Syrian Electronic Army takes over MarkMonitor; dog catches car

Facebook hijack attempt

On Wednesday, the well-known hacktivist group Syrian Electronic Army managed to get into MarkMonitor’s management portal. Once there, the group targeted Facebook: they used the management portal to alter Facebook’s WHOIS record, including Facebook’s registrant contacts, intending to hijack Facebook’s domain nameservers (as they had done earlier with both PayPal and eBay’s UK sites).

However, the hijack took “too much time,” and while they were able to take some screenshots of their process, they never got much farther than a prank. Facebook’s service was never disrupted, and shortly afterward, the SEA were kicked out of MarkMonitor’s management portal.

Here’s what should get people’s attention: these guys (maybe girls, too; let’s use “guys” as a unisex term) were in MarkMonitor’s management portalFor the rest of the evening, there was very little news about the incident, other than some limited reporting on the aborted attempt at hijacking Facebook’s domain. Facebook gets people’s attention.

So who is MarkMonitor? MarkMonitor does brand protection for pretty much everybody you’ve ever heard of. Sure, you trademark attorneys may just know them as that company that looks after trademarks on the internet, but they do more than that. They protect against things like fraud, spam, phishing, malware, and piracy. They monitor internet traffic to look for these sorts of things and collect data on the things they find. And, more importantly, through this activity, they hold the keys to how every brand that uses them is perceived — how every brand is trusted — by the rest of the world.

The MarkMonitor Portal is currently unavailable...

So MarkMonitor got popped, and they got popped deeply enough to give some random attackers full access to their management portal. Which means the attackers could have done anything they wanted to. They could have looked at, copied, or changed any data they wanted to. What they chose to do was make a lot of noise trying to hijack Facebook in a really obvious way, and MarkMonitor discovered the breach and kicked the attackers out.


So think about this for a minute: what if they’d been quieter? What if their attack had been much more subtle? And…how do we know that while they were annoying Facebook, they weren’t also doing something else?