Syrian hackers, best known for their attacks on vital sites in Israel, the US, and Europe, are turning on their own people, taking advantage of their fears about the devastating civil war around them.
The Syrian Electronic Army, an outfit that has gained fame for its hacks of government and defense websites, is one of the biggest beneficiaries of the unrest that has characterized Syria for the past several years. SEA hackers get access to user systems, recording information about on-line accounts and stealing funds, or using victims’ computers as part of huge botnets that send out spam and become part of attacks on banks and financial sites.
A new report by security firm Kaspersky Lab shows how the SEA has used a variety of Internet “dirty tricks” to hoodwink panicked web users into clicking on links and files that have installed a variety of Trojans, viruses, password hijackers, and other malware that give cybercrooks full access to computers. Because Syrians are rattled enough by the civil war to apparently click on anything that seems “official,” issued by the government or the army, hackers don’t even have to bother making their phony wares seem real. They’re confident that users will even gladly click on something called “Ammazon Internet Security” if they believe it will make them a bit safer.
In a special report on the SEA’s activities in Syria and beyond, Kaspersky said it “has discovered new malware attacks in Syria, with malicious entities using a plethora of methods from their toolbox to hide and operate malware. In addition to proficient social engineering tricks, victims are often tempted to open and explore malicious files because of the dire need for privacy and security tools in the region. In the hopes of maintaining anonymity and installing the latest ‘protection,’ victims fall prey to these malicious creations.”
The SEA has been taking advantage of Syrian civilians’ thirst for information by sending out “socially engineered” links, WhatsApp messages, Facebook and Twitter postings, and links to YouTube videos. The messages are designed to get attention, encouraging people to click on links that lead them to websites where a variety of RATs, or Remote Access Tools, will be installed; in other words, Trojan malware. Those allow hackers to take over users’ systems. The hackers are then able to remotely install tools like keystroke recorders, which send over all the text users type on their keyboards, including usernames and passwords, giving hackers access to accounts, including financial ones.
Among the messages SEA hackers use are, ironically, requests for readers to install anti-malware software. While those requests are de rigueur for hackers around the world, they take on added importance, for scared readers at least, when accompanied by messages that make them appear as if they were issued by “official” sources warning of hacking attempts, and telling users that the only way to protect themselves is by installing special programs to protect their computer. While users might be wary of such requests during normal times, many of the people reading these messages apparently let their guard down during wartime, Kaspersky found, and the SEA is successfully taking control of hundreds of thousands of systems just by asking people to install “security” software.
For those who still have their wits about them, the SEA has a few other tricks up its sleeve. The group sends out links to lurid videos which show incidents like bombings, hangings, and beheadings. Messages alternately claim to show excesses committed by Syrian rebels and by army troops, so supporters and opponents of either side have an equal “opportunity” to bring the SEA on board their systems. These links, too, have proven to be profitable for the SEA, Kaspersky found, because few people are able to resist clicking on a link that promises wartime blood, guts, and glory.
The SEA even has something for activists and diplomats interested in stopping the bloodshed. “We found a set of compressed files on a popular social networking site,” the report said. “When extracted it showed a database containing a list of activists and wanted individuals in Syria. The download URL redirected victims to a file-sharing service where the file was being hosted.” The SEA apparently believes it will be used by groups seeking to bring peace, or at least quiet, to Syria, identifying the heroes and villains of the struggle. While the files users click on do have some information, the report said, it’s old, and the download contains far more than its readers bargained for: invasive malware.
The “Ammazon” security program was aimed mostly at unsophisticated users, Kaspersky said. “Using nothing more than a couple of buttons and a catchy name, Syrian malware groups were hoping that the intended victims would fall into the trap. Analyzing the code interestingly revealed that it has the look and feel of a security application, but of course, no real security features. While silently executing a remote administration tool when launching this ‘security suite,’ targeted victims were left without their ‘Ammazon’ protection but with a RAT installed,” the report added.
Most of the SEA attacks come from within Syria itself, while a smaller number originate in Russia and Ukraine, Kaspersky said. The SEA does most of its illicit social engineering in Arabic, and as many Middle Easterners are interested in what is going on in the country, the SEA has been finding ready “customers” for its scare tactics across the entire region. Besides Syria, which supplies the vast majority of victims, SEA targets can be found in Lebanon, Turkey, Saudi Arabia, Egypt, Jordan, the West Bank, Israel, and the US.
As in a ground war, the “soldiers” of the SEA are learning from their experiences on the cyber-battlefield – and that knowledge will only make them and other hackers stronger. “We expect these attacks to continue and evolve both in quality and quantity,” the report said. “We expect the attackers to start using more advanced techniques to distribute their malware, using malicious documents or drive-by download exploits. With enough funding and motivation, they might … make their attacks more effective and allow them to target more sensitive or high profile victims.”