Feeds

Jester hacker brags of mobe attack on Anonymous, baby-kisser

Pwned by QR code - or wind-up?

Reducing security risks from open source software

A hacker known as The Jester claims to have siphoned personal information from prominent members of Anonymous, a US politician and other assorted "enemies" after running a mobile malware-based attack that relied on the curiosity of his intended victims. The raid is unconfirmed.

In a blog post reminiscent of the penultimate act of a James Bond movie, the Jester described "how he done it".

The Jester said he laid a trap for intended victims by changing the icon for his Twitter account (@th3j35t3r) to a QR-code, just after news of last week's Anonymous/LulzSec arrests broke.

Victims induced "by their own curiosity" to scan this QR-code into their mobile phones were taken to a website loaded with mobile browser exploits that targeted both Android and iPhone users. The exploits reportedly relied on security bugs lodged inside the WebKit framework that is used by several mobile browsers.

According to the hacker, malicious code he used in the "attack" handed over the compromised users' Twitter credentials via a netcat command to the so-called patriot hacker. The Jester claims he checked these credentials against a list of known targets before moving on to the next phase of the attack: further exploitation.

"Enemies" of the hacker listed as targets included @AnonymousIRC, @wikileaks, @anonyops, @barretbrownlol (the Twitter address of sometime Anonymous spokesman Barrett Brown) and @RepDanGordon (Rhode Island State Representative Dan Gordon) and others. Gordon made it onto The Jester's hit list for his comments on Twitter referencing Anonymous in what The Jester saw as a sign of approval for the hacktivist group.

The Jester, previously most famous for claiming credit for an application-based DDoS attack against WikiLeaks and for disrupting pro-Jihadist websites, said he raised his permissions on each exploited device. iOS has a default username/password combination of root/alpine, making this step of the process simple on iPhones.

The process is more complicated on Android but even there a variety of attack tools exist. After obtaining these elevated privileges, the Jester then allegedly extracted data from databases on compromised devices, which he claimed allowed him to obtain SMS, voicemail, call logs, and email*.

That's the theory. In practice the hack would have involved taking the next steps in exploits already demonstrated by famed white-hat hacker Charlie Miller and others. In addition, the assault would have relied on users sticking to default SMS and email applications, as explained in an informative commentary of the attack by Johannes Ullrich, a security researcher at the SANS Institute's Internet Storm Centre here.

Damage analysis

It's unclear whether the attack, clever though it was, actually claimed any victims. It's quite possible that the hack was entirely unsuccessful and The Jester is only claiming otherwise in a bid to wind up his enemies and possibly induce them into making a security lapse that he can exploit.

The Jester has wasted little time taunting his intended victims in messages that set out to justify his hijinks, which pose obvious privacy worries for regular smartphone users, as carefully targeted against known "bad guys".

"I had a list of 'targets' twitter usernames I was interested in, these were comprised of usernames of: Islamic Extremists, Al Qaeda Supporters, Anonymous Members, Lulz/Antisec Members," The Jester writes in a blog post entitled Curiosity Pwned the Cat.

"EVERYONE else without exception was left totally 'untouched' so to speak. This was a proof of concept QR-Code based operation against known bad guys, the same bad guys that leak YOUR information, steal YOUR CC nums, and engage in terror plots around the world. I do not feel sorry for them.

"In the interests of convenience I will be taking the liberty of uploading the captured bad-guy data in a signed PGP encrypted file to a suitable location very soon. How's that for 'lulz'?"

The Jester posted a PGP data file from his Webkit Exploit op on Monday night. Since the data is encrypted it could be anything, or nothing. The Jester claims more than 1,200 curious netizens scanned the QR code – of which 500 devices "reverse shelled back to the listening server" (stage one of the attack. He claims that a "significant number" of these 500 were on his 'shit-list' and as such treated as valid targets. The patriot hacker doesn't say how many were compromised, if any.

US state representative Dan Gordon (Republican) reportedly reacted angrily to news that he might have been targeted, threatening to report the patriot hacker to the feds for offences ranging from threatening a state official to hacking the mobile phone of an elected politician. Gordon later said he had not scanned the Jester's QR code and thus could n't possibly have been hacked, via a succession of Twitter updates on Monday pointing to posts that cast doubt on the plausibility of the supposed attack. "@m4yH3mKITTEH @th3j35t3r/fag @ChronicleSU bit.ly/zwevPv More nonsense. Plus, couldn't have executed if I never scanned it, right?", one such Tweet said. ®

Bootnote

* The database for Tweetie holds "Twitter username, recent searches, device UDIDs, among other information", which would make it trivial for The Jester to identify iPhone users who happen to use the default Twitter application on iOS, the ISC explains.

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
L33t haxxors compete to p0wn popular home routers
EFF-endorsed SOHOpelessly Broken challenge will air routers' dirty zero day laundry
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.