The Syrian Electronic Army (SEA) operates with at least tacit support of the government. In the last weeks it targets Facebook and Youtube accounts of Syrian activists to get the login credentials and infect the computers with malware.
- May 2011 a man-in-the-middle attack against the HTTPS version of the Facebook site was launched with support of most syrian ISPs. It seems, the Syrian Telecom Ministry was involved too.
- February 2012 CNNtech reported the deployment of computer viruses like Backdoor.Breut against Syrian opposition activists
- 3 waves of attacks were reported by EFF.org in March 2012. At first a PDF document was delivered via Skype message from a known friend. It installed a remote administration tool called DarkComet RAT, which can capture webcam activity, disable the notification setting for certain antivirus programs, record key strokes, steal passwords, and more.
- Afterwards links to a fake YouTube page were distributed by email and chats. Visitors were attacked in two ways: it requires to enter YouTube login credentials in order to leave comments, and it installs malware disguised as an Adobe Flash Player update.
- During the third attack in March 2001 phishing links were spread in pro-revolution forums on Facebook to get Facebook login credentials of activists.
- April 2012 the Facebook security application FacebookWebBrowser.exe was promoted for Syrian activist in Facebook comments. The FacebookWebBrowser.exe is a malicious application which logs keystrokes and steals login credentials for email accounts, YouTube, Facebook, Skype, and others.
- Since a few days a Skype Encryption Tool is promoted for Syrian activist. The application does not encrypt anything. Instead of encrypting Skype traffic, the application downloads malware.
In may cases compromised accounts were used for malware distribution and people may think, the message is comming from a friend.
Attacks on facebook accounts are not a new idea by Syrian Electronic Army. The Agence Tunisienne d'Internet (ATI) used Javascript Injection to get login credentials of Facebook accounts a year ago. But this intensity of attacks is new in cyberwar.
