Continuing the "FBI Most Wanted Cybercriminals" series I've decided to continue providing actionable threat intelligence on some of the most prolific and wanted cybercriminals in the World through the distribution and dissemination of actionable intelligence regarding some of the most prolific and wanted cybercriminals.
Following a series of high-profile Web site defacement and social media attack campaigns largely relying on the utilization of good-old-fashioned social engineering attack campaigns - it appears that the individuals behind the Syrian Electronic Army are now part of FBI's Most Wanted Cyber Watch List which means that I've decided to conduct an OSINT analysis further sharing actionable intelligence behind the group operators with the idea to assist law enforcement and the U.S Intelligence Community with the necessary data which could lead to a successful tracking down and prosecution of the team behind these campaigns.
In this post I'll provide actionable intelligence on the group behind the Syrian Electronic Army including actionable intelligence on the infrastructure on some of their most prolific social engineering driven campaigns.
Sample Personal Photo of Ahmad Al Agha:
Sample Screenshots of the Syrian Electronic Army Web Site Defacement Activity:
Related domains known to have participated in the campaign:
hxxp://quatar-leaks.com
hxxp://net23.net
hxxp://secureids.washpost.net23.net
hxxp://mail.hrw.net84.net
hxxp://soul.websitewelcome.com
hxxp://blog.conservatives.com/wp=content/uploads/cnn.php
hxxp://ikhwansuez.net/cnn.php
hxxp://klchr-pshr.com/bo.php
hxxp://gloryshipsghana.com/wh.php
hxxp://centriplant-dev.coreware.co.uk/wp-content/blogs.dir/ob.php
hxxp://deliveryroutes.co.uk/ch.php
hxxp://sws-schulen.de/gn.php
hxxp://sws-schulen.de/ut.php
hxxp://kulalars.com/jwt.php
hxxp://karisdiscounts.com/nasa.php
Related IPs known to have participated in the campaign:
hxxp://91.144.20.76
hxxp://194.58.88.156
hxxp://88.212.209.102
hxxp://141.105.64.37
hxxp://213.178.227.152
hxxp://82.137.248.2
hxxp://82.137.200.5
hxxp://94.252.249.94
hxxp://5.149.101.187
hxxp://82.137.248.3
hxxp://76.73.101.180
hxxp://82.137.248.3
hxxp://81.137.248.4
hxxp://82.137.248.5
hxxp://82.137.248.6
hxxp://91.144.18.219
hxxp://178.52.134.163
hxxp://78.46.142.27/~WH
hxxp://78.46.142.27/~syrian
hxxp://46.17.103.125
hxxp://46.57.135.14
hxxp://188.139.245.9
hxxp://82.137.250.235
Social Media Accounts:
hxxp://twitter.com/Official_SEA
hxxp://twitter.com/ThePro_Sy
hxxp://instagram.com/official_sea3/
hxxp://pinterest.com/officialsea/
hxxp://www.facebook.com/sea.theshadow.716
hxxp://linkedin.com/pub/th3pr0-sea
hxxp://plus.google.com/116471187595315237633
hxxp://flickr.com/photos/th3pr0
hxxp://foursquare.com/user/29524714
Skype account IDs known to have participated in the campaign:
syria.sec
koteba63
koteba
sea.shadow3
the.shadow21
tiger.white20
nana.saifo10
nana.saifo
Related emails known to have participated in the campaign:
th3pr0123-ap2@gmail.com
th3pr0123@gmail.com
whitehouse-online@hotmail.com
whitehouse_online@hotmail.com
sea.the.shadow@gmail.com
leakssyrianesorg@gmail.com
leaks.syrianes.org@gmail.com
syrian.es.sy@gmail.com
syrianessy@gmail.com
sea.wr4th@gmail.com
pr0@hotmail.nl
sy@hotmail.com
sy34@msn.com
killboy-1994@hotmail.com
jl0@hotmail.com
cf3@hotmail.com
zq9@msn.com
doom.ceasar@gmail.com
y8p@hotmail.com
rq1@hotmail.com
cf3@hotmail.com
wassemkortab@yahoo.com
sf0725zq0330@dressmall.com
adam.magdissi@hotmail.com
bf6@hotmail.es
b-6f@hotmail.com
bg_@hotmail.com
asdelylord@hotmail.com
i-8u@hotmail.com
b-8q@hotmail.com
tiger.tiger248@gmail.com
nagham_saifo@hotmail.com
edwinjouhansyah@gmail.com
sea.coders@hotmail.com
We'll continue monitoring the campaign and post updates as soon as new developments take place. Continue reading →
Following a series of high-profile Web site defacement and social media attack campaigns largely relying on the utilization of good-old-fashioned social engineering attack campaigns - it appears that the individuals behind the Syrian Electronic Army are now part of FBI's Most Wanted Cyber Watch List which means that I've decided to conduct an OSINT analysis further sharing actionable intelligence behind the group operators with the idea to assist law enforcement and the U.S Intelligence Community with the necessary data which could lead to a successful tracking down and prosecution of the team behind these campaigns.
In this post I'll provide actionable intelligence on the group behind the Syrian Electronic Army including actionable intelligence on the infrastructure on some of their most prolific social engineering driven campaigns.
Sample Personal Photo of Ahmad Al Agha:
Sample Personal Photo of Firas Nur Al Din Dardar:
Sample Web Site Defacement Screenshot courtesy of "The Shadow":
Related domains known to have participated in the campaign:
hxxp://quatar-leaks.com
hxxp://net23.net
hxxp://secureids.washpost.net23.net
hxxp://mail.hrw.net84.net
hxxp://soul.websitewelcome.com
hxxp://blog.conservatives.com/wp=content/uploads/cnn.php
hxxp://ikhwansuez.net/cnn.php
hxxp://klchr-pshr.com/bo.php
hxxp://gloryshipsghana.com/wh.php
hxxp://centriplant-dev.coreware.co.uk/wp-content/blogs.dir/ob.php
hxxp://deliveryroutes.co.uk/ch.php
hxxp://sws-schulen.de/gn.php
hxxp://sws-schulen.de/ut.php
hxxp://kulalars.com/jwt.php
hxxp://karisdiscounts.com/nasa.php
Related IPs known to have participated in the campaign:
hxxp://91.144.20.76
hxxp://194.58.88.156
hxxp://88.212.209.102
hxxp://141.105.64.37
hxxp://213.178.227.152
hxxp://82.137.248.2
hxxp://82.137.200.5
hxxp://94.252.249.94
hxxp://5.149.101.187
hxxp://82.137.248.3
hxxp://76.73.101.180
hxxp://82.137.248.3
hxxp://81.137.248.4
hxxp://82.137.248.5
hxxp://82.137.248.6
hxxp://91.144.18.219
hxxp://178.52.134.163
hxxp://78.46.142.27/~WH
hxxp://78.46.142.27/~syrian
hxxp://46.17.103.125
hxxp://46.57.135.14
hxxp://188.139.245.9
hxxp://82.137.250.235
Social Media Accounts:
hxxp://twitter.com/Official_SEA
hxxp://twitter.com/ThePro_Sy
hxxp://instagram.com/official_sea3/
hxxp://pinterest.com/officialsea/
hxxp://www.facebook.com/sea.theshadow.716
hxxp://linkedin.com/pub/th3pr0-sea
hxxp://plus.google.com/116471187595315237633
hxxp://flickr.com/photos/th3pr0
hxxp://foursquare.com/user/29524714
Skype account IDs known to have participated in the campaign:
syria.sec
koteba63
koteba
sea.shadow3
the.shadow21
tiger.white20
nana.saifo10
nana.saifo
Related emails known to have participated in the campaign:
th3pr0123-ap2@gmail.com
th3pr0123@gmail.com
whitehouse-online@hotmail.com
whitehouse_online@hotmail.com
sea.the.shadow@gmail.com
leakssyrianesorg@gmail.com
leaks.syrianes.org@gmail.com
syrian.es.sy@gmail.com
syrianessy@gmail.com
sea.wr4th@gmail.com
pr0@hotmail.nl
sy@hotmail.com
sy34@msn.com
killboy-1994@hotmail.com
jl0@hotmail.com
cf3@hotmail.com
zq9@msn.com
doom.ceasar@gmail.com
y8p@hotmail.com
rq1@hotmail.com
cf3@hotmail.com
wassemkortab@yahoo.com
sf0725zq0330@dressmall.com
adam.magdissi@hotmail.com
bf6@hotmail.es
b-6f@hotmail.com
bg_@hotmail.com
asdelylord@hotmail.com
i-8u@hotmail.com
b-8q@hotmail.com
tiger.tiger248@gmail.com
nagham_saifo@hotmail.com
edwinjouhansyah@gmail.com
sea.coders@hotmail.com
We'll continue monitoring the campaign and post updates as soon as new developments take place. Continue reading →
RSS Feed