SEA is, as far as is known, purely a hacktivist group. Its purpose is to raise awareness of what it believes to be unjust reporting on the Syrian conflict. When it breached parts of Microsoft last month it said it was because Microsoft was handing data about SEA to US intelligence agencies. When it attacked Paypal (UK) over the weekend it claimed it was because Paypal refused service in Syria.
In a series of tweets on Saturday it said, "For denying Syrian citizens the ability to purchase online products, Paypal was hacked by the #SEA. Rest assured, this was purely a hacktivist operation, no user accounts or data were touched. If your Paypal account is down for a few minutes, think about Syrians who were denied online payments for more than 3 years."
An attached screenshot indicated that the breach was via Paypal's domain registrar, MarkMonitor. By taking control of Paypal's account, SEA was able to redirect visitors to a site of its own choosing. Late last year, PandaLabs warned, "DNS cache poisoning attacks have been on the rise and may become one of the prevalent trends for the next few months."
SEA's latest exploit, announced yesterday, seems to have failed. "Happy Birthday Mark! http://Facebook.com owned by #SEA." It appears that while this was strictly true, briefly, it had no effect on Facebook users. It was again a DNS poisoning attack, again through Facebook's registrar, which was again MarkMonitor.
It seems that, already on high alert after the Paypal attack, MarkMonitor reacted fast enough to prevent any serious damage. It immediately took down its management portal and regained control over the accounts. "We changed the nameservers, but it's taking too much time..." confirmed SEA on Twitter. Why it took so long is not clear, but seems to imply that MarkMonitor has additional security in this area. Exactly what that security might be is unknown because Markmonitor has a strict policy of not commenting on its clients (which SEA screenshots indicate also include Google, Yahoo and Amazon).
Although SEA has tweeted no motivation for the attack on Facebook, The Hacker News has offered one possible explanation: "Journalists and activists involved in the Syrian revolution said that the deletion of Syrian opposition pages by Facebook removes important data and context about the revolution there, including some crucial information about chemical weapon attacks last year." SEA might feel that pro-Assad information was being removed in the process.
In this instance SEA failed to have any serious effect – but the fact remains that its primary weapon of spear-phishing in order to acquire account credentials is as successful today as it was over a year ago. The biggest security concern is that while SEA is fundamentally a hacktivist organization, the same technique could be used by criminals after personal information.
Even before the Facebook incident, but following those with Microsoft and Ebay/Paypal, Ars Technica warned yesterday, "the employees of these companies are presumably some of the most savvy and well-trained in the world at spotting social-engineering ploys. If they're being hoodwinked by phishing attacks and other plain-vanilla social engineering campaigns, what hope is there for the rest of us?"