Who Hacked Mahamevnawa? Who Are The Algerian DZ Hackers? All Explained

If you don’t know already, the popular Buddhist website Mahamevnawa (Mahamevnawa.lk) was hacked and defaced by a group of Algerian Hackers calling themselves H4ck Dz Team. You can read the gossip9 article about the hack here (unfortunately I couldn’t find an English version of the news)

Because, this is an attack against an innocent but popular website in Sri Lanka we decided to look in to it to see who these people are. If you don’t know who these people are just Google the term “H4ck Dz Team”and you will see the hacks and the defacements they’ve done in the past.

So I’m going to tell you what I found,

I went through the comments of the Gossip9 article, on the comments someone has found and posted a link to “H4ck Dz Team” hackers’ Facebook page : https://www.facebook.com/H4ck.Dz.Team

Then looking at the search results of the “H4ck Dz Team” and going through the defacements you can see that he used to call himself “nO lov3″ as well as “H4ck Dz Team”. And in some of the defacements there is an email address for contacting “H4ck Dz Team” : nolove49@gmail.com.

If you look at Facebook the email address nolove49@gmail.com is used to register a Facebook profile : https://www.facebook.com/soufain.dz.

But obviously this can’t be a real profile. So I looked on and found some few things which I won’t say what right now, but then I came to a dead end.

So I showed what I found to my good friend which I call him “V”, and he somehow found and gave me the website of H4ck Dz Team” : http://dz-team.biz.

DZ-Team.biz is a hacking forum that is being run by H4ck Dz Team“, looking at the whois info of dz-tam.biz won’t give that much info. But if you reverse ip the dz-team.biz you can see that only 7 websites are hosted on the ip that has dz-team.biz : http://www.ewhois.com/dz-team.biz/

They are,

dz-team.biz
al-daa.com
dz-mafia.net
atddz.com
rahahbb.com
mahdiadz.com
2algeria.org

dz-team.biz and dz-mafia.net belongs to the H4ck Dz Team Hackers. But because so little amount of websites are hosted at this IP and all of these websites being Algerian there is a stong possibility that all these websites are hosted under the same account.

Now, because the hackers that we are looking for are Algerian I first checked the 2algeria.org website. The website uses Adsense and Google Analytics. The same Google Analytics ID and Adsence ID is being used on 3 websites. Which means the 3 websites use the same Google account for Google Analytics and Google Adsence.

There can be more websites using the same Google Analytics and Google Adsence ID.

The Google Analytics ID is : UA-3582164
The Google Adsence ID is : pub-7586127814300842

The 3 websites using the same Analytics and Adsence IDs are :

2algeria.com
2algeria.org
DZWORLD.INFO

The same person who owns the DZWORLD.INFO also owns DZWORLD.NET and DZWORLD.ORG. So many DZs repeating over and over again and belonging to the same person, is this a coincidence?

Because DZWORLD.INFO and 2Algeria.org uses same Google account for Analytics, they should belong to the same person although their whois information are different.

So if you look at the 2Algeria.org who is info it looks like this,

So khadir ben youcef owns DZWORLD.ORG, DZWORLD.NET and DZWORLD.INFO. If you look at the websites that are hosted at the ip of dz-team.biz all the websites other than dz-team.biz and dz-mafia.net are registered under the same name khadir ben youcef or has some connection to that name.

Looking at the email you will find so many domains registered under the name and the email : khadir ben youcef ,khadir_khadda@hotmail.com.

I found nearly 20 domains registered under the same name and email, there can be more.

The email : khadir_khadda@hotmail.com is used to register the https://www.facebook.com/benyoucef.khadir

Googling khadir ben youcef you will find this Facebook profile : https://www.facebook.com/khadda

The email khadir_khadda@hotmail.com, which is used to register all the domains appear in his contact information of that Facebook profile (https://www.facebook.com/khadda) , and khadir ben youcef also lives in Algeria the same country where DZ Hackers are from.

Looking at the LinkedIn profile of khadir ben youcef you can see that his occupation is Information Technology and Services so he has the technical knowledge to do such hacking.

So looking at all these things we can come to a conclusion that khadir ben youcef is Hack DZ team member of n0 l0ve hacker, and according to @ipv10, this https://www.facebook.com/khadda is also a fake profile and the real people behind it are the so called “brothers” of the https://www.facebook.com/khadda Facebook profile, which is also a possibility because there are no photos of that person in real life.

So the final conclusion

So the final conclusion is that H4ck Dz Team consist of,

Ben Youcef Khadir aka khadir ben youcef

Facebook : https://www.facebook.com/khadda
Twitter : @dzworld
Gmail : khadirbenyoucef@gmail.com
Skype : khadir_khadda
Live mail : khadir_khadda@hotmail.com

Yakoub Khadir

 

 

 

 

 

 

 

 

Facebook : https://www.facebook.com/yakoub.khadir
Google Plus : https://plus.google.com/104249732338023001842/about

On his Facebook profile and Google + profile he lists 2algeria.org as his website. Which is registered under the name of khadir ben youcef.

Khadir Kamel

 

 

 

 

 

 

Facebook : https://www.facebook.com/CaPiTaiNeDz
Twitter : twitter.com/CaPiTaiNeDz

In his Facebook profile cover picture says his website is dziso.com,  that website too is registered under the name of Ben Youcef Khadir aka khadir ben youcef.

 

 

 

 

 

 

 

 

And also in his Facebook profile it says that his email is khadirdz@gmail.com however the Facebook profile that is registered under that email is a female profile called “Jojo Imily” (https://www.facebook.com/profile.php?id=100002768720690)

I think nearly 100 domain names (both active and inactive) are shared between these 3 and registered under different email address. A typical thing for hackers who use stolen credit card information to register domains on the internet.

Some of the emails that they’ve used to register domain names include,

elchoroukhost.net@gmail.com
cyberbellia@gmail.com
algerie@hotmail.com.tr

Things To Be Expected On Facebook.

Facebook is in a period of change where, where they are going to add new features and the highly expected app center.

Today when I logged in to Facebook, I found this unusual icon in the side bar called “Connection Search”, it’s actually a way of finding friends like “Contact search”, so when I clicked on the Connection search icon this page appeared. Click to see the large image.

Facebook connection search, a thing to expect?

So is this a something to expect on Facebook? I asked some of my friends and no one has ever seen something called “Connection Search” before.Sadly the feature is still not available for me.

The other interesting thing here is the Tweet button. I think this is the first time, we’ve seen an actual Tweet button on a main Facebook page.

Facebook is also about to roll something new features called “Trending Videos”, where they are going to put popular public videos on Facebook. Just like what’s hot on Google Plus.

I’ll put a screen cap, when I see “Trending Videos” on my timeline.

The Facebook App Center will look like this :

Facebook AppCenter

#SMDayCMB The Hashtag That Made Me Lugh Hard.

If you don’t know (like I didn’t know until 5 P.M yesterday, when a friend of mine asked me whether I was at the Mashable Social Media Day), there was something called Mashable Social Media Day at Excel World, Colombo. I don’t know what happened, whatever happened I guess it’s about social media.

And the hash tag for the event was #SMDayCMB, and when I logged into Twitter at 11 PM and checked some of the tweets, they were like this :

And I was thinking this,

If you don’t know Twitter started rolling a feature called Tailored Tweets, where trends are made according to your location, the websites you frequently visit and the tweets you make.

And it didn’t appear tonight, it was rolled 2 3 weeks back by Twitter.

There are no such thing as word wide trends, you can get the world-wide trends if you opt out from tailored trends.

I think the best thing for all the people to do is to know more about what’s happening in social media, rather than “troll” in for a social media day. Thanks for making us (me and @ivp10) laugh hard. I’m so rude.

PS : At least please read More Mashable, before going to their events.

How Facebook Likejacking Can Be Used To Trigger Malicious Scripts.

Facebook Like Jacking is another method of click jacking, where a user clicks a hidden like button that will share a link with the user’s friends without the user’s knowledge.

Although Facebook has reduced the Like jacking incidents, recently there was rise of likejacking scams.Therefor I decided to write a post explaining the mechanisms how these likejacking scams work. I’ve written a post about the malicious Facebook browser extensions that can be found in my old blog.

I’m not going to talk about what is clickjacking and likejacking, I’m going to show the mechanism of how likejacking works and how it can be used to trigger a malicious script once the Like button is clicked.

So a typical clickjacking scam page are most of the time designed to looks like YouTube, Facebook page or video frame to trick the user in thinking it’s a legitimate website, well it can come in any form. The bottom line is the website is designed to trick the users.

So I went to the clickjacking website that’s there in the Naked Security blogpost, and saved it’s code. You can find the HTML code of the website here : http://nopaste.me/paste/14304159654fdd8bd82d01c

Basically it’s a simple website that’s made to look like a video frame, it’s a pretty simple HTML code with some javascripts. If you start looking from the code from the top, the first thing you should see is the meta tags.


<meta property="og:title" content="[VIDEO] Snake Eats MAN!"/>
<meta property="og:site_name" content="[VIDEO] Snake Eats MAN" />
<meta property="og:image" content="http://s15.postimage.org/5ybac4awr/snake_eats_man.jpg" />
<meta property="og:description" content="CAUGHT ON TAPE- A Giant Snake Swallows Up A Zookeeper in Front of Hundreds of People!" />
<meta property="og:type" content="website" />
<meta property="fb:admins" content="38305883" />

These meta tags allow a malicsious attacker to change the picture, title, message of the post that’s being posted on the Facebook time line irrespective of the contents of the website.

Then comes the Like button code, it’s a bit different in this webpage. Usually it’s the same Like button code. Click to see the large image.

However there is a small modification to this code, the like button is hidden with the small CSS trick, so the user won’t know that he’s clicking a like button.


div.transbox
  {
  opacity:0;
  filter:alpha(opacity=0); /* For IE8 and earlier */
  }

So the hidden Like button iframe code will look like this, click to see the large image.

In this website, it’s used like this, click to see the large image.

With the help of some more CSS trick the hidden Like button can be placed near a fake play button image, so that when the play button is clicked, the user will click the hidden Like button and without knowing the user will share the post in his timeline.

Up to here it’s pretty much simple stuff, however there is a small function called “FB.Event.subscribe” let’s a malicious user to trigger an event can be used to trigger a malicious script once the like button is clicked. Most scammers use this to load a survey that will give scammers money. However, this can also be used to trigger a malicious javascript once the Like button is clicked, even if the Like  button is not hidden.

In the following likejacking scam it’s used like this,

<script charset="utf-8" type="text/javascript">
FB.Event.subscribe('edge.create', function(response) {
        window.location = window.money_page;
});
</script>

However, a malicious attacker can modify the script to look like this, this will load a malicious javascript once the like button is clicked. So the victim will not suspect.

<script charset="utf-8" type="text/javascript">
FB.Event.subscribe('edge.create', function(response) {
 //EVIL SCRIPT HERE
 //REDIRECT PAGE
 //MALWARE DOWNLOAD
});
</script>

Why People Need To Stay Away From Cyber-Vigilantes.

Yesterday I came across this post “We don’t need cyber-vigilante justice“, which is must read for people who want to become hackers or cyber-vigilantes and why people shouldn’t be like that. Being a cyber vigilante to show that you are a l33t hacker is one not good idea, but joining and making partnerships with equally not a food idea.

One way or another, all these cyber vigilantes are criminals, just like our ordinary day-to-day criminals but these people live online. However the unfortunate thing is these vigilantes gather followers, and these followers try to make their own way towards e-fame either by hacking of helping these vigilantes of their work. I guess it’s not like a gang but like a cult.

Anonymous has their own set of followers, LulzSec had their own followers, Jester has his own set of loyal fans. May be these vigilantes like this e-fame, anyway most of these followers are ordinary hackers or, just another scrip kiddies. When they follow these vigilantes and try to show they are also l33t, the end result is them making more havoc by hacking  websites, disrupting services and posting personal information on the internet and in the end getting caught.

If you look at Anonymous, they grew up to a point where Anonymous became a cancer to the internet, some of these Anonymous were elite hackers hacking big websites. Anonymous became famous and later Anonymous gathered followers that were no more than script kiddies that started hacking, defacing every small website that comes in their way.

Finally what happened is that most of the top members of the Anonymous got arrested and, most of the followers inevitably got arrested or either got their personal information exposed or posted on the internet. Even we had our own AnonymousLK and we had the utmost pleasure of exposing them.

It’s not just Anonymous and LulzSec, even people who are supporting the so-called “patriotic” hacker Jester has also suffered when their personal information published on the internet, and recently the websites that Jester supports like the Wounded Warrior Project was also brought down, and personal information of LeRes was published online by the UGNazi hackers who are against Jester.

The best thing is not to take sides, not to support people like Anonymous, and people like Jester who is “hacktivist for good”. There is no such thing as hacktivist for good. It’s illegal and there is no difference between Anonymous type hackers. Helping cyber vigilantes is same as helping everyday crooks, you never know when you’ll get in to trouble thanks to them.

So people need to think twice about becoming online vigilantes or taking their sides. Not only the people who are being targeted by the vigilantes are affected, but also people who take sides are also affected in the cat fights between hacktivists. Stay safe.

“The law of celestial mechanics dictate that when two objects collide there is always damage of a collateral nature”

AnonymousLK, Case Closed?

If you were reading the series of posts about AnonymousLK, we said that AnonymousLK is comprised of 4 hackers.

However we never posted any info about TX and Zer0 Thunder, therefore I think it’s good to add a short note about why we never posted information about these two.

After making the posts about HackerzMafia and ZonTa, @ipv10 went on to the IRC channel of AnonymousLK few weeks ago (irc.evilzone.org #srilankanz), where she talked with TX who once threatened us commenting on this blog.

By that time we’ve found almost all the information about TX and Zer0 Thunder and it was about whether we should post them or not. @ipv10 told TX what we’ve found about him and he admitted that it is him and he kindly asked not to post about him.

Because he was kind enough to admit his identity and told about his story and given us references to confirm his identity we decided not to post about him.

Same can be said about Zer0 Thunder, although he wasn’t ready to accept his identity. Finding Zer0 Thunder was the best part, it was hard to find loose ends. until we found out that we can get an email from hackimpact.com the website that Sameera (HackerzMafia) and Shalika (ZonTa) and Zer0 Thunder created, the email has the name of Zer0 Thunder in it.

Any one can get this email address by registering at hackimpact.com which is now hidden from the website and from Google by robot.txt.

UPDATE :

I just found this status from AnonymousLK today. The image shows them say that they have set up their IRC channel at irc.evilzone.org at #srilankanz.

If you look at the date you can see that the Tweet was made in August 22, 2011. And if you look at the date that AnonymousLK joined Twitter it’s August 19, 2011. So this further proves us right that the IRC channel was indeed used by AnonymousLK from the beginning.

We expected you, nothing happened.

The End?

What LinkedIn, Last Fm, eHarmony Hacking Tell Us.

If you are following what’s happening on the internet recently you might have seen that LinkedIn, Last Fm, and online dating website eHarmony were hacked and millions of passwords were posted online.

Last Fm Hack : nakedsecurity.sophos.com/2012/06/07/last-fm-password

LinkedIn Hack : nakedsecurity.sophos.com/2012/06/06/millions-of-linkedin-passwords-reportedly-leaked-take-action-now

eHarmony Hack : nakedsecurity.sophos.com/2012/06/07/eharmony-passwords-stolen

I’m not going to talk about the hacking incidents, you can get all the information you need from the above links. I’m going to talk more about what we should learn from that.

These events post questions about the security of the websites where people give their personal information, pictures and messages. People really need to think twice before giving all of their personal information to websites, posting their pictures online etc. Because, as these hacking incidents show even the best of the websites are vulnerable and you can’t be 100% sure that your information will be secure forever.

Some might argue that the cloud is more secure than having data on your computer, however if you keep your systems up to date, and your data encrypted I think your computer is pretty safer than the cloud, even the most secure method of two factor authentication was bypassed because of a security flaw in Google to gain access to the emails of CloudFlare CEO and gaining access to CloudFlare user data and changing the DNS information of 4Chan.

If you look at the passwords of LinkedIn, (not sure about the passwords of Last Fm and eHarmony) you can see how insecure the biggest websites on the internet can be.

If you look at LinkedIn, the passwords they stored were not salted. Salting is adding a random string to the password before it’s being hashed, so even the same password will have a different hash due to the random string. As a result of LinkedIn not salting their passwords 60% of passwords that were released online were cracked within 24 hours.

So if you have a website that stores passwords it’s a must to salt the passwords before hashing and use a strong hashing method like SHA-1 because MD-5 is now considered to be outdated.

If you are a LinkedIn, Last Fm or an eHarmony user :

  • You need to change your passwords quickly
  • If you are using the same password for other accounts you need to change them too.
  • Make sure you use two factor authentication if it is available. Two factor authentication is available on Facebook, Google etc.