Viber admits to swallowing ‘Syrian Electronic Army’ phishing bait

Viber admits to swallowing Syrian Electronic Army phishing bait

The Syrian Electronic Army (SEA) claimed on Tuesday that it had taken over the support page for instant messaging/VoIP service Viber.

SEA post

The Syrian Electronic Army hacked today the website and the database of the Israeli-based "Viber" app. The SEA downloaded some of the app databases and after we gain access to some systems of that app, it was clear for us that the purpose of this app is spying and tracking of its users. The SEA hacked the support page of the Viber app and uploaded screenshots of one of the app systems in addition to the app administrators names/phone numbers Viber itself announced that the claims are overblown and that only two minor systems were breached - a customer support panel and a support administration system.

TechCrunch published a statement from Viber, which said that no sensitive user data was breached.

Viber didn’t confirm that the SEA was responsible for the breach.

The company blamed the takeover on a phishing attack that succeeded against an employee.

Viber’s statement:

Today the Viber Support site was defaced after a Viber employee unfortunately fell victim to an email phishing attack. The phishing attack allowed access to two minor systems: a customer support panel and a support administration system. Information from one of these systems was posted on the defaced page.

It is very important to emphasize that no sensitive user data was exposed and that Viber’s databases were not “hacked”. Sensitive, private user information is kept in a secure system that cannot be accessed through this type of attack and is not part of our support system.

We take this incident very seriously and we are working right now to return the support site to full service for our users. Additionally, we want to assure all of our users that we are reviewing all of our policies to make sure that no such incident is repeated in the future.

Initially, the defaced online helpdesk page bore a blue banner that read “Hacked by the Syrian Electronic Army.”

According to E Hacking News, the defaced support page advised visitors that the app is “designed for spying and tracking.”

The defaced page read:

Dear All Viber Users,

The Israeli-based 'Viber' is spying and tracking you

We weren't able to hack all Viber systems, but most of it is designed for spying and tracking

The SEA also put up a screenshot of what looked like an internal database showing phone numbers, device UDID, country, IP address, operating system and version, first registration to Viber, and what version of Viber they use.

As Graham Cluley noted, the phone numbers shown in the screenshot all had the international dialing code of 963, which is Syria’s code.

The SEA also Tweeted that Viber users had best delete the app:

Warning: If you have "Viber" app installed we advise you to delete it

In recent months, the SEA has hacked a host of sites, including Financial Times blogs, satirical news site The Onion, Guardian Twitter accounts, National Public Radio in the US, and the BBC Weather’s Twitter account, among other Twitter accounts.

Viber logoAs of Wednesday morning, Viber’s support page was showing a 403 Forbidden error message, which is an HTTP status code shown by a web server when a visitor isn’t permitted to access a given URL.

The hackers have told E Hacking News that they still have access to the company’s systems.

Viber launched in 2010 as a direct competitor for Skype.

Founded by an American-Israeli, the company has centers in Belarus and Israel. In 2011, online news pub Israel21c declared it one of the top 10 iPhone apps in Israel.

Is it a surveillance tool? I can’t imagine any mobile app that isn’t, frankly. They collect quite a bit of data on users.

What’s done with that data is another matter, as the PRISM stories about widespread surveillance by the US National Security Agency have illustrated.

What we do know is that the SEA, like many other rogue and criminal online outfits, uses phishing to great advantage.

That’s how it took over The Onion, for example, using three separate methods that breached employees’ Google Apps accounts.

Viber’s policy review in the wake of the breach will surely include phishing defense training, I would assume.

Any other organisation that doesn’t want the SEA, or other wrongdoers, taking it over, would be wise to review their own policies before it suffers a similar fate to Viber.