Gaza ‘porn star video’ spread malware in Israel, says report

US cyber-security firm Trend Micro releases details of an unprecedented phishing scam that targeted top Israeli sites

A Palestinian hacker on the backdrop of the Dome of the Rock on April 8, 2013 (photo credit: Sliman Khader/ Flash 90)

Iron Dome may be able to stop Gaza terror rockets, but a new report by US security firm Trend Micro indicates that it can’t stop cyber-attacks by Gaza terror hackers. And, in fact, said the company in a report released Monday, Gaza hackers did exactly that, targeting government and business sites, stealing data, and releasing malware that, the hackers hoped, would compromise operations – via a porn video sent out to unwitting victims.

“Israel is one of the most highly defended countries in the world, sheltered behind the legendary ‘Iron Dome,’” said the Trend Micro report, called, appropriately enough, “Operation Arid Viper: Bypassing the Iron Dome.” While few Hamas rockets were able to affect major Israeli targets because of the IDF’s anti-missile system in last summer’s 50-day Israel-Hamas conflict, the same was not necessarily the case for major cyber targets. The Iron Dome “counts for nothing when an attacker – possibly seeking out revenge for Israeli air strikes on Gaza last year – circumvents all of that to strike right at the heart of the Israeli administration,” the report said.

The report didn’t specify which Israeli sites were targeted, and according to a spokesperson for Israel’s National Cyber Authority, the government was not aware of any “substantial” damage to Israeli sites from the attacks. But the report did discuss the methods used by the hackers.

“Picture the following reconstruction based on one attack,” the report said. “An employee in an Israeli government research facility receives and opens a highly targeted phishing email. A pornographic movie starts to play on his screen, which he hurriedly closes before any of his colleagues notice. He then thinks nothing more of the event.

“Minutes later, an attacker from somewhere in the Gaza Strip in Palestine gets notified that a new victim’s system has been successfully infected,” the report continues. “The attacker then proceeds to exfiltrate a package containing all of the interesting documents from the newly infected system.”

One reason the hackers were able to succeed, the report said, was that they did not launch their attacks from Gaza; most Israeli Internet service providers, and certainly government agencies, block connections between their networks and any computer in Gaza, for fear of exactly this scenario. The attacks, said Trend Micro, originated in Germany, which is not on an Israeli ISP “ban list.”

To “tempt” recipients to open the targeted e-mail – part of the “phishing” scam, in which hackers craft a message that recipients will find too interesting or important not to read – and its virus-bearing attachment, the Gaza hackers used two pieces of “bait”: a short pornographic video, or a file bearing the logo of communications app Skype, indicating that it was a message for the recipient.

The use of pornography in the attack, said Trend Micro, was a touch of genius. The attack “was unusual in that it had a pornographic component in hopes of taking user focus away from the infection or the fact that something strange is happening. It targeted professionals who might be receiving very inappropriate content at work and so would hesitate to report the incident. These victims’ failure to act on the threat could have then allowed the main malware to remain undiscovered. The attackers used a distinct and likely successful strategy previously unseen when it came to avoiding incident response team investigations.”

The report names three specific individuals it says were behind the attacks – all three of them working in tech firms in Gaza, and all three listed as either registrars of the domains in Germany from which the attacks took place, or involved in a parallel attack that was launched from Gaza against Egyptian targets, called Operation Advtravel. That attack, said Trend Micro, was far smaller in scope, targeting only a few hundred laptop users in Egypt – but was launched from the same servers as the Israel attack.

Other than naming the three, the report does not attribute the attack to any specific group, but the sophistication of the attack could mean, Trend Micro said in a blog post on the attack, “that there may be an overarching organization or underground community that helps support Arab hackers fight back against perceived enemies of Islam. They may do this by helping set up infrastructures, suggest targets and so on. We predict that there will be an increase of such ‘Cyber Militia activity’ in the Arab world, where non-state actors fight against other organizations that would traditionally be considered enemies.”

The report comes a day after an announcement by the government that what has for the last three years been the National Cyber Bureau would now be “upgraded” to the National Cyber Authority. As an Authority, the organization would get more funding, and be given a greater role in working with government and private organizations in establishing cyber-security policy, the government said in a statement.

“The cyber field is a dynamic one,” Prime Minister Benjamin Netanyahu said of the decision. “We need professional agencies in this field, that are committed to this field that deal only with this field, and which constitute links to the other agencies that deal with this field, some partially and some fully. Israel is a cyber power. Our goal is to further develop our capabilities in this field which is essential to the security and future of Israel.”

https://www.youtube.com/watch?v=bnPGb3Tvb5A
