Early Thursday morning, a Forbes senior executive was woken up by a call from her assistant, saying that she'd be working from home due to a forecast predicting the snowiest day of the year. When she ended the call, the executive saw on her Blackberry that she had just received a bluntly worded email that seemed to have been sent by a reporter at Vice Media, asking her to comment on a Reuters story linked in the message.
Any other time, she says she would have waited to read the linked story later at the Forbes office. But with the sale of the 96-year-old media company pending, she was on the alert for news. Groggily stepping out of bed, she grabbed her iPad, opened the email in her Forbes webmail page through a shortcut on the device's homepage and tapped the emailed link.
In her half-asleep state, she was prompted for her webmail credentials and entered them, thinking her access to the page had timed out. When the link led to a broken url on Reuters' website, she got dressed and began her snowy commute from Brooklyn to Manhattan without a second thought. "It was so insidious," she says. "I didn't know I had been hacked for another two hours."
An image of the Syrian flag that was uploaded to Forbes' WordPress image server when hackers gained... [+]
In fact, the phishing email had set in motion a two-day cat-and-mouse game with Syrian Electronic Army (SEA) hackers who would deface the Forbes website and backend publishing platform, attempt to post market-moving news, steal a million registered users' credentials, and briefly offer them for sale before leaking the data online.
Update: Forbes' Kashmir Hill has interviewed a spokeperson for the SEA who offered some further explanation of the motivations and methods behind the attack.
Compared with the Chinese attack that penetrated the New York Times in 2012 or the cybercriminal theft of millions of credit card numbers from Target late last year, the SEA attack of Forbes doesn't seem to have been technically complex. But the hackers were nonetheless clever and persistent enough to stay a step ahead of the media company’s security measures. A week later, Forbes staff still haven't entirely ended a partial email and publishing lockdown designed to prevent the attackers from breaching the site again and limit the damage if they do regain access.
Forbes' chief product officer Lewis Dvorkin has already shared some details of the attack along with his thoughts on the incident. On Wednesday morning, users were again allowed to log in to the Forbes site and required to choose new, stronger passwords.
But in the interest of transparency--and out of a sense that we should subject ourselves to the same journalistic scrutiny as the subjects of our stories--fellow reporter Kashmir Hill and I have assembled a timeline based on our experience of the hack, as well as interviews with those staffers who were willing to speak with us.
Here's what we've learned, with approximate times marked:
Thursday, 6:15am: A Forbes senior executive received a phishing email from a compromised Vice Media email account with a link to a fake Reuters story about Forbes. The link led to a spoofed webmail login where she shared her email credentials. (I reached out to Vice to ask about the possible compromise of the company’s email, but didn’t get a response.)
7:45am: The senior executive's hacked account was used to send a second round of phishing emails to Forbes staffers, again asking them to check out a supposed news story about Forbes. A Forbes editorial staffer working from home who had disregarded the earlier, more suspicious-looking phishing attempt was duped by this second round of emails. "The imprimatur of [the senior executive] suggested something was actually going on here," he says. “I’ve been kicking myself black and blue over this.”
The editorial staffer, who had "super-administrator" privileges on Forbes' WordPress publishing platform, entered his email credentials into a fake webmail login page. When the link took him to an old NBC News story, he realized he'd been phished and alerted the Forbes IT department, who reset his email credentials.
8:15am: A Forbes IT administrator sent out a warning to staffers about the phishing attempts.
10:00am: A financial reporter fell for a stealthier version of the phishing attempt. As he describes it, he clicked on the link in the Vice phishing email but didn’t enter his email credentials. When he returned to WordPress to continue blogging, however, he was prompted again to log in again. Two new posts appeared on his blog almost immediately. One read, "BREAKING: US Treasury declares all foreign T-bills void. Yellen to hold a press conference in 15 minutes," and another, "Yellen to press: ‘We can no longer tolerate China’s currency manipulation.’”
When we ran this series of events by web hacking expert and Whitehat Security founder Jeremiah Grossman, he speculated that the phishing email link performed an attack known as a Cross-Site Request Forgery that hijacked the reporter's browser to post the stories. Forbes staff say now that they haven't ruled out the possibility that malware may have also been installed on his machine, though Grossman says he doubts this is the case.
In less than five minutes, an editor spotted the fake news stories and took them down.
In her interview with a spokesperson for the Syrian Electronic Army, my colleague Kashmir Hill was told that the fake headlines were an attempt to divert Forbes' attention while they burrowed deeper into the site.
10:15am: The Forbes operations staff decided to lock users out of WordPress until they could address the compromise of the site. "We realized that this had escalated and become a real problem," says Forbes chief operations officer Mike Federle. "We jumped into code red."
Over the next hours, they reset the credentials of all Forbes users with super-administrator privileges along with any other users who said they'd fallen for the phishing scheme, notifying them of their new credentials one-by-one in person or over the phone to avoid using email after the previous phishing schemes.
6:00pm: The site was reopened to users.
7:00pm: The hackers changed a headline on social media editor Alex Knapp's blog page to "The Syrian Electronic Army Was Here." Although the Syrian Electronic Army later wrote on their Twitter feed that their entire attack could be blamed on Knapp, this seems to have been misdirection. The defacement of his page was performed using the same editorial staffer's super-administrator account that had been first compromised that morning. In the short time before his email credentials were changed by the Forbes IT staff, the hackers had gained access to the editorial staffer's high-privilege WordPress account by exploiting WordPress's "forgot password" function and resetting his publishing account password from his compromised email inbox.
In fact, Forbes staff now believe the hackers may have used their initial access to the super-admin WordPress account to change both the email address and the social networking accounts--such as Linkedin, Twitter, Google+, and Facebook--associated with it. So despite the editorial staffer's WordPress credentials being changed earlier in the day, they were able to quickly regain access to the account by again triggering the "forgot password" function and accessing the reset email sent to their own account.
7:10pm: The site was again locked down to prevent further compromise. After discovering that the hackers had changed the email addresses associated with compromised users' WordPress accounts, Forbes staff changed back to the users' addresses.
Midnight: The site was reopened to users.
Friday, sometime between 12:30am and 3:30am: The hackers again accessed the same editor's super-administrator account on WordPress, possibly taking advantage of his altered social logins. Though Forbes staffers had fixed the email address associated with the account, they say they may not have changed the social accounts connected with it.
3:30am The hackers used the editor's account to deface the blog pages of six more Forbes staffers--including mine--with the phrase "Hacked By The Syrian Electronic Army." Some of these staffers had linked their Twitter accounts with their WordPress accounts, so that the SEA message also appeared on their personal Twitter feeds.
3:40am: The site was locked down for a third time.
7:30am: After social logins were disabled, the site reopened.
8:00am: Using a method that's still not clear, the hackers regained access yet again to the editor's account--possibly by exploiting a vulnerability in a WordPress plugin that allowed them to insert malicious code into the site. They changed the Forbes WordPress installation theme, inserting their own logos and a Syrian flag designed from ones and zeroes. At some point, they also inserted code into the top post linked on the site's homepage so that it redirected thousands of users to the Syrian Electronic Army's Twitter feed.
11:30am: Forbes administrators were forwarded an email from a hacker named Ethical Spectrum that had been sent to seemingly random staffers earlier in the day. The message said he or she had stolen the entire Forbes database of registered usernames, emails, and passwords, and went on to demand what may have been a ransom. Just how the data was stolen isn't exactly clear, but WordPress does allow users with super-administrator privileges to export the full user database.
The message from Ethical Spectrum, who also took credit for an attack on video game company Supercell earlier this month, read as follows:
Hello Forbes. I found gabs in your servers thats allowed me to download all your databases. i can help you to avoid this again. but i want something in return like fees. the proof that i hacked your databases is this screenshot. its only 1 million user. NOTE: I have some roles. ROLE NUMBER 1. Do not delay in reply.
It was followed by a screenshot showing a few users' credentials and passwords, which WordPress had cryptographically hashed to make them unreadable.
At this point, Forbes administrators locked down the site again and called the FBI.
When we contacted Ethical Spectrum for comment, he claimed he wasn’t associated with the Syrian Electronic Army, and had only learned of the attack from the Syrian Electronic Army’s Facebook page. The Syrian Electronic Army spokesperson also claimed that the group wasn't associated with Ethical Spectrum.
12:35pm: The Syrian Electronic Army announced on its Twitter feed that it had hacked Forbes. It later wrote that it had gained access to the million-user database, and asked for bids from possible buyers before declaring that it would release the hacked usernames, emails and hashed passwords for free. It published the database Friday night.
The Syrian Electronic Army may not be finished with Forbes just yet. On Twitter, it claims to have “one last thing” to reveal from the attack.
Forbes’ staff, meanwhile, spent the last five days in recovery mode, enlisting an incident response firm to suss out and patch any of the site’s remaining entry points for the hackers.
In future posts, we plan to provide updates on Forbes’ response to the attack, how it changes our security practices, and the lessons it holds for the company as well as for other potential hacking targets. Forbes is hardly the first media outlet to be hit by the Syrian Electronic Army. It likely won’t be the last.
With reporting contributed by Kashmir Hill.
