panel for a Nuclear Pack exploit kit. In fact, the landing page was a fake merely made to look like a Nuclear pack statistics panel. Rather, embedded inside the page itself is a series of active Java exploits. 

Update, 1:56 p.m.: Security researcher Kafeine said he does not believe this was an attack against security researchers, but rather an intentional leak of badguy credentials.  Furthermore, Kafeine notes that visitors to the site link in the Twitter messages would have to take an additional step in order to infect their own computers.

Continue reading

Buying Battles in the War on Twitter Spam

August 14, 2013

The success of social networking community Twitter has given rise to an entire shadow economy that peddles dummy Twitter accounts by the thousands, primarily to spammers, scammers and malware purveyors. But new research on identifying bogus accounts has helped Twitter to drastically deplete the stockpile of existing accounts for sale, and holds the promise of driving up costs for both vendors of these shady services and their customers.

Image: Twitterbot.info

Image: Twitterbot.info

Twitter prohibits the sale and auto-creation of accounts, and the company routinely suspends accounts created in violation of that policy. But according to researchers from George Mason University, the International Computer Science Institute and the University of California, Berkeley, Twitter traditionally has done so only after these fraudulent accounts have been used to spam and attack legitimate Twitter users.

Seeking more reliable methods of detecting auto-created accounts before they can be used for abuse, the researchers approached Twitter last year for the company’s blessing to purchase credentials from a variety of Twitter account merchants. Permission granted, the researchers spent more than $5,000 over ten months buying accounts from at least 27 different underground sellers.

In a report to be presented at the USENIX security conference in Washington, D.C. today, the research team details its experience in purchasing more than 121,000 fraudulent Twitter accounts of varying age and quality, at prices ranging from $10 to $200 per one thousand accounts.

The research team quickly discovered that nearly all fraudulent Twitter account merchants employ a range of countermeasures to evade the technical hurdles that Twitter erects to stymie the automated creation of new accounts.

“Our findings show that merchants thoroughly understand Twitter’s existing defenses against automated registration, and as a result can generate thousands of accounts with little disruption in availability or instability in pricing,” the paper reads. “We determine that merchants can provide thousands of accounts within 24 hours at a price of $0.02 – $0.10 per account.”

SPENDING MONEY TO MAKE MONEY

For example, to fulfill orders for fraudulent Twitter accounts, merchants typically pay third-party services to help solve those squiggly-letter CAPTCHA challenges. I’ve written here and here about these virtual sweatshops, which rely on low-paid workers in China, India and Eastern Europe who earn pennies per hour deciphering the puzzles.

topemailThe Twitter account sellers also must verify new accounts with unique email addresses, and they tend to rely on services that sell cheap, auto-created inboxes at HotmailYahoo and Mail.ru, the researchers found. “The failure of email confirmation as a barrier directly stems from pervasive account abuse tied to web mail providers,” the team wrote. “60 percent of the accounts were created with Hotmail, followed by yahoo.com and mail.ru.”

Bulk-created accounts at these Webmail providers are among the cheapest of the free email providers, probably because they lack additional account creation verification mechanisms required by competitors like Google, which relies on phone verification. Compare the prices at this bulk email merchant: 1,000 Yahoo accounts can be had for $10 (1 cent per account), and the same number Hotmail accounts go for $12. In contrast, it costs $200 to buy 1,000 Gmail accounts.

topcountriesFinally, the researchers discovered that Twitter account merchants very often spread their new account registrations across thousands of Internet addresses to avoid Twitter’s IP address blacklisting and throttling. They concluded that some of the larger account sellers have access to large botnets of hacked PCs that can be used as proxies during the registration process.

“Our analysis leads us to believe that account merchants either own or rent access to thousands of compromised hosts to evade IP defenses,” the researchers wrote.

Damon McCoy, an assistant professor of computer science at GMU and one of the authors of the study, said the top sources of the proxy IP addresses were computers in developing countries like India, Ukraine, Thailand, Mexico and Vietnam.  “These are countries where the price to buy installs [installations of malware that turns PCs into bots] is relatively low,” McCoy said.

Continue reading

Microsoft Patches Plug 23 Security Holes

August 13, 2013

Microsoft has issued security updates to fix at least 23 distinct vulnerabilities in its Windows operating systems and other software. Three of the patch bundles released today address flaws rated “critical,” meaning that malware or miscreants can use them to break into Windows PCs without any help from users.

crackedwinLeading the critical updates is a cumulative patch for Internet Explorer (MS13-059) that affects every version of the browser on nearly all supported versions of Windows. In its advisory, Microsoft warns it is highly likely that attackers will soon develop exploit code to attack the flaws addressed in this patch. Indeed, according to Ross Barrett, manager of security engineering at Rapid7, the IE patch addresses a vulnerability first demonstrated at the Pwn2Own contest at the CanSecWest conference in March of this year.

Another critical update, MS13-060, is a browse-and-get-owned font vulnerability that affects users on Windows XP and Server 2003.  The final critical patch, MS13-061, tackles several flaws in Microsoft Exchange that stem from a third-party component from Oracle called Outside In.

Continue reading

Simple Hack Threatens Outdated Joomla Sites

August 12, 2013

If you run a site powered by the Joomla content management system and haven’t yet applied a critical update for this software released less than two weeks ago, please take a moment to do that: A trivial exploit could let users inject malicious content into your site, turning it into a phishing or malware trap for visitors.

joomlaThe patch released on July 31, 2013 applies to Joomla 2.5.13 and earlier 2.5.x versions, as well as Joomla 3.1.4 and earlier 3.x versions. Joomla credits discovery of the bug to Web security firm Versafe, which says a simple exploit targeting the vulnerability is already in use. Joomla versions 2.5.14 and 3.1.5. fix a serious bug that allows unprivileged users to upload arbitrary .PHP files just by adding a “.” (period) to the end of PHP filenames.

For 2.5.x and 3.x versions of Joomla, it is possible for anyone with access to the media manager to upload and execute arbitrary code simply by appending a period to the end of the file name they would like to run. For sites powered by unsupported versions of Joomla (1.5.x, and a cursory Google search indicates that there are tens of thousands of these 1.5.x sites currently online), attackers do not even need to have an account on the Joomla server for this hack to work.

Continue reading

$1.5 million Cyberheist Ruins Escrow Firm

August 7, 2013

A $1.5 million cyberheist against a California escrow firm earlier this year has forced the company to close and lay off its entire staff. Meanwhile, the firm’s remaining money is in the hands of a court-appointed state receiver who is preparing for a lawsuit against the victim’s bank to recover the stolen funds.

casholeThe heist began in December 2012 with a roughly $432,215 fraudulent wire sent from the accounts of Huntington Beach, Calif. based Efficient Services Escrow Group to a bank in Moscow. In January, the attackers struck again, sending two more fraudulent wires totaling $1.1 million to accounts in the Heilongjiang Province of China, a northern region in China on the border with Russia.

This same province was the subject of a 2011 FBI alert on cyberheist activity. The FBI warned that cyber thieves had in the previous year alone stolen approximately $20 million from small to mid-sized businesses through fraudulent wire transfers sent to Chinese economic and trade companies.

Efficient Services and its bank were able to recover the wire to Russia, but the two wires to China totaling $1.1 million were long gone. Under California law, escrow and title companies are required to immediately report any lost funds. When Efficient reported the incident to state regulators, the California Department of Corporations gave the firm three days to come up with money to replace the stolen funds.

Three days later, with Efficient no closer to recovering the funds, the state stepped in and shut it down.

Up until the past few weeks, the firm’s remaining funds have been tied up in a conservatorship established by the state, effectively barring the company’s owners from accessing any of its money. In early July, the state appointed a receiver to help wind up the company’s finances.

The court-appointed receiver — Peter A. Davidson of Ervin Cohen & Jessup LLP in Beverly Hills — said he and the company are contemplating their options for recovering more of the lost funds from the bank — Irvine, Calif. based First Foundation.

“We’re exploring what choices we have to recover funds for those who had escrows and are owed money,” Davidson said. “We filed a claim with the insurance company and we’re looking at our options for possibly dealing with the bank.”

Davidson said the bank’s business customer logins were protected by a username, password and a dynamic token code, but that the one-time token wasn’t working at the time of the fraud.

First Foundation did not respond to requests for comment.

Efficient’s co-owner Daniel J. Crenshaw said the bank produced a report shortly after the heist concluding that the missing funds were stolen not in a cyberheist but instead embezzled by an employee of Efficient Services. Crenshaw said the bank later backed away from that claim, after the state appointed a local forensics expert to examine the controller’s computer; sure enough, they discovered that the system had been compromised by a remote access Trojan prior to the heist.

Continue reading