How The Syrian Electronic Army Hacked Us: A Detailed Timeline

Feb 20 2014, 9:42am CST | by

How The Syrian Electronic Army Hacked Us: A Detailed Timeline
Photo Credit: Forbes Apple

Early Thursday morning, a Forbes senior executive was woken up by a call from her assistant, saying that she’d be working from home due to a forecast predicting the snowiest day of the year. When she ended the call, the executive saw on her Blackberry that she had just received a bluntly worded email that seemed to have been sent by a reporter at Vice Media, asking her to comment on a Reuters story linked in the message.

Any other time, she says she would have waited to read the linked story later at the Forbes office. But with the sale of the 96-year-old media company pending, she was on the alert for news. Groggily stepping out of bed, she grabbed her iPad, opened the email in her Forbes webmail page through a shortcut on the device’s homepage and tapped the emailed link.

In her half-asleep state, she was prompted for her webmail credentials and entered them, thinking her access to the page had timed out. When the link led to a broken url on Reuters’ website, she got dressed and began her snowy commute from Brooklyn to Manhattan without a second thought. “It was so insidious,” she says. “I didn’t know I had been hacked for another two hours.”

In fact, the phishing email had set in motion a two-day cat-and-mouse game with Syrian Electronic Army (SEA) hackers who would deface the Forbes website and backend publishing platform, attempt to post market-moving news, steal a million registered users’ credentials, and briefly offer them for sale before leaking the data online.

Compared with the Chinese attack that penetrated the New York Times in 2012 or  the cybercriminal theft of millions of credit card numbers from Target late last year , the SEA attack of Forbes doesn’t seem to have been technically complex. But the hackers were nonetheless clever and persistent enough to stay a step ahead of the media company’s security measures. A week later, Forbes staff have only just come out of a partial email and publishing lockdown designed to prevent the attackers from breaching the site again and limit the damage if they do regain access.

Forbes’ chief product officer Lewis Dvorkin has already shared some details of the attack along with his thoughts on the incident . On Wednesday morning, users were again allowed to log in to the Forbes site and required to choose new, stronger passwords.

But in the interest of transparency–and out of a sense that we should subject ourselves to the same journalistic scrutiny as the subjects of our stories–fellow reporter Kashmir Hill and I have assembled a timeline based on our experience of the hack, as well as interviews with those staffers who were willing to speak with us.

Here’s what we’ve learned, with approximate times marked:

Thursday, 6:15am: A Forbes senior executive received a phishing email from a compromised Vice Media email account with a link to a fake Reuters story about Forbes. The link led to a spoofed webmail login where she shared her email credentials. (I reached out to Vice to ask about the possible compromise of the company’s email, but didn’t get a response.)

7:45am: The senior executive’s hacked account was used to send a second round of phishing emails to Forbes staffers, again asking them to check out a supposed news story about Forbes. A Forbes editorial staffer working from home who had disregarded the earlier, more suspicious-looking phishing attempt was duped by this second round of emails. “The imprimatur of [the senior executive] suggested something was actually going on here,” he says. “I’ve been kicking myself black and blue over this.”

The editorial staffer, who had “super-administrator” privileges on Forbes’ WordPress publishing platform, entered his email credentials into a fake webmail login page. When the link took him to an old NBC News story, he realized he’d been phished and alerted the Forbes IT department, who reset his email credentials.

8:15am: A Forbes IT administrator sent out a warning to staffers about the phishing attempts.

10:00am: A financial reporter fell for a stealthier version of the phishing attempt. As he describes it, he clicked on the link in the Vice phishing email but didn’t enter his email credentials. When he returned to WordPress to continue blogging, however, he was prompted again to log in again. Two new posts appeared on his blog almost immediately. One read, “BREAKING: US Treasury declares all foreign T-bills void. Yellen to hold a press conference in 15 minutes,” and another, “Yellen to press: ‘We can no longer tolerate China’s currency manipulation.’”

When we ran this series of events by web hacking expert and Whitehat Security founder Jeremiah Grossman, he speculated that the phishing email link performed an attack known as a Cross-Site Request Forgery that hijacked his browser to post the stories. Forbes staff say now that they haven’t ruled out the possibility that malware may have also been installed on his machine, though Grossman says he doubts this is the case.

In less than five minutes, an editor spotted the fake news stories and took them down.

10:15am: The Forbes operations staff decided to lock users out of WordPress until they could address the compromise of the site. “We realized that this had escalated and become a real problem,” says Forbes chief operations officer Mike Federle. “We jumped into code red.”/>/>

Over the next hours, they reset the credentials of all Forbes users with super-administrator privileges along with any other users who said they’d fallen for the phishing scheme, notifying them of their new credentials one-by-one in person or over the phone to avoid using email after the previous phishing schemes.

6:00pm: The site was reopened to users.

7:00pm: The hackers changed a headline on social media editor Alex Knapp’s blog page to “The Syrian Electronic Army Was Here.” Although the Syrian Electronic Army later wrote on their Twitter feed that their entire attack could be blamed on Knapp, this seems to have been misdirection. The defacement of his page was performed using the same editorial staffer’s super-administrator account that had been first compromised that morning. In the short time before his email credentials were changed by the Forbes IT staff, the hackers had gained access to the editorial staffer’s high-privilege WordPress account by exploiting WordPress’s “forgot password” function and resetting his publishing account password from his compromised email inbox.

In fact, Forbes staff now believe the hackers may have used their initial access to the super-admin WordPress account to change both the email address and the social networking accounts–such as Linkedin, Twitter, Google+, and Facebook–associated with it. So despite the editorial staffer’s WordPress credentials being changed earlier in the day, they were able to quickly regain access to the account by again triggering the “forgot password” function and accessing the reset email sent to their own account.

7:10pm: The site was again locked down to prevent further compromise. After discovering that the hackers had changed the email addresses associated with compromised users’ WordPress accounts, Forbes staff changed back to the users’ addresses.

Midnight: The site was reopened to users.

Friday, sometime between 12:30 and 3:30am: The hackers again accessed the same editor’s super-administrator account on WordPress, possibly taking advantage of his altered social logins. Though Forbes staffers had fixed the email address associated with the account, they say they may not have changed the social accounts connected with it.

3:30am The hackers used the editor’s account to deface the blog pages of six more Forbes staffers–including mine–with the phrase “Hacked By The Syrian Electronic Army.” Some of these staffers had linked their Twitter accounts with their WordPress accounts, so that the SEA message also appeared on their personal Twitter feeds.

3:40am: The site was locked down for a third time.

7:30am: After social logins were disabled, the site reopened.

8:00am: Using a method that’s still not clear, the hackers regained access yet again to the editor’s account–possibly by exploiting a vulnerability in a WordPress plugin that allowed them to insert malicious code into the site. They changed the Forbes WordPress installation theme, inserting their own logos and a Syrian flag designed from ones and zeroes. At some point, they also inserted code into the top post linked on the site’s homepage so that it redirected thousands of users to the Syrian Electronic Army’s Twitter feed.

11:30am: Forbes administrators were forwarded an email from a hacker named Ethical Spectrum that had been sent to seemingly random staffers earlier in the day. The message said he or she had stolen the entire Forbes database of registered usernames, emails, and passwords, and went on to demand what may have been a ransom. Just how the data was stolen isn’t exactly clear, but WordPress does allow users with super-administrator privileges to export the full user database.

The message from Ethical Spectrum, who also took credit for an attack on video game company Supercell earlier this month , read as follows:

Hello Forbes. I found gabs in your servers thats allowed me to download all your databases. i can help you to avoid this again. but i want something in return like fees. the proof that i hacked your databases is this screenshot. its only 1 million user. NOTE: I have some roles. ROLE NUMBER 1. Do not delay in reply.

It was followed by a screenshot showing a few users’ credentials and passwords, which WordPress had cryptographically hashed to make them unreadable.

At this point, Forbes administrators locked down the site again and called the FBI.

When we contacted Ethical Spectrum for comment, he claimed he wasn’t associated with the Syrian Electronic Army, and had only learned of the attack from the Syrian Electronic Army’s Facebook page.

12:35pm: The Syrian Electronic Army announced on its Twitter feed that it had hacked Forbes. It later wrote that it had gained access to the million-user database, and asked for bids from possible buyers before declaring that it would release the hacked usernames, emails and hashed passwords for free. It published the database Friday night./>/>

The Syrian Electronic Army may not be finished with Forbes just yet. On Twitter, it claims to have “one last thing” to reveal from the attack.

Forbes’ staff, meanwhile, spent the last five days in recovery mode, enlisting an incident response firm to suss out and patch any of the site’s remaining entry points for the hackers.

In future posts, we plan to provide updates on Forbes’ response to the attack, how it changes our security practices, and the lessons it holds for the company as well as for other potential hacking targets. Forbes is hardly the first media outlet to be hit by the Syrian Electronic Army. It likely won’t be the last.

With reporting contributed by Kashmir Hill.

Source: Forbes Apple

 
 

Don't miss ...

 

<a href="/latest_stories/all/all/30" rel="author">Forbes</a>
Forbes is among the most trusted resources for the world's business and investment leaders, providing them the uncompromising commentary, concise analysis, relevant tools and real-time reporting they need to succeed at work, profit from investing and have fun with the rewards of winning.

 

blog comments powered by Disqus

Latest stories

Instagram launches messaging app
New York, July 30 (IANS) Social network Instagram has launched its messaging app called Bolt which makes sending visuals easy. The easy to use app allows you to tap once to send a photo and long press to send a video.
 
 
Eating tree nuts daily prolongs life
Toronto, July 30 (IANS) Include at least 50 grams of almonds, cashews, chestnuts, walnuts or pistachios in your diet to control blood fats (triglycerides) and sugars - two of the five markers for metabolic syndrome.
 
 
Sweetened beverages can impair memory
New York, July 30 (IANS) Limit your sugar-sweetened beverage intake if you are a teenager. An alarming study shows that daily consumption of beverages can impair your ability to learn and remember.
 
 
Menu design can spoil diners' mood
New York, July 30 (IANS) If you have ordered the wrong food at a restaurant, do not blame yourself. Curse the menu instead.
 
 
 

Latest from the Network

Zac Efron opens up about rehab stint
Los Angeles, July 30 (IANS) Actor Zac Efron opens up about the circumstances that led to his decision to enter a rehabilitation. The 26-year-old got candid on the first episode of "Running Wild With Bear Grylls" and...
Read more on Celebrity Balla
 
Genocide trial against former Khmer Rouge leaders begins
Bangkok, July 30 (IANS/EFE) The special tribunal for Cambodia Wednesday opened the second trial in Phnom Penh against the last two surviving leaders of the Khmer Rouge regime, who face charges for crimes against...
Read more on Politics Balla
 
Instagram launches messaging app
New York, July 30 (IANS) Social network Instagram has launched its messaging app called Bolt which makes sending visuals easy. The easy to use app allows you to tap once to send a photo and long press to send a video...
Read more on Ad Balla
 
England bowl out India for 330, decide against follow-on
Southampton, July 30 (IANS) Clinching the remaining two Indian wickets in a jiffy, England bowled out India for 330 -- 239 runs behind -- but chose not to enforce the follow-on on the fourth day of the third cricket...
Read more on Sport Balla
 
Eating tree nuts daily prolongs life
Toronto, July 30 (IANS) Include at least 50 grams of almonds, cashews, chestnuts, walnuts or pistachios in your diet to control blood fats (triglycerides) and sugars - two of the five markers for metabolic syndrome. A...
Read more on Apple Balla
 
Commonwealth Games medals tally
Glasgow, July 30 (IANS) Australia continue to lead the 2014 Commonwealth Games medals tally followed by England and Canada at the beginning of the seventh day. India are sixth with 10 golds, 15 silvers and 11 bronzes...
Read more on Sport Balla
 
Narayan Singh finishes 8th in men's hammer throw finals
Glasgow, July 30 (IANS) Indian athlete Chandrodaya Narayan Singh could only manage an eighth place finish in the men's hammer throw finals of the 2014 Commonwealth Games at the Hampden Park Stadium here. Narayan Singh...
Read more on Sport Balla
 
Sweetened beverages can impair memory
New York, July 30 (IANS) Limit your sugar-sweetened beverage intake if you are a teenager. An alarming study shows that daily consumption of beverages can impair your ability to learn and remember. Most of the...
Read more on Apple Balla
 
Menu design can spoil diners' mood
New York, July 30 (IANS) If you have ordered the wrong food at a restaurant, do not blame yourself. Curse the menu instead. According to an interesting research, what you order may have less to do with what you want...
Read more on Apple Balla
 
Golden ale to celebrate the Games' spirit (CWG Diary)
Glasgow, July 30 (IANS) To celebrate the spirit of the Games, Scottish brewing giant Caledonian Brewery has introduced a limited edition 'ale' brewed from ingredients from around the Commonwealth. Christened '...
Read more on Sport Balla