Syrian Electronic Army hacks Forbes website and Twitter accounts

Forbes, the American business magazine, appears to be the latest victim of the Syrian Electronic Army. The group managed to post articles entitled "hacked by syrian electronic army".

The group specializes in phishing attacks, targeting employees of an organization with fake emails. We believe the hackers used the same method to compromise Forbes' employees.

It appears they gained admin access to the WordPress panel, which allowed them to post stories.

The group appears to have compromised one Twitter account of Forbes (@forbestech) and two Twitter accounts (@thealexknapp, @samsharf) belonging to its employees. At the time of writing, Samantha Sharf's account still shows the hackers' tweet.

The hackers said they hacked Forbes because the publication posted many articles against the Syrian Electronic Army, with much hate for Syria.

Target data breach started with a Spear phishing attack targeting HVAC firm

The latest information on the Target data breach, published by security blogger Brian Krebs, shows the power of social engineering attacks.

It appears everything began with a spear phishing attack in which employees of HVAC company Fazio Mechanical Services were targeted with an email containing a piece of malware.

Sources have told Krebs that the malware used in the attack is Citadel, a notorious banking trojan capable of stealing login credentials and other information. However, Krebs isn't able to confirm the information.

The reason the company didn't get a chance to identify the malware is that it is using a free version of Malwarebytes Anti-Malware to protect its internal systems.

Malwarebytes is a good tool capable of scanning and removing threats from infected machines. However, unlike the Pro version (just $25), the free version doesn't offer any real-time protection.

Furthermore, the free version is meant for individuals, not for companies, and its license prohibits corporate use.

Hacker manipulates Paypal and Godaddy to extort a twitter account worth $50,000


We are aware that one of the most powerful attack methods in the hacking world is social engineering. Here is the story of how a social engineering attack helped a hacker extort a Twitter account worth $50,000.

Naoki Hiroshima, an app developer, registered his one-letter handle @N in 2007. He says he has faced several troubles since he registered the account. One-letter Twitter handles are rare and worth a lot of money.

He says he even got an offer of up to $50,000 for his Twitter handle. However, he declined to sell it. But not all attempts to obtain the account have been friendly. Hackers have often attempted to steal his account by sending phishing emails.

But this time, Naoki was out of luck. A hacker managed to compromise his website with a social engineering attack. The hacker's main target was the Twitter handle. He threatened Naoki that he would never get his domain back if he failed to hand over his Twitter handle. So Naoki finally agreed to give the Twitter handle to the hacker.

After getting access to @N, the hacker explained how he was able to compromise the website and provided a few security tips to help Naoki avoid becoming a victim in future.

Manipulated employees at Paypal and Godaddy:
The attack started with Paypal. The hacker called Paypal and social engineered an employee into handing over the last four digits of Naoki's card.

He then called Godaddy and said he had lost his card data but remembered the last four digits. Godaddy let the attacker guess the first two digits of the card. He guessed the digits successfully and was given access to the account.

Naoki was using an email address hosted on his website for the Twitter account. The attacker attempted to reset the Twitter password. Meanwhile, Naoki realized the attack was under way and immediately changed the email address on the Twitter account to a Gmail address. So the attacker was not able to get access to the Twitter account.

He also attempted to trick Twitter into handing over the account, but Twitter asked the attacker for more information. So he dropped the plan and blackmailed Naoki into giving up his handle.

As the domain's registrant details had been changed and Godaddy was not helping Naoki, he finally agreed to exchange the Twitter handle for his Godaddy account.

Naoki said he is disappointed with Godaddy and Paypal and plans to leave them as soon as possible.

"Stupid companies may give out your personal information (like part of your credit card number) to the wrong person. Some of those companies are still employing the unacceptable practice of verifying you with the last some digits of your credit card." Naoki said in his blog.

Currently, the attacker has control of the Twitter handle @N. Naoki is using N_is_Stolen for his account.

Microsoft confirms phishing attack compromised the employee's email account

Social engineering is one of the most successful attack methods: even a system that is claimed to be 100% secure can be hacked if an attacker is able to manipulate one employee.

We recently covered the Microsoft Twitter account hack, in which Syrian hackers compromised the email accounts of Microsoft employees through a phishing attack.

Microsoft has finally admitted that the Syrian Electronic Army hacked into several Microsoft employee email accounts via a phishing attack.

"A social engineering cyberattack method known as phishing resulted in a small number of Microsoft employee social media and email accounts being impacted." a Microsoft spokesperson said in an email sent to Geekwire.

Microsoft said that the compromised accounts have been recovered. It also claimed that no customer information was stolen in the attack.

"We continue to take a number of actions to protect our employees and accounts against this industry-wide issue."

8 Telegraph Twitter accounts and Facebook hacked by Syrian Electronic Army

The Daily Telegraph, a UK-based international news portal, is the latest victim of the Syrian hacker group's social media hacks. Earlier today, the Syrian Electronic Army hijacked 8 Telegraph Twitter accounts and a Facebook account.

As usual, the hackers started to tweet from the hacked accounts. "#FSA terrorits executed innocent citizens: on.ft.com/10VkxZk #SEA Syria" one of the tweets posted by the group reads.




The list of hacked accounts:
  1. https://twitter.com/TelegraphNews
  2. https://twitter.com/TeleTheatre
  3. https://twitter.com/TelegraphOpera
  4. https://twitter.com/TelegraphArt
  5. https://twitter.com/TelegraphFilm
  6. https://twitter.com/Tele_Comedy
  7. https://twitter.com/TelegraphSport
  8. https://twitter.com/TelegraphBooks

In addition to the Twitter accounts, they also hijacked the official Facebook page: https://www.facebook.com/TELEGRAPH.CO.UK

"We are aware that some of our accounts have been compromised and are working to resolve the issue. Many thanks for your patience." the Telegraph said in response to the hack.

Phishing Scam alert: Samantha very hot scene from Telugu Movie

A recent report from Symantec shows that even cybercriminals have become fans of Telugu actresses Kajal Agarwal and Samantha. Cybercriminals have started to use these actresses' names in their phishing campaigns.

A few days after Symantec spotted a phishing campaign with the title "Samantha & Kajal very hot song from Brindavanam Telugu movie", it spotted another phishing campaign that uses their names.

"the phishing site displayed a picture from a captivating musical number from the movie 'Saitan'." the Symantec report reads. "The phishing site was titled, 'Samantha & Kajal Very Hot Song' but in fact, these celebrities were not a part of this movie."

The phishing page asks visitors to log in to watch the video. When a user enters login credentials, they are redirected to the legitimate movie website.

"If users fell victim to the phishing site by entering their login credentials, phishers would have successfully stolen their information for identity theft purposes." the researcher says.

Celebrities Hacked and Doxed! (Exclusive: Hack analysis)

The private details of many celebrities have been leaked on a website: http://www.exposed.su/ (currently going in and out of service).

This is the list of celebrities exposed: Michelle Obama, Kim Kardashian, Joe Biden, Robert Mueller (FBI Director), Hillary Clinton, Eric Holder (U.S. Attorney General), Charlie Beck (LAPD Chief), Mel Gibson, Ashton Kutcher, Jay Z, Beyonce, Paris Hilton, Britney Spears, Sarah Palin, Hulk Hogan, Donald Trump, Arnold Schwarzenegger, Al Gore, Kanye West, Kris Jenner, Stacia Hylton (U.S. Marshals Director), Mitt Romney, Tiger Woods, Sandusky, Chris Christie, Bill Gates

When this site went viral and gained a lot of media attention, the FBI got involved and is now investigating.

The data seems to be from the credit reporting agencies TransUnion, Experian and Equifax. All of them admitted they were compromised.

TransUnion, Equifax and Experian have a common website called annualcreditreport.com, where customers can get a free copy of their credit report by entering personal information (such as address, social security number and date of birth) and by answering a few multiple-choice questions.

“What it appears happened is that personal identifiable information was evidently accessed or somehow obtained by the fraudsters who therefore were able to go into annualcreditreport.com and get some pieces of information on some individuals,” Equifax representatives told Ars Technica.

Here is an exclusive analysis of the site:

The website is running behind Cloudflare (CDN). Using Cloudflare has a lot of advantages:

  • It hides the actual IP address of the site, which slows down attempts to trace and take down the original server.
  • It keeps the site content in cache even if the site is taken down by DDoS etc.
  • Even a small server is able to handle a lot of traffic.

Note: Cloudflare was also used by the infamous "Lulzsec" before they were shut down.

The hacker seems to be a fan of the TV series "Dexter", which is about "A likeable Miami police forensics expert who moonlights as a serial killer of criminals who he believes have escaped justice".

First, the quote on the main page: "If you believe that God makes miracles, you have to wonder if Satan has a few up his sleeve"

It is from the same TV show (Episode 12: "The British Invasion").

Second, the background music embedded in the site links to music from the TV show: https://www.youtube.com/watch?v=e2xxizpHuoo

The website also does not host any images itself. All the images are taken from other sites that already host them.

The use of a .su domain seems to be a diversion to try to shift attention to Russian hackers.

Whois data:

domain:        EXPOSED.SU
nserver:       dave.ns.cloudflare.com.
nserver:       fay.ns.cloudflare.com.
state:         REGISTERED, DELEGATED
person:        Private Person
e-mail:        exposed@allperson.ru
registrar:     REGTIME-REG-FID
created:       2013.03.06
paid-till:      2014.03.06
free-date:     2014.04.08
source:        TCI

Some of the pages also have YouTube videos embedded in them (most of them have something to do with the person exposed on the page):

Michelle Obama -- https://www.youtube.com/watch?v=rhN7SG-H-3k

Robert Mueller -- https://www.youtube.com/watch?v=ANeWYnArWXk

Charles Beck    -- https://www.youtube.com/watch?v=1M8vei3L0L8

Paris Hilton      -- https://www.youtube.com/watch?v=srP5twK-9Dw

Britney Spears  -- https://www.youtube.com/watch?v=kHmvkRoEowc

Donald Trump  -- https://www.youtube.com/watch?v=WD729yIKskU

Arnold Schwarzenegger -- (Broken Link in site) 

Mitt Romney -- (Broken Link in site) https://www.youtube.com/watch?v=DrR4G5HHPxY (recovered)

Though the attack is very well planned, the website itself seems to have been done in a hurry. There also seems to be no "pattern" to the hacks except that all of the victims are celebrities.

Note: Will update this post if I find anything else.

Browser Event Hijacking allows hacker to steal your password

Be careful what you type in your web browser. A hacker can hijack the browser's search command and steal your password or other sensitive data through a social engineering attack.

The method has been possible for years, but now two PoCs have been published that demonstrate how an attacker can lure victims into giving up their password.

Browser Event Hijacking:

A hacker can hijack a browser event by using the JavaScript 'preventDefault' method, which cancels the browser's default action for an event while still allowing all remaining handlers for the event to execute. For example, if you press Ctrl+F, hackers can display their own search box instead of the browser's search box.

The hack was initially posted here:
http://labs.neohapsis.com/2012/11/14/browser-event-hijacking/

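Simple code that hijacks the browser event to steal a password:

    $(window).keydown(function (evt) {
        // 70 is the key code for "F"; Ctrl+F (Cmd+F on macOS) normally opens the browser's find bar
        if (evt.which === 70 && (evt.metaKey || evt.ctrlKey)) {
            console.log("STRG+F");
            // cancel the default action so the browser's own find bar never opens
            evt.preventDefault();
            /* display fake search */
            $("#searchbox").slideDown(110);
            $('#search').focus();
        }
    });
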
Another researcher then rebuilt the PoC with a fake list of leaked passwords. Someone who just presses Ctrl+F in the browser and types a password to check whether it has been leaked becomes a victim.

The POC :
http://h43z.koding.com/blog/leaked.html

If you search for any keyword on the page, it will lure you into believing there is a password matching your search string.
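
A defensive counterpart to the technique described above, added here as an example (it is not from the original post or from either PoC): a monitor that wraps `preventDefault` and reports whenever page script cancels Ctrl+F or Cmd+F, the behaviour the fake search box depends on. The names `WATCHED_KEYS`, `describeShortcut` and `installShortcutMonitor` are this example's own.

```javascript
// Shortcuts to watch. "f" is the Ctrl+F / Cmd+F case from the article; the
// set is an assumption of this example and can be extended.
const WATCHED_KEYS = new Set(["f"]);

// Return a label such as "Ctrl+F" when evt is a keydown for a watched
// shortcut, otherwise null. Handles modern evt.key and legacy evt.which.
function describeShortcut(evt) {
  if (!evt || evt.type !== "keydown") return null;
  if (!(evt.ctrlKey || evt.metaKey)) return null;
  const code = evt.which || evt.keyCode || 0;
  const raw = typeof evt.key === "string" && evt.key.length === 1
    ? evt.key
    : String.fromCharCode(code);
  const key = raw.toLowerCase();
  if (!WATCHED_KEYS.has(key)) return null;
  return (evt.ctrlKey ? "Ctrl+" : "Cmd+") + key.toUpperCase();
}

// Wrap preventDefault on the given prototype so that every cancellation of a
// watched shortcut is reported before the original method runs.
// Returns a function that removes the wrapper again.
function installShortcutMonitor(eventProto, report) {
  const original = eventProto.preventDefault;
  eventProto.preventDefault = function (...args) {
    const combo = describeShortcut(this);
    if (combo) {
      // The stack trace shows which script cancelled the shortcut.
      report({ combo: combo, stack: new Error().stack });
    }
    return original.apply(this, args);
  };
  return function uninstall() {
    eventProto.preventDefault = original;
  };
}

// In a browser, install on the real Event prototype before page scripts run,
// for example as the first script loaded in a page under test.
if (typeof window !== "undefined" && typeof Event !== "undefined") {
  installShortcutMonitor(Event.prototype, function (hit) {
    console.warn("Page cancelled " + hit.combo +
      "; any search box shown is not the browser's own", hit.stack);
  });
}
```

jQuery's `evt.preventDefault()` forwards to the native event's method, so a handler like the one above is reported as well.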

South Carolina Department of Revenue hacked by Social Engineering attack


At the end of last month, we reported that the South Carolina Department of Revenue website was breached and hackers stole sensitive information. The cyber crime investigation reveals the reason behind the security breach.

After the security breach, the state hired an information security firm to investigate the intrusion.

According to the report, the hacker tricked a user in the Department of Revenue's system into opening a malicious file that allowed the hacker to access the system.

The investigation also discovered that the Department of Revenue’s login system for the computer did not have the strongest protections available to verify users trying to get in.

By using the stolen credential, the hacker then remotely accessed the revenue department’s database and stole the information.

Hackers hijack Gizmodo Reporter's iCloud account via Social Engineering attack


Yesterday, we reported that Gizmodo's Twitter account was hijacked after hackers compromised the iCloud account of Mat Honan, a former Gizmodo employee. At the time it was assumed that the hackers had used a brute-force attack, but it turns out that Apple gave the hackers access to his iCloud account.

"I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions." Mat Honan said in the blog post.

"Apple has my Macbook and is trying to recover the data. I’m back in all my accounts that I know I was locked out of. Still trying to figure out where else they were."

“Social engineering” is a fancy term for tricking the person on the other end into doing what the attacker wants, here by making them believe that the attacker is you.

Even if you have strong passwords, hackers who can convince the tech support person that they are you can walk past all that security. Nothing can protect you from this kind of targeted attack.

UGNazi hacked WHMCS by Social Engineering attack

The UGNazi hacker group has managed to break into WHMCS, a company that provides billing and customer support tech to many web hosts. They leaked data and deleted all the files from the firm’s server.

The data leak contains 500,000 records including customer credit card details, usernames, passwords and IP addresses.

According to the report, the hackers tricked WHMCS's own hosting firm into handing over admin credentials to its servers.

UGNazi also gained access to WHMCS's Twitter account, which it used to publicise a series of posts on Pastebin that contained links to locations from which the billing firm's customer records and other sensitive data might be downloaded.

"Following an initial investigation I can report that what occurred today was the result of a social engineering attack. The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions," Matt Pugh, WHMCS founder and lead developer explained.

“And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details. This means that there was no actual hacking of our server. They were ultimately given the access details.”

Hacktivists justified the attack by making unsubstantiated accusations that WHMCS offered services to shady characters, via an update to WHMCS's compromised Twitter feed:

Many websites use WHMCS for scams. You ignored our warnings. We spoke louder. We are watching; and will continue to be watching. #UGNazi

After the incident, WHMCS reported the breach on its systems to the FBI.

Fraudster conned Citibank to get Paul Allen's Debit Card



The FBI has charged an alleged Army deserter, Brandon Price of Pittsburgh, Pennsylvania, with bank fraud in connection with the social-engineered hijacking of Microsoft co-founder Paul Allen's debit card.

According to the Wired report, the suspect phoned Citibank in January, impersonated Allen and asked the bank to change the address on his account. Later, he called Citibank's customer service department and stated that he had misplaced his debit card at his residence but didn't want to report it stolen. Citibank then sent him a new debit card via UPS.

It reminds me of the TV series 'White Collar'.

After UPS delivered it, the suspect made a $658 payment to his Armed Forces Bank loan account in Fort Leavenworth, Kansas.

He also attempted a $15,000 transaction through Western Union and, the following day, tried to make a $278 purchase from a Gamestop store in Pittsburgh, the authorities said. Those two transactions did not go through.

Hackers steal millions of pounds from Xbox Live customers using Phishing Attack


Cybercriminals used a phishing attack on Xbox Live accounts and stole millions of pounds. The average loss to gamers in the 35 countries hit by the scam is around £100, but many lost £200.

The attackers sent mail to Xbox Live customers leading to a phishing page that claimed to be "offering free Microsoft points that can be used to buy games." Gamers entered their personal information without knowing that it was a phishing page. The criminals took small amounts from credit cards over several weeks so that victims would not detect the theft. Other victims lost money when passwords were accessed.

The victims only realised when their online profile became "locked out", meaning someone else had used it.

Microsoft confirmed there had been no breach in the security of Xbox Live itself. Microsoft is investigating and says a small percentage of users are affected. A Microsoft spokesman said:
"We take the security of the Xbox Live service seriously and work to improve it against evolving threats.

Very occasionally, though, we are contacted by members regarding alleged unauthorized access to their accounts by outside individuals.

We work closely with impacted members directly to resolve any unauthorized changes to their accounts and, as always, highly recommend all Xbox Live users follow our account security guidance in order to protect their account details."


New Facebook scam leads to Youtube Phishing page

Microsoft spotted spam that leads to a YouTube phishing page, which suggests updating the browser with a bogus Active object (setup.exe). Of course, it is malware, detected as Backdoor:Win32/Caphaw.A.


This malware installs an FTP server, a proxy server, and a keylogger on the computer. It also has built-in remote desktop functionality based on the open source VNC project.
One infected user reported that money had been transferred from his bank account by an unknown party.

The backdoor "calls home" to domains such as commonworld*****.cc or web****es.cc to get the data that it posts on the friends' Facebook walls. Its main module, in the meantime, is hosted on ****youtube.com.

If you see this type of spam, you can mark the post as spam to help prevent others from downloading the backdoor;