How The Syrian Electronic Army Hacked Us: A Detailed Timeline

Feb 20 2014, 9:42am CST | by

How The Syrian Electronic Army Hacked Us: A Detailed Timeline
Photo Credit: Forbes Apple

Early Thursday morning, a Forbes senior executive was woken up by a call from her assistant, saying that she’d be working from home due to a forecast predicting the snowiest day of the year. When she ended the call, the executive saw on her Blackberry that she had just received a bluntly worded email that seemed to have been sent by a reporter at Vice Media, asking her to comment on a Reuters story linked in the message.

Any other time, she says she would have waited to read the linked story later at the Forbes office. But with the sale of the 96-year-old media company pending, she was on the alert for news. Groggily stepping out of bed, she grabbed her iPad, opened the email in her Forbes webmail page through a shortcut on the device’s homepage and tapped the emailed link.

In her half-asleep state, she was prompted for her webmail credentials and entered them, thinking her access to the page had timed out. When the link led to a broken url on Reuters’ website, she got dressed and began her snowy commute from Brooklyn to Manhattan without a second thought. “It was so insidious,” she says. “I didn’t know I had been hacked for another two hours.”

In fact, the phishing email had set in motion a two-day cat-and-mouse game with Syrian Electronic Army (SEA) hackers who would deface the Forbes website and backend publishing platform, attempt to post market-moving news, steal a million registered users’ credentials, and briefly offer them for sale before leaking the data online.

Compared with the Chinese attack that penetrated the New York Times in 2012 or  the cybercriminal theft of millions of credit card numbers from Target late last year, the SEA attack of Forbes doesn’t seem to have been technically complex. But the hackers were nonetheless clever and persistent enough to stay a step ahead of the media company’s security measures. A week later, Forbes staff have only just come out of a partial email and publishing lockdown designed to prevent the attackers from breaching the site again and limit the damage if they do regain access.

Forbes’ chief product officer Lewis Dvorkin has already shared some details of the attack along with his thoughts on the incident. On Wednesday morning, users were again allowed to log in to the Forbes site and required to choose new, stronger passwords.

But in the interest of transparency–and out of a sense that we should subject ourselves to the same journalistic scrutiny as the subjects of our stories–fellow reporter Kashmir Hill and I have assembled a timeline based on our experience of the hack, as well as interviews with those staffers who were willing to speak with us.

Here’s what we’ve learned, with approximate times marked:

Thursday, 6:15am: A Forbes senior executive received a phishing email from a compromised Vice Media email account with a link to a fake Reuters story about Forbes. The link led to a spoofed webmail login where she shared her email credentials. (I reached out to Vice to ask about the possible compromise of the company’s email, but didn’t get a response.)

7:45am: The senior executive’s hacked account was used to send a second round of phishing emails to Forbes staffers, again asking them to check out a supposed news story about Forbes. A Forbes editorial staffer working from home who had disregarded the earlier, more suspicious-looking phishing attempt was duped by this second round of emails. “The imprimatur of [the senior executive] suggested something was actually going on here,” he says. “I’ve been kicking myself black and blue over this.”

The editorial staffer, who had “super-administrator” privileges on Forbes’ WordPress publishing platform, entered his email credentials into a fake webmail login page. When the link took him to an old NBC News story, he realized he’d been phished and alerted the Forbes IT department, who reset his email credentials.

8:15am: A Forbes IT administrator sent out a warning to staffers about the phishing attempts.

10:00am: A financial reporter fell for a stealthier version of the phishing attempt. As he describes it, he clicked on the link in the Vice phishing email but didn’t enter his email credentials. When he returned to WordPress to continue blogging, however, he was prompted again to log in again. Two new posts appeared on his blog almost immediately. One read, “BREAKING: US Treasury declares all foreign T-bills void. Yellen to hold a press conference in 15 minutes,” and another, “Yellen to press: ‘We can no longer tolerate China’s currency manipulation.’”

When we ran this series of events by web hacking expert and Whitehat Security founder Jeremiah Grossman, he speculated that the phishing email link performed an attack known as a Cross-Site Request Forgery that hijacked his browser to post the stories. Forbes staff say now that they haven’t ruled out the possibility that malware may have also been installed on his machine, though Grossman says he doubts this is the case.

In less than five minutes, an editor spotted the fake news stories and took them down.

10:15am: The Forbes operations staff decided to lock users out of WordPress until they could address the compromise of the site. “We realized that this had escalated and become a real problem,” says Forbes chief operations officer Mike Federle. “We jumped into code red.”/>/>

Over the next hours, they reset the credentials of all Forbes users with super-administrator privileges along with any other users who said they’d fallen for the phishing scheme, notifying them of their new credentials one-by-one in person or over the phone to avoid using email after the previous phishing schemes.

6:00pm: The site was reopened to users.

7:00pm: The hackers changed a headline on social media editor Alex Knapp’s blog page to “The Syrian Electronic Army Was Here.” Although the Syrian Electronic Army later wrote on their Twitter feed that their entire attack could be blamed on Knapp, this seems to have been misdirection. The defacement of his page was performed using the same editorial staffer’s super-administrator account that had been first compromised that morning. In the short time before his email credentials were changed by the Forbes IT staff, the hackers had gained access to the editorial staffer’s high-privilege WordPress account by exploiting WordPress’s “forgot password” function and resetting his publishing account password from his compromised email inbox.

In fact, Forbes staff now believe the hackers may have used their initial access to the super-admin WordPress account to change both the email address and the social networking accounts–such as Linkedin, Twitter, Google+, and Facebook–associated with it. So despite the editorial staffer’s WordPress credentials being changed earlier in the day, they were able to quickly regain access to the account by again triggering the “forgot password” function and accessing the reset email sent to their own account.

7:10pm: The site was again locked down to prevent further compromise. After discovering that the hackers had changed the email addresses associated with compromised users’ WordPress accounts, Forbes staff changed back to the users’ addresses.

Midnight: The site was reopened to users.

Friday, sometime between 12:30 and 3:30am: The hackers again accessed the same editor’s super-administrator account on WordPress, possibly taking advantage of his altered social logins. Though Forbes staffers had fixed the email address associated with the account, they say they may not have changed the social accounts connected with it.

3:30am The hackers used the editor’s account to deface the blog pages of six more Forbes staffers–including mine–with the phrase “Hacked By The Syrian Electronic Army.” Some of these staffers had linked their Twitter accounts with their WordPress accounts, so that the SEA message also appeared on their personal Twitter feeds.

3:40am: The site was locked down for a third time.

7:30am: After social logins were disabled, the site reopened.

8:00am: Using a method that’s still not clear, the hackers regained access yet again to the editor’s account–possibly by exploiting a vulnerability in a WordPress plugin that allowed them to insert malicious code into the site. They changed the Forbes WordPress installation theme, inserting their own logos and a Syrian flag designed from ones and zeroes. At some point, they also inserted code into the top post linked on the site’s homepage so that it redirected thousands of users to the Syrian Electronic Army’s Twitter feed.

11:30am: Forbes administrators were forwarded an email from a hacker named Ethical Spectrum that had been sent to seemingly random staffers earlier in the day. The message said he or she had stolen the entire Forbes database of registered usernames, emails, and passwords, and went on to demand what may have been a ransom. Just how the data was stolen isn’t exactly clear, but WordPress does allow users with super-administrator privileges to export the full user database.

The message from Ethical Spectrum, who also took credit for an attack on video game company Supercell earlier this month, read as follows:

Hello Forbes. I found gabs in your servers thats allowed me to download all your databases. i can help you to avoid this again. but i want something in return like fees. the proof that i hacked your databases is this screenshot. its only 1 million user. NOTE: I have some roles. ROLE NUMBER 1. Do not delay in reply.

It was followed by a screenshot showing a few users’ credentials and passwords, which WordPress had cryptographically hashed to make them unreadable.

At this point, Forbes administrators locked down the site again and called the FBI.

When we contacted Ethical Spectrum for comment, he claimed he wasn’t associated with the Syrian Electronic Army, and had only learned of the attack from the Syrian Electronic Army’s Facebook page.

12:35pm: The Syrian Electronic Army announced on its Twitter feed that it had hacked Forbes. It later wrote that it had gained access to the million-user database, and asked for bids from possible buyers before declaring that it would release the hacked usernames, emails and hashed passwords for free. It published the database Friday night./>/>

The Syrian Electronic Army may not be finished with Forbes just yet. On Twitter, it claims to have “one last thing” to reveal from the attack.

Forbes’ staff, meanwhile, spent the last five days in recovery mode, enlisting an incident response firm to suss out and patch any of the site’s remaining entry points for the hackers.

In future posts, we plan to provide updates on Forbes’ response to the attack, how it changes our security practices, and the lessons it holds for the company as well as for other potential hacking targets. Forbes is hardly the first media outlet to be hit by the Syrian Electronic Army. It likely won’t be the last.

With reporting contributed by Kashmir Hill.

Source: Forbes Apple

 
 

Don't miss ...

 

<a href="/latest_stories/all/all/30" rel="author">Forbes</a>
Forbes is among the most trusted resources for the world's business and investment leaders, providing them the uncompromising commentary, concise analysis, relevant tools and real-time reporting they need to succeed at work, profit from investing and have fun with the rewards of winning.

 

blog comments powered by Disqus

Latest stories

Why tech companies are going for mobile payments
Why tech companies are going for mobile payments
Consumers are slowly embracing mobile payments
 
 
Apple launches Apple Pay
Apple launches Apple Pay
You can now pay your parking using Apple Pay
 
 
iPhone 6 Outsmarting iPhone 6 Plus with Respect to the Market Share
iPhone 6 Outsmarting iPhone 6 Plus with Respect to the Market Share
The iPhone 6 Plus occupies 68 percent of overall Apple smartphone market share
 
 
Apple issues the first bond in Euros
Apple issues the first bond in Euros
Why Apple is making forays into the Europe market
 
 
 

Latest from the Network

FKA twigs doesn't want fame
FKA twigs doesn't want to be famous. The 'Two Weeks' hitmaker - who has been dating 'Twilight' star Robert Pattinson since September - has revealed that she doesn't want to be photographed everywhere she goes. She said...
Read more on Celebrity Balla
 
Cruzeiro edge closer to Brazil Serie A title
Rio de Janeiro, Nov 21 (IANS) Brazil internationals Everton Ribeiro and Ricardo Goulart each scored second-half goals as Cruzeiro defeated Gremio 2-1 in Brazil's Serie A championship. The result after Thursday's match...
Read more on Sport Balla
 
Fixtures of German Bundesliga soccer league
Berlin, Nov 21 (IANS) Following are the fixtures of German Bundesliga soccer league over the weekend, accordign to Xinhua. Nov 22: Bayern Munich vs Hoffenheim Borussia Monchengladbach vs Eintracht Frankfurt Hannover...
Read more on Sport Balla
 
Fixtures of French Ligue 1 soccer league
Paris, Nov 21 (IANS) Following are the fixtures of French Ligue 1 soccer league over the weekend, according to Xinhua. Nov 22: Metz vs Paris Saint Germain Nov 23: Bastia vs Lyon Guingamp vs Rennes Lorient vs Lens...
Read more on Sport Balla
 
Patient with Ebola symptoms being monitored in New York
New York, Nov 21 (IANS/EFE) A person showing symptoms of Ebola has been subjected to medical tests at a New York hospital, after returning from the Ebola-hit country of Mali. The patient, who has not been publicly...
Read more on Business Balla
 
Miley Cyrus to throw 6000 pound party for homeless
Los Angeles, Nov 21 (IANS) Singer Miley Cyrus is throwing a 6,000 pound Christmas party for homeless people. The 21-year-old is determined to show her ''caring and sensitive'' side by employing a chef to cook a three-...
Read more on Celebrity Balla
 
UNSC resolution includes policing in UN peacekeeping operations
United Nations, Nov 21 (IANS) The United Nations Security Council (UNSC) has unanimously adopted a resolution to include policing in UN peacekeeping operations and special political missions. The UNSC "resolves to...
Read more on Politics Balla
 
Kim Kardashian West's post-baby body
Kim Kardashian West thinks she has an ''even better body'' after giving birth. The 'Keeping Up With The Kardashians' star - who had 17-month-old North West in June last year - feels ''very confident'' about her figure....
Read more on Celebrity Balla
 
Mark Wahlberg's wife compares him to Harry Styles
Mark Wahlberg's wife thinks he looks like an older Harry Styles. Rhea Durham - who has been married to the 'Ted' star since 2009 - is pleased he is cutting off his locks for charity so he doesn't resemble an older...
Read more on Celebrity Balla
 
Beyonce 'rescued' sister's wedding
Beyonce Knowles ''rescued'' her sister's wedding. Solange tied the knot with videographer Alan Ferguson last Sunday (11.16.14) but the nuptials nearly resulted in a disaster when the 'Losing You' hitmaker reacted badly...
Read more on Celebrity Balla