How The Syrian Electronic Army Hacked Us: A Detailed Timeline

Feb 20 2014, 9:42am CST | by

How The Syrian Electronic Army Hacked Us: A Detailed Timeline
Photo Credit: Forbes Apple

Early Thursday morning, a Forbes senior executive was woken up by a call from her assistant, saying that she’d be working from home due to a forecast predicting the snowiest day of the year. When she ended the call, the executive saw on her Blackberry that she had just received a bluntly worded email that seemed to have been sent by a reporter at Vice Media, asking her to comment on a Reuters story linked in the message.

Any other time, she says she would have waited to read the linked story later at the Forbes office. But with the sale of the 96-year-old media company pending, she was on the alert for news. Groggily stepping out of bed, she grabbed her iPad, opened the email in her Forbes webmail page through a shortcut on the device’s homepage and tapped the emailed link.

In her half-asleep state, she was prompted for her webmail credentials and entered them, thinking her access to the page had timed out. When the link led to a broken url on Reuters’ website, she got dressed and began her snowy commute from Brooklyn to Manhattan without a second thought. “It was so insidious,” she says. “I didn’t know I had been hacked for another two hours.”

In fact, the phishing email had set in motion a two-day cat-and-mouse game with Syrian Electronic Army (SEA) hackers who would deface the Forbes website and backend publishing platform, attempt to post market-moving news, steal a million registered users’ credentials, and briefly offer them for sale before leaking the data online.

Compared with the Chinese attack that penetrated the New York Times in 2012 or  the cybercriminal theft of millions of credit card numbers from Target late last year, the SEA attack of Forbes doesn’t seem to have been technically complex. But the hackers were nonetheless clever and persistent enough to stay a step ahead of the media company’s security measures. A week later, Forbes staff have only just come out of a partial email and publishing lockdown designed to prevent the attackers from breaching the site again and limit the damage if they do regain access.

Forbes’ chief product officer Lewis Dvorkin has already shared some details of the attack along with his thoughts on the incident. On Wednesday morning, users were again allowed to log in to the Forbes site and required to choose new, stronger passwords.

But in the interest of transparency–and out of a sense that we should subject ourselves to the same journalistic scrutiny as the subjects of our stories–fellow reporter Kashmir Hill and I have assembled a timeline based on our experience of the hack, as well as interviews with those staffers who were willing to speak with us.

Here’s what we’ve learned, with approximate times marked:

Thursday, 6:15am: A Forbes senior executive received a phishing email from a compromised Vice Media email account with a link to a fake Reuters story about Forbes. The link led to a spoofed webmail login where she shared her email credentials. (I reached out to Vice to ask about the possible compromise of the company’s email, but didn’t get a response.)

7:45am: The senior executive’s hacked account was used to send a second round of phishing emails to Forbes staffers, again asking them to check out a supposed news story about Forbes. A Forbes editorial staffer working from home who had disregarded the earlier, more suspicious-looking phishing attempt was duped by this second round of emails. “The imprimatur of [the senior executive] suggested something was actually going on here,” he says. “I’ve been kicking myself black and blue over this.”

The editorial staffer, who had “super-administrator” privileges on Forbes’ WordPress publishing platform, entered his email credentials into a fake webmail login page. When the link took him to an old NBC News story, he realized he’d been phished and alerted the Forbes IT department, who reset his email credentials.

8:15am: A Forbes IT administrator sent out a warning to staffers about the phishing attempts.

10:00am: A financial reporter fell for a stealthier version of the phishing attempt. As he describes it, he clicked on the link in the Vice phishing email but didn’t enter his email credentials. When he returned to WordPress to continue blogging, however, he was prompted again to log in again. Two new posts appeared on his blog almost immediately. One read, “BREAKING: US Treasury declares all foreign T-bills void. Yellen to hold a press conference in 15 minutes,” and another, “Yellen to press: ‘We can no longer tolerate China’s currency manipulation.’”

When we ran this series of events by web hacking expert and Whitehat Security founder Jeremiah Grossman, he speculated that the phishing email link performed an attack known as a Cross-Site Request Forgery that hijacked his browser to post the stories. Forbes staff say now that they haven’t ruled out the possibility that malware may have also been installed on his machine, though Grossman says he doubts this is the case.

In less than five minutes, an editor spotted the fake news stories and took them down.

10:15am: The Forbes operations staff decided to lock users out of WordPress until they could address the compromise of the site. “We realized that this had escalated and become a real problem,” says Forbes chief operations officer Mike Federle. “We jumped into code red.”/>/>

Over the next hours, they reset the credentials of all Forbes users with super-administrator privileges along with any other users who said they’d fallen for the phishing scheme, notifying them of their new credentials one-by-one in person or over the phone to avoid using email after the previous phishing schemes.

6:00pm: The site was reopened to users.

7:00pm: The hackers changed a headline on social media editor Alex Knapp’s blog page to “The Syrian Electronic Army Was Here.” Although the Syrian Electronic Army later wrote on their Twitter feed that their entire attack could be blamed on Knapp, this seems to have been misdirection. The defacement of his page was performed using the same editorial staffer’s super-administrator account that had been first compromised that morning. In the short time before his email credentials were changed by the Forbes IT staff, the hackers had gained access to the editorial staffer’s high-privilege WordPress account by exploiting WordPress’s “forgot password” function and resetting his publishing account password from his compromised email inbox.

In fact, Forbes staff now believe the hackers may have used their initial access to the super-admin WordPress account to change both the email address and the social networking accounts–such as Linkedin, Twitter, Google+, and Facebook–associated with it. So despite the editorial staffer’s WordPress credentials being changed earlier in the day, they were able to quickly regain access to the account by again triggering the “forgot password” function and accessing the reset email sent to their own account.

7:10pm: The site was again locked down to prevent further compromise. After discovering that the hackers had changed the email addresses associated with compromised users’ WordPress accounts, Forbes staff changed back to the users’ addresses.

Midnight: The site was reopened to users.

Friday, sometime between 12:30 and 3:30am: The hackers again accessed the same editor’s super-administrator account on WordPress, possibly taking advantage of his altered social logins. Though Forbes staffers had fixed the email address associated with the account, they say they may not have changed the social accounts connected with it.

3:30am The hackers used the editor’s account to deface the blog pages of six more Forbes staffers–including mine–with the phrase “Hacked By The Syrian Electronic Army.” Some of these staffers had linked their Twitter accounts with their WordPress accounts, so that the SEA message also appeared on their personal Twitter feeds.

3:40am: The site was locked down for a third time.

7:30am: After social logins were disabled, the site reopened.

8:00am: Using a method that’s still not clear, the hackers regained access yet again to the editor’s account–possibly by exploiting a vulnerability in a WordPress plugin that allowed them to insert malicious code into the site. They changed the Forbes WordPress installation theme, inserting their own logos and a Syrian flag designed from ones and zeroes. At some point, they also inserted code into the top post linked on the site’s homepage so that it redirected thousands of users to the Syrian Electronic Army’s Twitter feed.

11:30am: Forbes administrators were forwarded an email from a hacker named Ethical Spectrum that had been sent to seemingly random staffers earlier in the day. The message said he or she had stolen the entire Forbes database of registered usernames, emails, and passwords, and went on to demand what may have been a ransom. Just how the data was stolen isn’t exactly clear, but WordPress does allow users with super-administrator privileges to export the full user database.

The message from Ethical Spectrum, who also took credit for an attack on video game company Supercell earlier this month, read as follows:

Hello Forbes. I found gabs in your servers thats allowed me to download all your databases. i can help you to avoid this again. but i want something in return like fees. the proof that i hacked your databases is this screenshot. its only 1 million user. NOTE: I have some roles. ROLE NUMBER 1. Do not delay in reply.

It was followed by a screenshot showing a few users’ credentials and passwords, which WordPress had cryptographically hashed to make them unreadable.

At this point, Forbes administrators locked down the site again and called the FBI.

When we contacted Ethical Spectrum for comment, he claimed he wasn’t associated with the Syrian Electronic Army, and had only learned of the attack from the Syrian Electronic Army’s Facebook page.

12:35pm: The Syrian Electronic Army announced on its Twitter feed that it had hacked Forbes. It later wrote that it had gained access to the million-user database, and asked for bids from possible buyers before declaring that it would release the hacked usernames, emails and hashed passwords for free. It published the database Friday night./>/>

The Syrian Electronic Army may not be finished with Forbes just yet. On Twitter, it claims to have “one last thing” to reveal from the attack.

Forbes’ staff, meanwhile, spent the last five days in recovery mode, enlisting an incident response firm to suss out and patch any of the site’s remaining entry points for the hackers.

In future posts, we plan to provide updates on Forbes’ response to the attack, how it changes our security practices, and the lessons it holds for the company as well as for other potential hacking targets. Forbes is hardly the first media outlet to be hit by the Syrian Electronic Army. It likely won’t be the last.

With reporting contributed by Kashmir Hill.

Source: Forbes Apple

 
 

Don't miss ...

 

<a href="/latest_stories/all/all/30" rel="author">Forbes</a>
Forbes is among the most trusted resources for the world's business and investment leaders, providing them the uncompromising commentary, concise analysis, relevant tools and real-time reporting they need to succeed at work, profit from investing and have fun with the rewards of winning.

 

blog comments powered by Disqus

Latest stories

Fitbit Not Expected To Work With Healthkit
Fitbit Not Expected To Work With Healthkit
Apple’s new health tracking App won’t connect to Fitbit devices
 
 
Retailers Dropping NFC Readers To Stop Apple Pay
Retailers Dropping NFC Readers To Stop Apple Pay
Merchants are removing support for Apple Pay
 
 
AT&amp;T Showing Lack Of Vision With New SIM Cards
AT&T Showing Lack Of Vision With New SIM Cards
The company has busted the Apple SIM cards meant for travelers
 
 
The Stores of CVS and Rite Aid Stop Supporting Apple Pay
The Stores of CVS and Rite Aid Stop Supporting Apple Pay
CVS and Rite Aid are not accepting the service of Apple Pay from the last weekend
 
 
 

Latest from the Network

OPEC daily basket price closes tad higher
Vienna, Oct 29 (IANS/WAM) The basket of 12 crude oils of the Organisation of Petroleum Exporting Countries (OPEC) closed at $82.44 a barrel Tuesday compared to $82.37 Monday, the OPEC Secretariat said. The new OPEC...
Read more on Business Balla
 
Rodriguez delighted to adapt to life at Real Madrid
Madrid, Oct 29 (IANS) Real Madrid's Colombian international James Rodriguez said that he has been a fan of the club for virtually all his life. Rodriguez, who joined Real Madrid for 80 million euros after the FIFA...
Read more on Sport Balla
 
Leopard print: Autumn fashion must-have
London, Oct 29 (IANS) Leopard is a statement print that never dates, and it's back with a vengeance for autumn. One should embrace the fashion must-have with open arms but be very careful of choosing the right piece....
Read more on Celebrity Balla
 
Pirate attacks off Somalia coast drop: Maritime watchdog
Nairobi, Oct 29 (IANS) A global maritime body said Wednesday that pirate attacks and armed robbery have decreased remarkably off the coast of Somalia in the past nine months. International Chamber of Commerce's...
Read more on Politics Balla
 
India leads South Asia in ease of doing business: World Bank
Washington, Oct 29 (IANS) A new World Bank Group report finds that has India set the pace for regulatory reform in South Asia since 2005 with 20 measures - the largest in the region. India was followed by Sri Lanka...
Read more on Business Balla
 
Modi to have jam-packed itinerary at SAARC Summit
Kathmandu, Oct 29 (IANS) Indian Prime Minister Narendra Modi, who arrives in Nepal on a four-day visit Nov 25 to participate in the 18th SAARC Summit, will be visiting three religious sites -- Janakpur, Lumbini and...
Read more on Politics Balla
 
Over 250 still missing in Sri Lanka landslide
Colombo, Oct 29 (IANS) Sri Lanka's Disaster Management Center(DMC) Wednesday said that over 250 people remain missing, hours after a massive landslide which buried over 150 houses in Haldammulla, located between...
Read more on Politics Balla
 
Bangladesh's Jamaat calls shutdown after chief's death sentence
Dhaka, Oct 29 (IANS) Bangladesh's largest Islamist party, Jamaat-e-Islami, Wednesday called for a country-wide shutdown after its chief Motiur Rahman Nizami was handed down the death sentence for wartime atrocities...
Read more on Politics Balla
 
Israelis ready to dump family, sex for internet: Poll
London, Oct 29 (IANS) A Google poll revealed that many Israeli people are willing to sacrifice sex and stop talking to their mothers for the sake of internet surfing. Conducted by MarketWatch organisation on behalf of...
Read more on Celebrity Balla
 
Syrian forces down drone in eastern city
Damascus, Oct 29 (IANS) Syrian troops Wednesday downed a drone in the eastern province of Deir al-Zour, state-run SANA news agency reported. Citing a military source, SANA said the Syrian troops downed the drone...
Read more on Politics Balla