Twitter Accounts in Venezuela under attack by pro-government hackers

But how? And how to prevent this from happening to you?

Today I was checking the recent tweets from the people I follow after many days of inactivity.
I do not follow anyone that talks about politics, as this is the most boring and stressing topic on the Internet. However, today I learned about a new “wave of unprecedented hacking” that several twitter users in Venezuela were experiencing.
Rumor has it that a group of pro-government hackers had finally gotten a hold of the login information for at least 6 people from the government-opposition community.
The stolen information was apparently related to their emails and twitter accounts.
Obviously, these so-called “hackers” would try to make a big deal out of it as it is normal on the minds of those who claim such glory over something so low that is unfortunately so easy to do.
It would be hard for me to know exactly or with a 100% certainty of how those accounts are being hacked unless I know case by case about the circumstances of each of the account owners; but I can think of a few ways that this can be accomplished easily and I will offer some advise on what to do in order to prevent this from happening to you or at least to make it very hard for these so-called hackers.
One of the things that caught my attention was the fact that not only their twitter accounts were hacked, but also their email addresses as well.
This can not be coincidence and common sense tells me that it was not their twitter account that was stolen, but their email passwords were compromised and therefore, their twitter accounts and anything that is tied to their emails. Like Twitter, Facebook and yes, unfortunately, their bank accounts.
Knowing this, the first thing that came to my mind was “key loggers”. (method 1)
They are invisible, they are real, they work and I have used them in the past.
They can be installed in seconds on any computer (mostly windows-based PC) and if you do the installation right, you can have any activity, passwords, chats, screen-prints, keystrokes, page visited, and even camera snapshots sent periodically to any email address of your choice without the victim even knowing this is happening.
You can even configure the key logger to bypass the firewalls installed on your computer and remain invisible on you computer. They won’t even show on the list of installed software’s. and you won’t be able to uninstall it unless you format your hard drive.
Almost every cyber-cafe would have key loggers installed on their computers. Not by the owners of the establishments but by unscrupulous visitors that want to steal people’s passwords and accounts information. This is what happened to my dad in Italy when he went to a local cyber-cafe to check his bank account balance. Before he knew, he had a lot of money missing from his account in a matter of days.
There are also some key loggers that don’t involve software installation and are even easier to place on desktop computers in just three seconds. They are called “hardware key loggers”. Like the one shown on the picture. It’s basically a little attachment that goes on the end of the keyboard and will record everything that was typed on your keyboard.
Now, here is the thing. Both of these methods require that the “low-moral character” have access to your PC or laptop for at least a few minutes.
This might not be the case in Venezuela where several personalities from the opposition had their twitter accounts hacked in such a short amount of time. I really don’t see people in Venezuela leaving their laptops out of sight for more than a few seconds. In fact, most of the twitter users in Venezuela tweet from mobile devices such as Blackberries or iPhones. So what could be happening here?
Unless they have key loggers installed on their computers at work, the other obvious answer is that they were victims of the so-called “phishing hack” (method 2). Basically the perpetrators will send emails containing carefully design pages that would lure the victims into providing their login credentials on a page that looks identical to a page commonly visited by the victims. For instance, I sometimes receive emails from my bank saying something alarming like “your account is being placed on hold for your safety, please log in to your account to resolve this issue”.
If I didn’t know better, I would be terrified of reading such thing and would fall in the trap. Thousands of people are victims of this form of account theft every day because they do log in into this fake page that looks just like the real thing except that the server belongs not to the bank, but to the thieves and it’s recording every piece of information you type.
Take a look at this second picture and see an example of a fake login page. It basically shows a page that looks very realistic but noticed how the server address is different (but very similar) to the authentic one. Also, noticed how there is no icon showing that the site is secured (usually it’s a icon of a lock on the address bar, indicating that the server is secured and encrypted).
If the victims didn’t fall for this one, then there is yet another method that can be attributed to this online identity theft suffered by these fellowmen in Venezuela.
It’s called Cookie Theft. (method 3).
To know what cookie theft is, you must first know what a cookie is.
A cookie is a tiny file downloaded by your Internet browser through a website. It is often used to track users, store information, or save settings. However, it is important to know that not all websites use cookies. In fact, majority doesn’t. A solid hint as to knowing whether a website uses cookies is simply available by looking at its content. If there are user selected options that are saved once clicked, and/or a login area, then chances are that cookies are being used to store this information. Some websites, such as Google, use them more secretly to do statistical analysis relating to user activities (Note: I’m referring to the search engine itself, not their Gmail, Shopping Cart, etc). Cookie theft, in short, is the act of stealing another user’s logged session.
Thankfully, most cookies do NOT contain passwords. Instead, “Session IDs” can be used, which contain a script-generated series of letters and numbers, usually in conjunction with the username. But once inside a session of say, an email, the thief can request another password and therefore takeover the account. All it takes is to write a piece of code into the website visited by the victim that would send the cookie information recorded on the browser to the attackers file of choice. Usually a txt file on the server.
There is another method that would explain how these accounts were hacked in such short amount of time, but it would imply an unprecedented level of corruption by the owners of the ISP (Internet Service Provider). But given the circumstances, and the fact that the biggest ISP in Venezuela (CANTV) is owned and managed by the government, I would dare to mention how this could work without suggesting anything . Basically it would work by installing a “sniffer” which is kind of like a key-logger but at the servers that direct the internet transmissions back and forth. This would not record or reveal the password, but it can allow the theft of cookies and sessions if they can somehow manage to direct this attack by carefully selecting which IP address to target. This would imply the support of a team of hackers with some money to spend on the equipment needed and the time it will take them to sniff and isolate the IP address of their victims.
This is being used all the time by the US government which they like to hide under the magic words: “National Security” or “Patriot Act”. This technique may very well be used by the Venezuelan government to target their opposition and finally have control of the most dangerous weapon they have: The Social Networks. In this case I recommend to open your account from an internet connection that is not yours, using a new email address and not the same you always had.

It is too soon to know but if I have to guess or take a pick based on what I know, I would probably say that these victims were hacked by using the technique #2. Password phishing. But if the number of hacked accounts keep growing, one would assume that the problem is even bigger and the venezuelan government had finally found a few guys that can do the dirty work of accessing the servers at CANTV and actually installing a session sniffer to target their victims.
In order to prevent this online identity theft or at least to make it hard to crack there are a few things you can do to help. The most important advise I can give you is to tweet more from your mobile device and if you log in with any of your accounts from the main computer (which most likely has a static IP address) then you should Log out after every session!! Don’t leave any open session that can help these hackers do their thing.

1) If you receive an email with a link to anything. Be suspicious. Specially if once you click on the link it brings up a page where you have to enter your credentials. These days, the largest email providers like Gmail, Hotmail or Yahoo will not send you such emails. Be very suspicious and always check the address of the page. Make sure is legit and it leads to an encrypted and protected page.
2) Never use another computer to log in unless it’s yours! No exceptions. Not even if the computer belongs to a friend.
3) Try to detect if your computer has a key logger installed. If on windows, you can click on Alt-Ctrl-DEL and then check your system process to make sure there is nothing “funny” there running silently on the background. You could also use Anti-key logger software’s that would detect them and neutralize them temporarily.
4) Try to connect to the internet using dynamic IP’s. For instance, every time you connect using a 3G network, your IP address is most likely going to be different then the one you had before. This would help if the attack is coming from the main servers which sounds very odd in any country except for Venezuela, where everything is possible.
5) If you suspect that you have a key logger on your PC then don’t log in at all, and if you really must do it, then try to log in but at the same time confusing the attacker.
Use a screen keyboard like the one that comes with windows. Go to Start, All Programs, Accessories, then click Ease of Access, and then click On-Screen Keyboard.
Alternating between typing the login credentials and typing characters somewhere else in the focus window can cause a key logger to record more information than they need to, although an attacker could filter this out. Similarly, a user can move their cursor using the mouse during typing, causing the logged keystrokes to be in the wrong order e.g. by typing a password beginning with the last letter and then using the mouse to move the cursor for each subsequent letter. Lastly, someone can also use context menus to remove, cut, copy, and paste parts of the typed text without using the keyboard. An attacker who is able to capture only parts of a password will have a smaller key space to attack if he chose to execute a brute-force attack. Another very similar technique utilizes the fact that any selected text portion is replaced by the next key typed. E.g. if the password is “secret”, one could type “s”, then some dummy keys “asdfsd”. Then these dummies could be selected with mouse, and next character from the password “e” is typed, which replaces the dummies “asdfsd”.
Lastly, use difficult password that are hard to decipher and always use an email address for your important stuff and one for the not so important. This had worked wonders with me. I use one email address to input every time I don’t want to give my personal one. I always assume that my email will be spammed like crazy and I’m right. I just don’t check this email unless I need to confirm a subscription. But my real, personal and beloved email address remains clean and it is the one I use for my bank accounts, and other important accounts.
Remember to always use judgment.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *