The hacktivists are displeased with a presentation about the group

Apr 29, 2014 13:54 GMT  ·  By

The Syrian Electronic Army has redirected the visitors of the RSA Conference website to a defacement page. The attack was carried out in response to an RSA Conference presentation in which Secure Mentem President Ira Winkler talked about the Syrian Electronic Army’s hacking methods. 

In his presentation, Winkler made fun of the Syrian Electronic Army and the hackers didn’t like it. The SEA became aware of the presentation after a video was published on the RSA Conference’s website.

“We were enjoying our summer peacefully, but the annoy of cockroaches like [Ira Winkler] and other security firms led to 3 reports about SEA,” the hackers wrote on Twitter.

On the page to which the visitors of the RSA Conference website were redirected, the hacktivists wrote, “Dear Ira Winkler, Do you think that you are funny? Do you think that you are secure? You are NOT. If there is a cockroach in the internet it would be definitely you.”

In a blog post published on Monday, Winkler explained that the hackers didn’t actually hack into the RSA Conference’s website. Instead, they redirected the site’s visitors to a defacement page by leveraging Lucky Orange, an analytics tool installed on the website.

The expert explained that the hacktivists sent out phishing emails to the staff of the DNS hosting company used by Lucky Orange. They sent employees emails purporting to come from the company’s CEO. The messages instructed recipients to read a BBC article about the firm.

When they clicked the link, employees were taken to a phishing website. An account executive fell for it and provided the hackers with the credentials needed to log in to the customer account management system.

Once they had access, they reset the Lucky Orange password and logged in to the control panel.

When a website that uses Lucky Orange is visited from a computer with JavaScript enabled, the analytics tool makes a call to an external website located at w1.livestatserver.com/w.js.

“They reset the address of the ‘w1’ subdomain of the livestatserver.com domain which sent calls to w1.livestatserver.com to a server controlled by the SEA,” Winkler explained.

As a result of the modifications made by the SEA, all of the RSA Conference website’s visitors were directed to the defacement image. Other websites using Lucky Orange were also impacted.

The Syrian Electronic Army says there are a total of three reports about the group (three reports that they don’t like), so they warn that there will be three attacks.