Feeds

Jester hacker brags of mobe attack on Anonymous, baby-kisser

Pwned by QR code - or wind-up?

Secure remote control for conventional and virtual desktops

A hacker known as The Jester claims to have siphoned personal information from prominent members of Anonymous, a US politician and other assorted "enemies" after running a mobile malware-based attack that relied on the curiosity of his intended victims. The raid is unconfirmed.

In a blog post reminiscent of the penultimate act of a James Bond movie, the Jester described "how he done it".

The Jester said he laid a trap for intended victims by changing the icon for his Twitter account (@th3j35t3r) to a QR-code, just after news of last week's Anonymous/LulzSec arrests broke.

Victims induced "by their own curiosity" to scan this QR-code into their mobile phones were taken to a website loaded with mobile browser exploits that targeted both Android and iPhone users. The exploits reportedly relied on security bugs lodged inside the WebKit framework that is used by several mobile browsers.

According to the hacker, malicious code he used in the "attack" handed over the compromised users' Twitter credentials via a netcat command to the so-called patriot hacker. The Jester claims he checked these credentials against a list of known targets before moving on to the next phase of the attack: further exploitation.

"Enemies" of the hacker listed as targets included @AnonymousIRC, @wikileaks, @anonyops, @barretbrownlol (the Twitter address of sometime Anonymous spokesman Barrett Brown) and @RepDanGordon (Rhode Island State Representative Dan Gordon) and others. Gordon made it onto The Jester's hit list for his comments on Twitter referencing Anonymous in what The Jester saw as a sign of approval for the hacktivist group.

The Jester, previously most famous for claiming credit for an application-based DDoS attack against WikiLeaks and for disrupting pro-Jihadist websites, said he raised his permissions on each exploited device. iOS has a default username/password combination of root/alpine, making this step of the process simple on iPhones.

The process is more complicated on Android but even there a variety of attack tools exist. After obtaining these elevated privileges, the Jester then allegedly extracted data from databases on compromised devices, which he claimed allowed him to obtain SMS, voicemail, call logs, and email*.

That's the theory. In practice the hack would have involved taking the next steps in exploits already demonstrated by famed white-hat hacker Charlie Miller and others. In addition, the assault would have relied on users sticking to default SMS and email applications, as explained in an informative commentary of the attack by Johannes Ullrich, a security researcher at the SANS Institute's Internet Storm Centre here.

Damage analysis

It's unclear whether the attack, clever though it was, actually claimed any victims. It's quite possible that the hack was entirely unsuccessful and The Jester is only claiming otherwise in a bid to wind up his enemies and possibly induce them into making a security lapse that he can exploit.

The Jester has wasted little time taunting his intended victims in messages that set out to justify his hijinks, which pose obvious privacy worries for regular smartphone users, as carefully targeted against known "bad guys".

"I had a list of 'targets' twitter usernames I was interested in, these were comprised of usernames of: Islamic Extremists, Al Qaeda Supporters, Anonymous Members, Lulz/Antisec Members," The Jester writes in a blog post entitled Curiosity Pwned the Cat.

"EVERYONE else without exception was left totally 'untouched' so to speak. This was a proof of concept QR-Code based operation against known bad guys, the same bad guys that leak YOUR information, steal YOUR CC nums, and engage in terror plots around the world. I do not feel sorry for them.

"In the interests of convenience I will be taking the liberty of uploading the captured bad-guy data in a signed PGP encrypted file to a suitable location very soon. How's that for 'lulz'?"

The Jester posted a PGP data file from his Webkit Exploit op on Monday night. Since the data is encrypted it could be anything, or nothing. The Jester claims more than 1,200 curious netizens scanned the QR code – of which 500 devices "reverse shelled back to the listening server" (stage one of the attack. He claims that a "significant number" of these 500 were on his 'shit-list' and as such treated as valid targets. The patriot hacker doesn't say how many were compromised, if any.

US state representative Dan Gordon (Republican) reportedly reacted angrily to news that he might have been targeted, threatening to report the patriot hacker to the feds for offences ranging from threatening a state official to hacking the mobile phone of an elected politician. Gordon later said he had not scanned the Jester's QR code and thus could n't possibly have been hacked, via a succession of Twitter updates on Monday pointing to posts that cast doubt on the plausibility of the supposed attack. "@m4yH3mKITTEH @th3j35t3r/fag @ChronicleSU bit.ly/zwevPv More nonsense. Plus, couldn't have executed if I never scanned it, right?", one such Tweet said. ®

Bootnote

* The database for Tweetie holds "Twitter username, recent searches, device UDIDs, among other information", which would make it trivial for The Jester to identify iPhone users who happen to use the default Twitter application on iOS, the ISC explains.

New hybrid storage solutions

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.