Information Security News
Add the Financial Times to the growing list of media companies whose websites or Twitter accounts were hijacked by a group calling itself the Syrian Electronic Army.
On Friday, both the paper's Tech Blog and several of its Twitter accounts were seized by the group. The SEA used its unauthorized access to publish 12 blog posts in four minutes and also sent tweets through the FT's Twitter feeds. One stated "Syrian Electronic Army Was Here." Another linked to a YouTube video which appeared to show bound and blindfolded individuals being executed, according to The Wall Street Journal.
The FT said the accounts were hijacked following a phishing attack targeting company e-mail accounts. That's the same method used two weeks ago to commandeer the Twitter account of parody news site The Onion. Other media companies that have been similarly hacked by the SEA in recent months include the Associated Press, The Guardian, The BBC, and Al Jazeera.
A website that accepts payment in exchange for knocking other sites offline is perfectly legal, the proprietor of the DDoS-for-hire service says. Oh, it also contains a backdoor that's actively monitored by the FBI.
Ragebooter.net is one of several sites that openly accepts requests to flood sites with huge amounts of junk traffic, KrebsonSecurity reporter Brian Krebs said in a recent profile of the service. The site, which accepts payment by PayPal, uses so-called DNS reflection attacks to amplify the torrents of junk traffic. The technique requires the attacker to spoof the IP address of lookup requests and bounce them off open domain name system servers. This can generate data floods directed at a target that are 50 times bigger than the original request.
Krebs did some sleuthing and discovered the site was operated by Justin Poland of Memphis, Tennessee. The reporter eventually got an interview and found Poland was unapologetic.
We're looking for any info or packets that target port 51616. After witnessing a spike yesterday on his network and checking that our port data  corroborated his event, Andrew has written in asking what we know.
The most useful snapshot of port activity can be seen in this graph image. I ran the graphs as far back as 2006 and nothing more signifcant was illustrated. The image below highlights yesterdays events as well as a more curious spike back in March. These counts do not seem very significant at first look, but they could clearly be telling us something.
So drop us a comment to share what you know. We're interested to attribute this traffic to something useful.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.