02/20/2013 02:14 pm ET | Updated Feb 20, 2013

Hackers Who Attacked Twitter, Facebook, Apple May Have 'Hundreds' More Victims

The hackers who attacked Twitter, Facebook and Apple employees likely claimed many more victims, an expert said Wednesday.

But exactly how many remains unknown. One security expert told The Huffington Post that "hundreds" of tech start-ups may have been compromised, but have not come forward for fear of negative publicity.

Apple said Tuesday its employees' computers were hacked. The disclosure came days after Facebook and Twitter also publicly acknowledged they were hacked in a similar attack that spread when employees visited an infected website popular among iPhone app developers. All three companies said no user data was taken.

The website that caused the hacks was identified as iPhoneDevSDK.

In an interview Wednesday, the website's owner, Ian Sefferman, said he was never contacted by Facebook or investigators looking into the attacks and only learned the site hosted malicious software, known as malware, when he was notified Tuesday by a reporter at the tech blog AllThingsD.

Sefferman said multiple other sites on the Internet also hosted the malware, though he did not provide details on which sites.

"Multiple sites have this malware," he told The Huffington Post. "We were just one of them."

He said his website was targeted by hackers who gained access to an administrator's account, then injected malicious software into the site's code that would infect site visitors. He said his site is targeted by hackers "frequently."

His site, which has about 200,000 registered users, is "the most widely read dedicated iOS developer forum," he said. Most visitors are software developers who discuss technical issues around building apps for the iPhone and iPad.

Not everyone who visited his site was hacked. His own computer, for example, was not infected, he said.

Sefferman said the hacker appeared to remove the malware from the site on Jan. 30. But on Wednesday, the site had not been taken down and experts warned users not to visit it because it may still infect their computers.

Sean Sullivan, a security adviser at Finland-based security firm F-Secure, estimated that "hundreds" of app developers at tech start-ups have been compromised by the attack but haven’t come forward publicly because their employers can't afford the negative publicity. A person briefed on the investigation also told Reuters Tuesday that hundreds of companies, including defense contractors, were infected with the same malware that hacked Apple and Facebook employees.

Some may not even know they are victims. Facebook Chief Security Officer Joe Sullivan told the blog Ars Technica last week that some companies were unaware they had been hacked before being notified by Facebook.

Sean Sullivan said that software developers are the "new low-hanging fruit" for hackers because they have access to tech companies' source code, which can be used to write new malware, known as "zero days," for future attacks.

The hackers behind the attacks appeared to be from Eastern Europe or Russia, and were trying to hack developers to steal company secrets and sell them on the underground market, according to Bloomberg.

"There's a very big, dark market for vulnerabilities and getting source code," Sean Sullivan told The Huffington Post. "If you can get the source code, that’s the mother lode."

Apple and Facebook employees were victims of what security experts call a “watering hole” attack because they were lured to the source of the malware like animals stopping for a drink of water. In essence, the hackers created a booby-trapped website that downloaded malware on their computers when they visited the site, creating a "backdoor" into a company's computer network.

Investigators were still trying to determine what the hackers did once they got inside.

"The backdoor gave them access, but it's what they did with that access that is the question," a person familiar with the investigation told The Huffington Post.

Such an attack is different from targeting employees at specific companies and tricking them into clicking a bad link or email attachment to gain a foothold in their corporate network. That method, known as "spear phishing," is commonly employed by Chinese hackers looking to steal intellectual property, experts say.

In the Apple, Twitter and Facebook attacks, the hackers knew they would ensnare software developers, but could not have known in advance which companies would be compromised.

Sullivan, of F-Secure, wondered how many others were also hacked.

"Just how many other mobile application developers took a drink from the watering hole that nailed Twitter & Facebook?" he wrote on the company's blog.