Fraud Management & Cybercrime , Governance & Risk Management , Incident & Breach Response
FBI: ISIS Backers Deface WebsitesBureau Also Warns of Fake Government Websites
Sympathizers of the Islamic State terrorist group are exploiting a vulnerability in a WorldPress Content Management System plug-in to deface the websites of news organizations, businesses, religious institutions and governments in the U.S. and abroad, according to the FBI.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
The FBI also issued an alert warning of criminals hosting fraudulent government websites.
"Although the defacements demonstrate low-level hacking sophistication, they are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems," an FBI alert states.
The FBI says it believes the perpetrators are not members of the terrorist organization but use the Islamic State name to gain more notoriety than the breach would have otherwise garnered.
"The kind of threat that ISIS sympathizers pose is quite similar to the one posed by ad-hoc actors claiming an affiliation to Anonymous," says Ian Amit, vice president at the IT security firm ZeroFox, referring to the hacktivist group. "Obviously, any hack that involves privileged access to a computing asset could very likely escalate to something further than the usual graffiti in more skilled hands, but in most cases, the desired effect is mass-defacements of multiple websites posting the same sympathetic message."
Officials say methods employed by the hackers suggest that individual websites are not being targeted by name or business type. All victims of the defacements share common WordPress plug-in vulnerabilities easily exploited by commonly available hacking tools. Software patches are available for identified vulnerabilities.
In November, WordPress said users of versions 3.9.2 and earlier of its website content management software need to patch a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site (see WordPress Bug Could Enable Compromise).
Fake Government Websites
The FBI issued another alert saying its Internet Crime Complaint Center has received grievances regarding criminals hosting fraudulent government services websites to acquire personally identifiable information and collect fees from consumers.
Although the volume and loss amounts associated with these websites have been minimal, the FBI alert says, the victims have had their PII compromised. That could allow criminals to use the data for illicit activities, including the creation of fake identifications and passports, fraudulent loans and tax refunds.
How does the fraud work? Typically, consumers use a search engine to seek government services with the fraudulent site appearing as the first result, usually with a .com rather than a .gov domain that the consumer fails to recognize. Once consumers fill out and submit online forms, the fraudulent website requires a fee, typically $29 to $199, to complete the requested service. The victim is notified they must send their birth certificate, driver's license, employee badge or other personal items to a specified address to complete the transaction and is told to wait a few days to several weeks for processing.
"By the time the victim realizes it is a scam; they may have had extra charges billed to their credit/debit card, had a third-party designee added to their EIN (Employer Identification Number) card, and never received the services or documents requested," the alert says.
Israeli, Jewish Sites Threatened
Another FBI alert, to members of the FBI-private industry partnership InfraGard, says several extremist hacking groups indicate they would participate in an operation dubbed #OpIsrael, which will target Israeli and Jewish websites to coincide with Holocaust Remembrance Day that begins sundown April 15 and continues to sundown April 16, according to the news site Krebs on Security.
"The FBI assesses members of at least two extremist hacking groups are currently recruiting participants for the second anniversary of the operation, which started on 7 April 2013, and coincides with Holocaust Remembrance Day," the InfraGard alert says. "These groups, typically located in the Middle East and North Africa, routinely conduct pro-extremist, anti-Israeli and anti-Western cyber operations."