Pro-Assad hacktivists steal Tango chat app's user details and deletes related article from Daily Dot media site despite its knowledge of imminent attack.

Mathew J. Schwartz, Contributor

July 23, 2013

4 Min Read

The Syrian Electronic Army: 9 Things We Know

The Syrian Electronic Army: 9 Things We Know


(click image for larger view)
The Syrian Electronic Army: 9 Things We Know

The Syrian Electronic Army (SEA), a band of hackers loyal to Syrian president Bashar al-Assad, claims to have stolen a database filled with details for users of the Tango video and voice chat app.

According to a "Tango app website/databases hacked" notice posted to the SEA's site Friday, the group said it obtained "more than 1.5 TB of the daily-backups of the servers [sic] network," as well as four databases containing "millions of the app users phone numbers and contacts and their emails."

"Much of the information in the databases that were downloaded will be delivered to the Syrian government," the group promised.

[ Beware suspect emails. Read Phishing Attackers Diversify, Target Facebook Credentials. ]

Software developer Tango confirmed Saturday that its systems had been breached, although it didn't name SEA as the culprit. "Tango experienced a cyber intrusion that resulted in unauthorized access to some data. We are working on increasing our security systems," read a Saturday tweet from Tango's official Twitter account. "We sincerely apologize for any inconvenience this breach may have caused our members."

Tango's app, which offers free calls for users, is similar to Skype and WhatsApp, and works on Android, iOS and Windows Phone devices, as well as Windows and Mac OS X. Launched in 2009, the app now counts over 120 million users across 210 countries, and works in 39 languages.

In the wake of the breach, Tango reportedly took its website offline and redirected users to its Facebook page. As of Tuesday, its website was again working, but made no mention of the data breach.

The SEA appeared to have gained access to Tango's systems by exploiting a vulnerability in an outdated version of its WordPress content management system, reported E Hacking News, which both broke the story and then proceeded to give Tango related information security tips. Although the current version of WordPress is 3.5.2 -- and was released last month -- according to a screenshot published by the SEA, Tango was using version 3.2.1 of the software, which was released back in July 2011.

But the SEA didn't stop there. Following the attacks, news site The Daily Dot published a story about the Tango hack Monday, illustrating it with a caricature of Assad from political caricaturist "DonkeyHotey". The SEA took offense at the image and sounded a related warning to The Daily Dot. "Dear @dailydot, please remove the attached picture in this article ... or we will do something you will not like it," the group tweeted Monday.

When the publication declined to comply, the SEA apparently seized control of at least one staffer's Gmail account, then used those credentials to access the publication's online control panel and excise the offending article, including the image. "This time we deleted that article, the second time we will delete all your website," the hackers tweeted Tuesday.

The SEA also leaked a series of Gmail messages between the publications' staffers, asking what should be done about a threat that "came from a smaller Twitter account." In reply, a reporter reminded staffers "to not use your work username/password on a shady-looking site," saying they needed to safeguard their Gmail credentials. "Fortunately, we've been covering the SEA, and we know their usual tactics. It's really, really basic," said the reporter.

Basic or no, at least one staffer apparently fell for an SEA phishing attack. Tuesday, the SEA posted a picture of what it said was "the stupid @dailydot administration panel," but blamed the publication for forcing its hand. "We said 'please' it's your fault," tweeted the hackers.

The SEA has regularly attacked news outlets that it sees as espousing a negative view of the current Syrian regime, which is led by President Bashar al-Assad and the Ba'ath Party. The group's typical modus operandi involves seizing a target's Twitter feeds and using them to broadcast hoax posts. Targets have ranged from the Guardian and BBC to the AP and satire site The Onion.

To date, Syria's two-year civil war has claimed an estimated 93,000 lives.

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights