How The Syrian Electronic Army Tried to Hack Ira’s Presentation
As many people heard, the Syrian Electronic Army took exception to Ira Winkler’s RSA presentation disclosing their methods and how to prevent them. RSA Conference posted the video of the presentation. In response, the SEA apparently hacked the RSA Conference website, rsaconference.com. Here are the results of our investigation into how this occurred.
While the attack may seem advanced, it is a traditional, low-tech attack by the SEA. While it demonstrates persistence, it does not demonstrate deep technical proficiency. To be clear, the RSA Conference site itself was not hacked. Additionally, Lucky Orange, which was essentially the attack vector, was also not hacked. It was a phishing attack against the staff of Lucky Orange’s DNS hosting company, and that staff fell victim to it. Note: Lucky Orange has since changed the company performing its DNS hosting.
How the “Hack” Occurred
- The SEA identified Lucky Orange’s DNS provider; however, Lucky Orange had its DNS locked.
- The SEA searched LinkedIn and other resources, found names of current and former employees of the DNS provider, and sent spear phishing messages to those individuals, guessing their addresses from the company’s standard email address format. The spear phishing messages appeared to be from the CEO and claimed to contain a link to a BBC news story relevant to the company. Users who clicked the link were prompted to log into what appeared to be their company system, which was actually a user ID and password capture screen.
- An account executive (AE) fell victim to the spear phishing attack. The attackers used the captured AE credentials to log on to the provider’s customer account management system, and then reset the Lucky Orange logon credentials. They then logged on to the DNS control panel as Lucky Orange staff.
- Visitors to any website that used the same Lucky Orange analytics script, such as Memorybook.com, also received the SEA’s image.
Yes, it was that simple and basic. It does demonstrate the importance of ensuring the security of your third-party providers. More analysis later.
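The chain above turns on one fact: a script your pages load is only as trustworthy as the DNS zone and account that serve it, and a registrar lock on your own zone does nothing when the provider’s hosting account is phished. The example below is added here and is not code from the original post, from Lucky Orange, or from the SEA investigation. It is a small Python monitor that records a baseline for a third-party script host (its authoritative name servers, its resolved addresses, and the SHA-256 of the reviewed script body) and flags drift in any of the three; it also emits the Subresource Integrity value that lets a browser refuse a substituted script on its own. All hostnames (`analytics.provider.example`, `ns1.dnshost.example`), addresses (RFC 5737 documentation ranges) and script bodies are constructed placeholders.

```python
# Added example (not from the original post): compare a third-party script host
# against a baseline recorded when the dependency was onboarded.
# Hostnames, addresses and script bodies below are constructed placeholders.
import base64
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sri_hash(data: bytes) -> str:
    """Subresource Integrity value for a script body ("sha256-<base64 digest>").
    Used as <script src=... integrity="..." crossorigin="anonymous">, it makes
    the browser refuse a script whose body differs from the reviewed copy,
    whatever DNS currently says about the host."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


@dataclass(frozen=True)
class Baseline:
    hostname: str
    name_servers: frozenset   # authoritative NS set recorded at onboarding
    addresses: frozenset      # A/AAAA answers recorded at onboarding
    script_sha256: str        # digest of the script body as reviewed


@dataclass(frozen=True)
class Observation:
    hostname: str
    name_servers: frozenset   # NS set seen now (from your resolver or monitor)
    addresses: frozenset      # A/AAAA answers seen now
    script_body: bytes        # body fetched from the script URL now


def check_dependency(baseline: Baseline, obs: Observation) -> list:
    """Return a list of findings; an empty list means no drift from the baseline."""
    if obs.hostname != baseline.hostname:
        raise ValueError("baseline and observation are for different hosts")
    findings = []
    # 1. Delegation change: the zone's NS set moving to different servers is
    #    what a taken-over DNS-hosting account typically produces.
    if obs.name_servers != baseline.name_servers:
        findings.append(
            f"{obs.hostname}: NS changed "
            f"{sorted(baseline.name_servers)} -> {sorted(obs.name_servers)}")
    # 2. Unexpected answers: any address outside the recorded set.
    unexpected = obs.addresses - baseline.addresses
    if unexpected:
        findings.append(f"{obs.hostname}: unexpected addresses {sorted(unexpected)}")
    # 3. Content change: the script served differs from the reviewed copy.
    digest = sha256_hex(obs.script_body)
    if digest != baseline.script_sha256:
        findings.append(
            f"{obs.hostname}: script digest {digest[:12]}... "
            f"!= baseline {baseline.script_sha256[:12]}...")
    return findings


# Constructed sample data.
REVIEWED_SCRIPT = b"window.analytics = window.analytics || {}; // reviewed v1\n"
BASELINE = Baseline(
    hostname="analytics.provider.example",
    name_servers=frozenset({"ns1.dnshost.example", "ns2.dnshost.example"}),
    addresses=frozenset({"203.0.113.10", "203.0.113.11"}),
    script_sha256=sha256_hex(REVIEWED_SCRIPT),
)
CLEAN_OBSERVATION = Observation(
    hostname="analytics.provider.example",
    name_servers=frozenset({"ns1.dnshost.example", "ns2.dnshost.example"}),
    addresses=frozenset({"203.0.113.11"}),   # a subset of the baseline is fine
    script_body=REVIEWED_SCRIPT,
)
# Models the incident: a control-panel takeover repoints the zone, and the
# script URL now serves something other than the reviewed analytics code.
HIJACKED_OBSERVATION = Observation(
    hostname="analytics.provider.example",
    name_servers=frozenset({"ns1.other-host.example"}),
    addresses=frozenset({"198.51.100.7"}),
    script_body=b"/* not the reviewed script */\n",
)

if __name__ == "__main__":
    for obs in (CLEAN_OBSERVATION, HIJACKED_OBSERVATION):
        result = check_dependency(BASELINE, obs)
        print("OK" if not result else "\n".join(result))
    print("SRI for reviewed script:", sri_hash(REVIEWED_SCRIPT))
```

In practice the `Observation` is filled from a scheduled resolver query (NS and A/AAAA lookups against an authoritative server, not just your recursive cache) plus a fetch of the script URL, and the NS finding is the one to page on, since it fires before any visitor loads the substituted script. The SRI value is the stronger control but only works for scripts whose body is stable; analytics vendors that push frequent changes will break it, which is itself a useful conversation to have with the vendor about how their DNS and hosting accounts are protected.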