Earlier today @Th3j35t3r replaced his old Twitter profile picture with a new one: a QR code, seen in the image below, that led to a known smartphone exploit.
“It was a highly targeted and precise attack, against known bad guys, randoms were left totally unscathed,”
Those who scanned the QR code on any Android or iPhone mobile device were automatically directed to a site that displayed The Jester’s frequently used avatar and the text “BOO!”.
Here is the content of the “BOO” webpage:
The Jester explains in his blog,
Those who scanned the QR code were then cross-referenced against The Jester’s database of recognized targets, and those targets were later pwned, getting their address books, texts and emails deleted. The Jester explains,
I also had a list of ‘targets’ – twitter usernames I was interested in, these were comprised of usernames of:
- Islamic Extremists
- Al Qaeda Supporters
- Anonymous Members
- Lulz/Antisec Members
and his statistics,
In all this ‘curiosity pwned the cat’ sting went on for 5 days unnoticed.
Here’s some facts and figures on how it went:
- Over 1200 curious netizens scanned the QR-Code.
- ^ Of those over 500 devices reverse shelled back to the listening server.
- ^^ Of those, a significant number were on the ‘shit-list’ and as such treated as valid targets.