How feds used Gmail and Facebook to track down two Syrian hackers
Today, the Department of Justice put out arrest warrants for two hackers linked to the Syrian Electronic Army. Ahmad Umar Agha and Firas Dardar are allegedly responsible for seven extortion attacks, including attacks on a gaming company and an online media outlet. As of today, there is a $100,000 reward for any information leading to their arrest. But while the pair attacked a number of prominent targets, they weren’t very careful about keeping their operation secret, relying on Gmail and Facebook accounts that were easily accessible to law enforcement.
The Syrian Electronic Army has a well-earned reputation for mayhem, and Agha and Dardar seem to have lived up to it. According to the complaint, the two broke into a number of prominent and trusted Twitter accounts, including Reuters, Associated Press,and The Washington Post, but they were also engaged in more profitable attacks. The complaint describes a pattern of phishing attacks and database pillaging, followed by demands for as much as €300,000. In those messages, Agha and Dardar typically referred to themselves as “ethical hackers,” while demanding money to not sell the company’s data to a third party.
Much of the information presented in the complaint comes directly from searches of the pair’s various Gmail accounts. Dardar in particular made a number of extortion demands from firstname.lastname@example.org, giving investigators probable cause to search the account. The same inbox contained scanned attachments of identification documents in Dardar’s name, as well as emails addressing the user as “Feras Dardar” or “Firas Nour Alden Dardar.”
In one quoted incident from April 2013, the hackers were also caught communicating over Facebook, where conversations were easily accessible to investigators.
The biggest problem for the attacks was collecting payment. Even after targets had agreed to pay, sanctions against payments into Syria made it difficult to directly collect many of Dardar’s bounties, instead relying on an intermediary in Germany. Dardar also identified himself a number of times in trying to accept payment, including one request to a Syrian account in his own name.
Both Dardar and Agha are still at large, believed to be residing in Syria, which will make the Department of Justice’s new warrant hard to serve. Still, it’s a reminder of how much can be revealed by searching a suspect’s Gmail or Facebook account.
“While some of the activity sought to harm the economic and national security of the United States in the name of Syria, these detailed allegations reveal that the members also used extortion to try to line their own pockets at the expense of law-abiding people all over the world,” said Assistant Attorney General John Carlin in a statement. “The allegations in the complaint demonstrate that the line between ordinary criminal hackers and potential national security threats is increasingly blurry.”
Source | TheVerge