Monday, November 05, 2007

Overperforming Turkish Hacktivists

Last month's Turkish/Sweden hacktivism tensions surprised me mainly because the Swedes responded to the defacements in an entirely different way :

"On Saturday a group of disgruntled hackers posted a comment to the Flashback online forum linking to a stolen database containing thousands of user names and passwords from Turkish forum Ayyldz, the site thelocal.se reported on Tuesday. The Swedes also broke into the e-mail and MSN accounts of Turkish Web users and sent messages using the stolen identities. Among the images in circulation was a pornographic illustration of the Prophet Mohammed and Mustafa Kemal Ataturk, the founder of the modern Turkish state."

How do you keep track of defaced sites "courtesy" of Turkish script kiddies? Zone-h for sure, while in fact there're so many defacements done by Turkish hacking groups, that the hacktivists have localized the defacement achives into Turkish for better transparency, and by doing so it makes Turkish defacements during hacktivism wars much easier to keep track of. Who are the most active Turkish defacers anyway?

Top 5 Turkish Defacers at the first defacement mirror :

U-H-T - 8517
1923turk - 6711
hackpowerteam.org - 5364
By_CECEN - 5230
nadir_piero - 4440

Top 5 Turkish Defacers at the second defacement mirror :

Lonely.Antalya - 1101
Pit10 - 1000
beyrut-KaI3uS - 863
HEXB00T3R - 747
myturkx.org - 675

Lots of data to cross-check for sure. Best of all - it's a real time example of the people's information warfare concept, virtual PSYOPS to be precise. Defacing sites using automated vulnerability scanning and exploitation tools is one thing, embedding malware on the defaced sites is totally another, and while we've been witnessing the emergence of embedded malware during 2007, it's questionable whether it's done for the aggregation of infected hosts into botnets only, or a specific hacktivist cause for instance.