The Islamic State Hacking Division published the names, e-mail addresses, phone numbers and passwords from 1400 people from around the world. The list includes eight Australians who work for the Government including: a Victorian MP, a NSW Health Department worker and Australian Defence Officials.
The release of information came with a message saying, “We are in your emails and computer systems, watching and recording your every move”. It warned “We have your names and addresses [and are] passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands!”
The purpose of the leak is clear; it is designed to cause fear. With the Australian Government not commenting, in line with established policy, some experts have been whipping us fear, furthering Daesh’s (ISIS’s) objective.
At the Online Hate Prevention Institute we have already dealt with two cases of ISIS related social media accounts seeking to threaten specific targets in Australia earlier this year. We have also dealt with a number of cases of hacking. While concerning for the individuals, in our opinion this media storm is playing into the hands of those who wish to threaten Australia and our free, democratic and liberal society.
Why this isn’t as much of a physical threat as the media makes out
The individuals who were targeted are effectively random except that they work for the Government in some way. Daesh (ISIS) has previously threatened to attack random members of the public. It is far easier to attack a planned location and whoever is there at the time than it is to target a specific individual. Given the “hackers” are likely far removed from any physical attack, it seems very unlikely that someone wanting to carry out a physical attack would make their planning that much harder by trying to focus on a specific individual who is of no particular significance. If they were going to focus on a specific target, they would pick someone higher profile and they would get the information without resorting to social media.
Fear is the real aim
The message that was posted is designed to achieve three aims, and a physical attack is not one of them. The first aim is to cause fear in society. The idea Daesh are “watching and recording your every move” and have your “personal information” draws on existing concerns over online privacy and surveillance.
The second aim is to make the geeks who support Daesh feel empowered and part of the action. Cyber-warfare was a hot topic and seen as a powerful political statement until Daesh began broadcasting its atrocities. Even here the message promotes fear based on online threats, but ultimately falls back on the threat of an attack by Daesh on home soil. Keyboard warriors just can’t compete.
The third reason for this action is to create further fear about the storage of online data and online surveillance in general. It is designed to play on public fears and to create resistance to the very monitoring (by Government) which can help prevent attacks in the future.
What we think actually happened
Based on our experience in cyber-security the leaked information does not seem to be the result of a hack. It seems far more likely to be a compilation of publicly available information combined with some data gathered through phishing. Phishing occurs when users are tricked into giving their username and password to an unauthorised party who may pretend to be a service they trust.
What will have likely occurred is that random members of the public will have been e-mailed a link or come across webpage that asked them to login to their social media account, most likely Facebook. The page will have looked like the regular login screen and they will have entered their username and password, which will then have been recorded. The page will likely have then directed them to the real login page claiming their login failed. The person will then have entered their login information again in the belief there may have made a typing error. As this is now the real site, the login will have proceeded as usual and the person will not be aware they have given away their login credentials.
The attackers will now have a record of an e-mail address (the Facebook username) and a password. They will have tried to access Facebook with these details and potentially gathered further information about the person, e.g. the phone number they have registered with Facebook. They will also have noted if their employer is listed on their profile, or if there is an alternative work e-mail address recorded for the account.
These details would go into a large list which would then be filtered so only those accounts that mention “gov” (for example in a primary or secondary e-mail address) would be used. This list was likely quite short. The next step of Islamic State Hacking Division was to search for other lists of comprised accounts. These will have come primarily from online scammers and fraudsters. Again they would filtered the list looking for government related accounts. As this is primarily a public relations stunt, it wouldn’t matter if the accounts were no longer active or if the details were out of date. The aim is simply to make the list appear larger and therefore to make it look like more of a threat.
The bad news is that at least some of the listed accounts are like to have been phished recently, and as only Government related accounts are listed, there are likely many other accounts which have been compromised but were not listed. The compromised accounts may be used for other purposes in the future including scams and fraud. This, however, has nothing to do with the threats of violence the media has been highlighting.
Staying safe online
There are a few things you can do to stay safe online. If you use Facebook or Gmail, enable two-step authentication. With two-step authentication a one-time code is needed each time a new device tries to access your account. The code is sent to your mobile via SMS, or accessed using a code generator installed on your phone. Setting this up at home, at work, and on your phone will only take a few minutes and will give you significant peace of mind. It will create an extra step when you need to access your account from a different computer for the first time, but this is a small price to pay to being secure. More on this can be seen in our online guides.
Another useful tip is to change your passwords regularly, and to ensure you are using different passwords for different online services. It is essential that if the password to one account is compromised, that won’t lead to the other accounts being guessed. Do not use your e-mail or social media password when filling in online forms or registering for new online services.
The message to take home
The bluster from Islamic State Hacking Division is designed to create fear in society. It is designed to make it hard for us to go about our daily lives. It is in short designed to terrorise us. The best response to that is to double our termination to go on with our lives as before.
We must live by our democratic values, protect our civil liberties, and support efforts by government to tackle crime and violent extremists including those who make threats online. These values do at times conflict. Through public debate, parliamentary debate, and courts that uphold the rule of law, we chart our way forwards as a nation. As a nation we won’t be pushed into action or fear by the acts of violent extremist or amateur hackers.
There is, however, still a sobering lesson in this. As reliance on internet technology has increased, from social media accounts to web-based e-mail systems and file storage, the degree of harm we face if our accounts are compromised has also increases. We want access to online system in a way that is simply and hassle free. Our e-mail accounts often serve as master keys allowing us to reset passwords across other accounts. We don’t take our account security seriously enough and scammers, impersonators and fraudsters take advantage.
The phishing by “Islamic State Hacking Division” may in reality be no more dangerous than any other compromising of online accounts. That said, the latest report shows that there were 123,972 unique phishing setups created in the second half of 2014. Each of these would target a large number of people, possibly tens of thousands, and the Islamic State Hacking Division would likely account for only one of them. There is a serious problem and we need to learn to do more to protect ourselves online. We are our own weakest link and we need to do better.
Please help us spread the important safety information in this article by sharing this briefing:
As Australia’s only harm prevention charity dedicated to the threats of online content we cover a wide range of topics from threats of violent extremism (as discussed in this article) to cyber-racism, trolling and bullying. Your support via our Facebook page will help in our work to keep the public safe. You can also stay informed about our work by joining our mailing list for a monthly summary of our activities.