How The Syrian Electronic Army Hacked Us: A Detailed Timeline

Feb 20 2014, 9:42am CST


Early Thursday morning, a Forbes senior executive was woken up by a call from her assistant, saying that she’d be working from home due to a forecast predicting the snowiest day of the year. When she ended the call, the executive saw on her Blackberry that she had just received a bluntly worded email that seemed to have been sent by a reporter at Vice Media, asking her to comment on a Reuters story linked in the message.

Any other time, she says she would have waited to read the linked story later at the Forbes office. But with the sale of the 96-year-old media company pending, she was on the alert for news. Groggily stepping out of bed, she grabbed her iPad, opened the email in her Forbes webmail page through a shortcut on the device’s homepage and tapped the emailed link.

In her half-asleep state, she was prompted for her webmail credentials and entered them, thinking her access to the page had timed out. When the link led to a broken url on Reuters’ website, she got dressed and began her snowy commute from Brooklyn to Manhattan without a second thought. “It was so insidious,” she says. “I didn’t know I had been hacked for another two hours.”

In fact, the phishing email had set in motion a two-day cat-and-mouse game with Syrian Electronic Army (SEA) hackers who would deface the Forbes website and backend publishing platform, attempt to post market-moving news, steal a million registered users’ credentials, and briefly offer them for sale before leaking the data online.

Compared with the Chinese attack that penetrated the New York Times in 2012 or the cybercriminal theft of millions of credit card numbers from Target late last year, the SEA attack on Forbes doesn’t seem to have been technically complex. But the hackers were nonetheless clever and persistent enough to stay a step ahead of the media company’s security measures. A week later, Forbes staff have only just come out of a partial email and publishing lockdown designed to prevent the attackers from breaching the site again and limit the damage if they do regain access.

Forbes’ chief product officer Lewis Dvorkin has already shared some details of the attack along with his thoughts on the incident. On Wednesday morning, users were again allowed to log in to the Forbes site and required to choose new, stronger passwords.

But in the interest of transparency–and out of a sense that we should subject ourselves to the same journalistic scrutiny as the subjects of our stories–fellow reporter Kashmir Hill and I have assembled a timeline based on our experience of the hack, as well as interviews with those staffers who were willing to speak with us.

Here’s what we’ve learned, with approximate times marked:

Thursday, 6:15am: A Forbes senior executive received a phishing email from a compromised Vice Media email account with a link to a fake Reuters story about Forbes. The link led to a spoofed webmail login where she shared her email credentials. (I reached out to Vice to ask about the possible compromise of the company’s email, but didn’t get a response.)

7:45am: The senior executive’s hacked account was used to send a second round of phishing emails to Forbes staffers, again asking them to check out a supposed news story about Forbes. A Forbes editorial staffer working from home who had disregarded the earlier, more suspicious-looking phishing attempt was duped by this second round of emails. “The imprimatur of [the senior executive] suggested something was actually going on here,” he says. “I’ve been kicking myself black and blue over this.”

The editorial staffer, who had “super-administrator” privileges on Forbes’ WordPress publishing platform, entered his email credentials into a fake webmail login page. When the link took him to an old NBC News story, he realized he’d been phished and alerted the Forbes IT department, who reset his email credentials.

8:15am: A Forbes IT administrator sent out a warning to staffers about the phishing attempts.

10:00am: A financial reporter fell for a stealthier version of the phishing attempt. As he describes it, he clicked on the link in the Vice phishing email but didn’t enter his email credentials. When he returned to WordPress to continue blogging, however, he was prompted to log in again. Two new posts appeared on his blog almost immediately. One read, “BREAKING: US Treasury declares all foreign T-bills void. Yellen to hold a press conference in 15 minutes,” and another, “Yellen to press: ‘We can no longer tolerate China’s currency manipulation.’”

When we ran this series of events by web hacking expert and WhiteHat Security founder Jeremiah Grossman, he speculated that the phishing email link performed an attack known as a Cross-Site Request Forgery that hijacked the reporter’s browser to post the stories. Forbes staff say now that they haven’t ruled out the possibility that malware may have also been installed on his machine, though Grossman says he doubts this is the case.

In less than five minutes, an editor spotted the fake news stories and took them down.

10:15am: The Forbes operations staff decided to lock users out of WordPress until they could address the compromise of the site. “We realized that this had escalated and become a real problem,” says Forbes chief operations officer Mike Federle. “We jumped into code red.”

Over the next hours, they reset the credentials of all Forbes users with super-administrator privileges along with any other users who said they’d fallen for the phishing scheme, notifying them of their new credentials one-by-one in person or over the phone to avoid using email after the previous phishing schemes.

6:00pm: The site was reopened to users.

7:00pm: The hackers changed a headline on social media editor Alex Knapp’s blog page to “The Syrian Electronic Army Was Here.” Although the Syrian Electronic Army later wrote on their Twitter feed that their entire attack could be blamed on Knapp, this seems to have been misdirection. The defacement of his page was performed using the same editorial staffer’s super-administrator account that had been first compromised that morning. In the short time before his email credentials were changed by the Forbes IT staff, the hackers had gained access to the editorial staffer’s high-privilege WordPress account by exploiting WordPress’s “forgot password” function and resetting his publishing account password from his compromised email inbox.

In fact, Forbes staff now believe the hackers may have used their initial access to the super-admin WordPress account to change both the email address and the social networking accounts–such as LinkedIn, Twitter, Google+, and Facebook–associated with it. So despite the editorial staffer’s WordPress credentials being changed earlier in the day, they were able to quickly regain access to the account by again triggering the “forgot password” function and accessing the reset email sent to their own account.

7:10pm: The site was again locked down to prevent further compromise. After discovering that the hackers had changed the email addresses associated with compromised users’ WordPress accounts, Forbes staff changed back to the users’ addresses.

Midnight: The site was reopened to users.

Friday, sometime between 12:30 and 3:30am: The hackers again accessed the same editor’s super-administrator account on WordPress, possibly taking advantage of his altered social logins. Though Forbes staffers had fixed the email address associated with the account, they say they may not have changed the social accounts connected with it.

3:30am: The hackers used the editor’s account to deface the blog pages of six more Forbes staffers–including mine–with the phrase “Hacked By The Syrian Electronic Army.” Some of these staffers had linked their Twitter accounts with their WordPress accounts, so that the SEA message also appeared on their personal Twitter feeds.

3:40am: The site was locked down for a third time.

7:30am: After social logins were disabled, the site reopened.

8:00am: Using a method that’s still not clear, the hackers regained access yet again to the editor’s account–possibly by exploiting a vulnerability in a WordPress plugin that allowed them to insert malicious code into the site. They changed the Forbes WordPress installation theme, inserting their own logos and a Syrian flag designed from ones and zeroes. At some point, they also inserted code into the top post linked on the site’s homepage so that it redirected thousands of users to the Syrian Electronic Army’s Twitter feed.

11:30am: Forbes administrators were forwarded an email from a hacker named Ethical Spectrum that had been sent to seemingly random staffers earlier in the day. The message said he or she had stolen the entire Forbes database of registered usernames, emails, and passwords, and went on to demand what may have been a ransom. Just how the data was stolen isn’t exactly clear, but WordPress does allow users with super-administrator privileges to export the full user database.

The message from Ethical Spectrum, who also took credit for an attack on video game company Supercell earlier this month, read as follows:

Hello Forbes. I found gabs in your servers thats allowed me to download all your databases. i can help you to avoid this again. but i want something in return like fees. the proof that i hacked your databases is this screenshot. its only 1 million user. NOTE: I have some roles. ROLE NUMBER 1. Do not delay in reply.

It was followed by a screenshot showing a few users’ credentials and passwords, which WordPress had cryptographically hashed to make them unreadable.

At this point, Forbes administrators locked down the site again and called the FBI.

When we contacted Ethical Spectrum for comment, he claimed he wasn’t associated with the Syrian Electronic Army, and had only learned of the attack from the Syrian Electronic Army’s Facebook page.

12:35pm: The Syrian Electronic Army announced on its Twitter feed that it had hacked Forbes. It later wrote that it had gained access to the million-user database, and asked for bids from possible buyers before declaring that it would release the hacked usernames, emails and hashed passwords for free. It published the database Friday night.

The Syrian Electronic Army may not be finished with Forbes just yet. On Twitter, it claims to have “one last thing” to reveal from the attack.

Forbes’ staff, meanwhile, spent the last five days in recovery mode, enlisting an incident response firm to suss out and patch any of the site’s remaining entry points for the hackers.
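The repeated re-entry between Thursday evening and Friday morning comes down to recovery paths that outlived each password reset. The following is an added example, not part of the original article and not Forbes' tooling: it replays account-change events for one privileged account and reports which recovery paths remain outside the owner's control after each step. The event names, addresses and times are constructed assumptions, and the model covers only the password, reset-email and social-login paths, not the possible plugin vulnerability.

```python
# Added example: replay account-change events for one privileged account and
# report which recovery paths an intruder could still use after each step.
# Event names, addresses and times are constructed, not a real WordPress log.

TRUSTED_EMAIL = "staffer@example.com"
TRUSTED_SOCIAL = set()  # identities the real owner linked before the phish

EVENTS = [  # (time, source, action, value); "self" = self-service, "admin" = IT
    ("Thu 07:50", "self", "password_reset", None),
    ("Thu 07:55", "self", "email_changed", "intruder@example.net"),
    ("Thu 07:56", "self", "social_linked", "twitter:intruder"),
    ("Thu 14:00", "admin", "password_reset", None),
    ("Thu 19:00", "self", "password_reset", None),
    ("Thu 19:10", "admin", "email_changed", TRUSTED_EMAIL),
    ("Thu 19:11", "admin", "password_reset", None),
    ("Fri 03:40", "admin", "social_disabled", None),
]


def open_paths(email, linked, social_enabled, password_by):
    """Return the recovery paths that are not under the owner's control."""
    paths = set()
    if password_by == "self":          # set through a suspect self-service flow
        paths.add("password")
    if email != TRUSTED_EMAIL:         # "forgot password" mail goes elsewhere
        paths.add("reset-email")
    if social_enabled and linked - TRUSTED_SOCIAL:
        paths.add("social-login")      # an unknown linked identity can sign in
    return paths


def replay(events):
    """Replay events in order; return [(time, action, sorted open paths)]."""
    email, linked = TRUSTED_EMAIL, set(TRUSTED_SOCIAL)
    social_enabled, password_by = True, "admin"  # state before the phish
    report = []
    for when, source, action, value in events:
        if action == "password_reset":
            password_by = source
        elif action == "email_changed":
            email = value
        elif action == "social_linked":
            linked.add(value)
        elif action == "social_disabled":
            social_enabled = False
        report.append((when, action, sorted(open_paths(
            email, linked, social_enabled, password_by))))
    return report
```

In this constructed replay the first admin password reset still leaves two paths open, and the account is only fully back under the owner's control once the email is restored, the password is reset again and social logins are disabled.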

In future posts, we plan to provide updates on Forbes’ response to the attack, how it changes our security practices, and the lessons it holds for the company as well as for other potential hacking targets. Forbes is hardly the first media outlet to be hit by the Syrian Electronic Army. It likely won’t be the last.

With reporting contributed by Kashmir Hill.

Source: Forbes Apple

 
 
