Jester hacker brags of mobe attack on Anonymous, baby-kisser

Pwned by QR code - or wind-up?

A hacker known as The Jester claims to have siphoned personal information from prominent members of Anonymous, a US politician and other assorted "enemies" after running a mobile malware-based attack that relied on the curiosity of his intended victims. The raid is unconfirmed.

In a blog post reminiscent of the penultimate act of a James Bond movie, the Jester described "how he done it".

The Jester said he laid a trap for intended victims by changing the icon for his Twitter account (@th3j35t3r) to a QR-code, just after news of last week's Anonymous/LulzSec arrests broke.

Victims induced "by their own curiosity" to scan this QR-code into their mobile phones were taken to a website loaded with mobile browser exploits that targeted both Android and iPhone users. The exploits reportedly relied on security bugs lodged inside the WebKit framework that is used by several mobile browsers.
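The practical lesson of the trap described above is that a QR code is an opaque link: the person scanning it cannot see where it leads until the phone has already opened it. The following script is an added example, not part of the article or of anything The Jester published, showing the kind of triage a defender can run on decoded QR payloads before anyone opens them. The sample payloads and the shortener list are constructed for the example and are not addresses from the story.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample payloads, in the form a QR decoder hands them back.
# None of these are real addresses from the article.
SAMPLE_PAYLOADS = [
    "https://www.example.com/news/story",      # ordinary link
    "http://bit.ly/abc123",                     # shortener hides destination
    "http://203.0.113.7/login",                 # raw IP, no hostname
    "http://xn--pple-43d.com/",                 # punycode label (lookalike risk)
    "https://user:pw@www.example.net/",         # embedded credentials
    "javascript:alert(1)",                      # non-web scheme
]

# Assumed, illustrative list; a real deployment would use a maintained one.
KNOWN_SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}


def triage_qr_payload(payload: str) -> dict:
    """Return the scheme, host, a list of findings and a verdict for one payload."""
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if scheme not in ("http", "https"):
        # Anything that is not a plain web link should be looked at by a human.
        findings.append(f"non-web scheme '{scheme or '(none)'}'")
    else:
        if scheme == "http":
            findings.append("plain http, destination not authenticated")
        if host in KNOWN_SHORTENERS:
            findings.append("URL shortener hides the real destination")
        try:
            ipaddress.ip_address(host)
            findings.append("raw IP address instead of a hostname")
        except ValueError:
            pass  # a normal hostname, not an IP literal
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append("punycode label; check for a lookalike domain")
        if parts.username or parts.password:
            findings.append("credentials embedded in the URL")

    verdict = "ok" if not findings else "review"
    return {"payload": payload, "scheme": scheme, "host": host or None,
            "findings": findings, "verdict": verdict}


def summarize(payloads):
    """Triage a batch and count how many need review before being opened."""
    results = [triage_qr_payload(p) for p in payloads]
    return {"total": len(results),
            "review": sum(r["verdict"] == "review" for r in results),
            "results": results}


if __name__ == "__main__":
    for r in summarize(SAMPLE_PAYLOADS)["results"]:
        print(r["verdict"].ljust(7), r["payload"], "|", "; ".join(r["findings"]))
```

The checks are deliberately cheap and local: they do not fetch the link, so the triage itself never visits the destination. A "review" verdict means a person should resolve the link on an isolated machine or drop it, not that the code is malicious; the point is simply to stop curiosity from being the only control.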

According to the hacker, malicious code he used in the "attack" handed over the compromised users' Twitter credentials via a netcat command to the so-called patriot hacker. The Jester claims he checked these credentials against a list of known targets before moving on to the next phase of the attack: further exploitation.

"Enemies" of the hacker listed as targets included @AnonymousIRC, @wikileaks, @anonyops, @barretbrownlol (the Twitter address of sometime Anonymous spokesman Barrett Brown) and @RepDanGordon (Rhode Island State Representative Dan Gordon) and others. Gordon made it onto The Jester's hit list for his comments on Twitter referencing Anonymous in what The Jester saw as a sign of approval for the hacktivist group.

The Jester, previously most famous for claiming credit for an application-based DDoS attack against WikiLeaks and for disrupting pro-Jihadist websites, said he raised his permissions on each exploited device. iOS has a default username/password combination of root/alpine, making this step of the process simple on iPhones.

The process is more complicated on Android but even there a variety of attack tools exist. After obtaining these elevated privileges, the Jester then allegedly extracted data from databases on compromised devices, which he claimed allowed him to obtain SMS, voicemail, call logs, and email*.

That's the theory. In practice the hack would have involved taking the next steps in exploits already demonstrated by famed white-hat hacker Charlie Miller and others. In addition, the assault would have relied on users sticking to the default SMS and email applications, as Johannes Ullrich, a security researcher at the SANS Institute's Internet Storm Centre, explains in an informative commentary on the attack.

Damage analysis

It's unclear whether the attack, clever though it was, actually claimed any victims. It's quite possible that the hack was entirely unsuccessful and The Jester is only claiming otherwise in a bid to wind up his enemies and possibly induce them into making a security lapse that he can exploit.

The Jester has wasted little time taunting his intended victims in messages that set out to justify his hijinks as carefully targeted against known "bad guys", even though the technique poses obvious privacy worries for regular smartphone users.

"I had a list of 'targets' twitter usernames I was interested in, these were comprised of usernames of: Islamic Extremists, Al Qaeda Supporters, Anonymous Members, Lulz/Antisec Members," The Jester writes in a blog post entitled Curiosity Pwned the Cat.

"EVERYONE else without exception was left totally 'untouched' so to speak. This was a proof of concept QR-Code based operation against known bad guys, the same bad guys that leak YOUR information, steal YOUR CC nums, and engage in terror plots around the world. I do not feel sorry for them.

"In the interests of convenience I will be taking the liberty of uploading the captured bad-guy data in a signed PGP encrypted file to a suitable location very soon. How's that for 'lulz'?"

The Jester posted a PGP data file from his Webkit Exploit op on Monday night. Since the data is encrypted it could be anything, or nothing. The Jester claims more than 1,200 curious netizens scanned the QR code, of which 500 devices "reverse shelled back to the listening server" (stage one of the attack). He claims that a "significant number" of these 500 were on his 'shit-list' and as such treated as valid targets. The patriot hacker doesn't say how many were compromised, if any.

US state representative Dan Gordon (Republican) reportedly reacted angrily to news that he might have been targeted, threatening to report the patriot hacker to the feds for offences ranging from threatening a state official to hacking the mobile phone of an elected politician. Gordon later said, via a succession of Twitter updates on Monday pointing to posts that cast doubt on the plausibility of the supposed attack, that he had not scanned the Jester's QR code and thus couldn't possibly have been hacked. "@m4yH3mKITTEH @th3j35t3r/fag @ChronicleSU bit.ly/zwevPv More nonsense. Plus, couldn't have executed if I never scanned it, right?", one such Tweet said. ®

Bootnote

* The database for Tweetie holds "Twitter username, recent searches, device UDIDs, among other information", which would make it trivial for The Jester to identify iPhone users who happen to use the default Twitter application on iOS, the ISC explains.
