“Opportunities multiply as they are seized.” – Sun Tzu
I’ve been talking about how jihadis have been using the internet to conduct radicalization, recruitment, propaganda operations and even the training of homegrown threats for years. Recently it seems that other people, not least the mainstream media are finally catching on. There’s a lot of hyperbole too, with phrases like ‘ISIS hackers’ and ‘Cyber Jihad’ being tossed around. This post will demonstrate by way of example the current general skill set levels of your average online jihadist forum administrator.
For this demonstration I’ll be using the jihadi forum ‘http://alfidaa.biz‘ which has been around since 2010, specifically Thursday May 27th at 20:37pm 2010. It’s currently hosted in Portugal by RedeVF Tecnologias de Informacao and sits on an Apache web server on IP 18.104.22.168. It appears to be a dedicated VPS (not shared) as the only other domains pointing to this IP address are variations of their own, namely www.al-fidaa.com and www.alfidaa.info. This tells us it’s not a free provider, they have money, and someone is paying for the box. More on who later in this post.
THEIR FIRST MISTAKE
If you visit ‘http://alfidaa.biz’ you are greeted with nothing, a 403 forbidden notice. This indicates an empty web server root directory, and the server has directory indexing turned off in the Apache server directives.This ‘playing dead’ tactic jihadist webmasters use is very common and I have done a post on it way back in September 2012 here, if you are interested. Basically what they have done is delete everything from the root directory in an attempt to fool passers-by and search spiders into skipping on by, nothing to see here – as you can see:
Luckily it seems all jihadis site administrators all went to the same school of dumbass. Just seeing this is a major red-flag to those who know what their game is. Another thing they are taught in dumbass class is under no circumstances shall a jihadi cyber warrior use anything other than a ripped-off copy the VBULLETIN forum software from pirate bay, by order of Allah himself. You’ll notice that in order to reach their actual content, all you have to do is add ‘/vb/’ to your URL as follows – ‘http://alfidaa.biz/vb‘ – voila!
Next red-flag (aside from the giant jihad flag top left) – you can’t register on this forum, you can’t join up and all the VBULLETIN features normally available to passers-by have been deactivated. All you can do is login. This tells us that this is a closed invite-only group and accounts are created manually by the administrators. What’s up with that, I wonder.
THEIR SECOND MISTAKE
While at first glance it seems without credentials to login here, an infidel could be scuttled. But as we know these fools attended the school of dumbassery, and seem blissfully unaware that while handy, login credentials are not always necessary. Especially if for example, they have a vulnerability in their code. Which as it happens – they do. Said vulnerability (i’m not going into specifics but it’s not rocket salad), which, when identified and properly exploited allows an infidel access to the backend MySQL database that powers the site. This includes but is not limited to their usernames, last IP address the user logged in from, password hashes, email addresses, and private messages. Eeek.
^^ THATS GONNA STING A BIT ^^
What you see above is a partial table of the site jihadi site administrators and moderators. These are the people actually running the whole sordid affair.
THEIR FATAL MISTAKE
Usernames can often be non-unique, and when if using them on an OSINT run, often yield tons of false-positives. It’s lucky we have their email address, these ARE unique and eradicate those same false positives. What’s even luckier is the class of dumbass obviously doesn’t have a section on OPSEC. Some of these do not look like one-time addresses. I’ll bet my last nerve some of these schween biscuits have used them elsewhere.
Lets have a look see. I’ll just pick one at random.
How about username ‘ömer’ – who registered both a Gmail and Hotmail email address. I’ll try the hotmail address as he registered it after the Gmail one. (Probably locked himself out of the Gmail). His last login was from the IP address 22.214.171.124 – this belongs to TurkTelecom out of Istanbul. The hotmail email address is associated with NINE social media accounts:
^^ CLICK TO ENLARGE ^^
Using the OSINT gathered, the subjects forename and surname, approximate age, associates, musical tastes (I shit you not Taylor Swift is up there in his faves, and I’m pretty sure she’s not Halal), mugshot, location, interests and hobbies and much more shit was uncovered. You can see where I’m going with this. I’m most widely known for knocking jihadi websites offline. This is a snapshot of the flip side. Constantly taking some targets offline, and leaving other targets alone, causes a ‘herding effect’. Think of it as funneling the bad guy into a smaller space, and smaller spaces are easier to watch.
I haven’t drilled down into the finer details in this post, as it’s not gonna help me, and could help them. Rest safe in the knowledge that this particular shitcan has been worked hard over a long period of time, all possible gains for the forces of good have long since run-dry. Hence this post. I think you get the picture, however I did do a post previously in 2012 about some of the tools I sometimes use.
There’s an unequal amount of good and bad in most things. The trick is to figure out the ratio and act accordingly.
PS – I guess these ‘cyber jihadis’ should stick to what they are good at. Namely this: