Easily predictable: the 10th anniversary of 9/11 turned out to be too tempting an opportunity for unscrupulous hackers and cyber pranksters. The NBC News Twitter account (and its 130,000 followers) will probably remember this anniversary eve for a long time: late on Friday, September 9th, the account started to tweet false reports of a plane attack on Ground Zero.
Although there were some misplaced details in the tweets, a few minutes later the company's Chief Digital Officer admitted the account had been hacked and asked followers not to retweet the bogus messages:
The account was suspended and restored after a few minutes. As for the misplaced detail: The Script Kiddies, who claimed to have hacked the account, are not new to such actions, since they had already hacked the FOX News political account on July 4th, 2011, announcing a bogus report of Mr. Obama's death.
This is probably not a coincidence: the hacker(s), a splinter cell of Anonymous and LulzSec, have likely exploited the same (human?) vulnerability. The NBC News account is tightly controlled, and only three NBC News executives have the password.
One of them, Ryan Osborn, the NBC director of social media, said he was monitoring the account at the time and noticed the bogus messages within seconds, realizing that the password to NBC News’ Twitter account had been changed. He immediately contacted Twitter, which shut the account down eight minutes after the tweets appeared.
But there is a further detail: despite the warnings about easily predictable 9/11 scams, Osborn said he had recently received a suspicious email as Hurricane Irene was approaching New York. The email came from an unknown sender with the subject “Hurricane Alert” and the message:
Ryan, You need to get off Twitter immediately and protect your family from the hurricane. That is an order.
Osborn wrote back “I’m sorry. Who is this?” and the sender then replied:
I’m the girl next door
with an attachment. Osborn said he mistakenly clicked on the attachment, which contained a Christmas tree.
That click was probably fatal: it likely installed a Trojan keylogger on Osborn’s PC, which was then used to steal the password.
The FBI is investigating the NBC News Twitter account hacking, but one thing is clear: Twitter accounts are becoming a preferred target for this kind of hack. They allow an attacker to reach a wide audience in a few seconds, with the double result of quickly (and virally) spreading panic among followers and amplifying the echo (and visibility) of the attack. Moreover, there is no need to mount a large attack to compromise the server infrastructure, since the entry point is human, and human defenses have proven much weaker and easier to penetrate (a simple email is enough) than digital ones.
Last but not least, this is only the latest occurrence of an attack carried out via malicious attachments, which are being used both for complex multilayered attacks (as in the case of the RSA breach) and for simple, questionable pranks (as in the case of NBC News or Fox News).
I miss the good old days when the threat via e-mail could be at most spam…
- Hacked NBC News Twitter Account Issues False Reports of Ground Zero Plane Crash (mashable.com)
- FBI probes hacking of NBC News’ Twitter account (msnbc.msn.com)
This awful infosec July is over, and finally we can sum up the cyber attacks reported during this month. I collected all the available information and inserted it into the following chart. Where possible (that is, where enough information was available), I tried to estimate the cost of the attacks using the indications from the Ponemon Institute, according to which the average cost of a data breach is US $214 for each compromised record. The total sum (for the known attacks) is around $7.6 billion, mainly due to the “National Data Breach” of the South Korean social network Cyworld.
Approximately 16 attacks were directly or indirectly related to Antisec or Anonymous; they promised a hot summer and unfortunately are keeping their word…
Useful resources for compiling the (very long) chart were taken from:
- 2011 Cyber Attacks (and Cyber Costs) Timeline (Updated) (paulsparrows.wordpress.com)
- 2011 CyberAttacks Timeline (paulsparrows.wordpress.com)
- 50 Days of Hunt (paulsparrows.wordpress.com)
- LulzSec hacking: a timeline (telegraph.co.uk)
- Anonymous Denies Paternity For the CNAIPIC Hack (paulsparrows.wordpress.com)