Attacks/Breaches
7/30/2013
12:45 PM
50%
50%

Syrian Electronic Army Hacks White House Media Team

Hackers fail to take over White House website, and then got their Twitter accounts suspended for boasting about subsequent Thomson Reuters takeover.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
Three White House social media staffers had their personal Gmail accounts compromised by members of the Syrian Electronic Army (SEA).

The accounts were compromised via a phishing attack that used emails disguised as legitimate communications from the BBC and CNN, reported Nextgov. Instead, the emails included links to fake -- but real-looking -- Google and Twitter pages, which requested that the recipients enter their log-in details. The attackers then used the stolen credentials to launch phishing attacks on other White House staffers, as recently as Sunday night.

According to one security expert, finding the names and contact details for staffers in charge of social media operations at the White House would have been a relatively simple endeavor. "I imagine that the names and email addresses of people at the White House in digital media or anything related to media are easy to find since their job involves public access," Jeffrey Carr, a cyberwarfare specialist at consultancy Taia Global, told Nextgov. "A list of targets would be created from open sources and that's who the phishing email would be delivered to."

[ Want more on well-known hacking groups? Read Anonymous: 10 Things We Have Learned In 2013. ]

The SEA told E Hacking News that the Gmail phishing attack was meant to be a stepping stone to taking over the public-facing White House website. But the hacking group, which backs Syrian president Bashar al-Assad, failed in that bid.

Instead, it released -- no longer working -- passwords for the official White House Twitter feed, as well as a username and password for the White House Hootsuite account. "You were lucky this time," read a tweet from the SEA.

But the hackers claimed success Monday after taking over the Twitter feed for Thomson Reuters and posting multiple fake tweets, including links to pro-Assad cartoons, some of a violent nature, which were later reproduced by BuzzFeed. After the takeover was discovered, the account remained suspended until early Tuesday.

A Thomson Reuters spokesman confirmed the breach to The Wall Street Journal. "Earlier today @thomsonreuters was hacked," he said in a statement emailed late Monday. "In this time, unauthorized individuals have posted fabricated tweets of which Thomson Reuters is not the source. The account has been suspended and is currently under investigation." But the spokesman declined to address how the business had been hacked, or whether it was using Twitter's two-factor authentication feature.

The SEA previously invoked the White House after taking over an account run by The Associated Press. The group then issued this fake tweet: "Breaking: Two Explosions in the White House and Barack Obama is injured." That takeover, which caused a short-term stock market selloff, lead to increased demands on Twitter to introduce a two-factor authentication system, which it released about a month later, albeit to mixed reviews.

Meanwhile, the SEA boasted Tuesday on its website that its 12th Twitter account had been suspended, following the account having been used to detail the group's takeover of Thomson Reuters. The accounts of multiple group members, including "The3Pr0," were also suspended.

From a new account, The3Pr0 issued a warning against further takedowns: "Dear @Twitter, If you suspend the #SEA account again, you will see the [most] massive Twitter accounts hacks you ever see!"

The White House phishing attack aside, the SEA typically targets news organizations it sees as promoting a negative view of the current Syrian regime. The group's takeover victims have included Twitter accounts run by a number of news organizations, including not just the AP but also NPR, CBS News, the BBC and satire site The Onion.

Syrian president Assad made his own social media news last week for extending his propaganda efforts to Instagram, where a new account has been set up to promote his presidency. The photo-sharing platform showed him visiting sick people in the hospital and wiping tears from children's faces.

The Syrian civil war, which began more than two years ago, has so far claimed an estimated 93,000 lives.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-1793
Published: 2014-12-25
rendering/svg/RenderSVGResourceFilter.cpp in WebCore in WebKit in Google Chrome before 11.0.696.65 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted SVG document that leads to a "stale pointer."

CVE-2011-1794
Published: 2014-12-25
Integer overflow in the FilterEffect::copyImageBytes function in platform/graphics/filters/FilterEffect.cpp in the SVG filter implementation in WebCore in WebKit in Google Chrome before 11.0.696.65 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified ...

CVE-2011-1795
Published: 2014-12-25
Integer underflow in the HTMLFormElement::removeFormElement function in html/HTMLFormElement.cpp in WebCore in WebKit in Google Chrome before 11.0.696.65 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted HTML document con...

CVE-2011-1796
Published: 2014-12-25
Use-after-free vulnerability in the FrameView::calculateScrollbarModesForLayout function in page/FrameView.cpp in WebCore in WebKit in Google Chrome before 11.0.696.65 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted JavaS...

CVE-2011-1798
Published: 2014-12-25
rendering/svg/RenderSVGText.cpp in WebCore in WebKit in Google Chrome before 11.0.696.65 does not properly perform a cast of an unspecified variable during an attempt to handle a block child, which allows remote attackers to cause a denial of service (application crash) or possibly have unknown othe...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.