IE 11 is not supported. For an optimal experience visit our site on another browser.

'ISIS Hackers' Almost Certainly Not ISIS Hackers

The hacking of dozens of websites worldwide by someone purporting to be connected to ISIS almost certainly has nothing to do with the terrorist group.
IMAGE: Credit Union screen shot
The home page of Southwest Montana Community Federal Credit Union was replaced with the ISIS standard. Authorities say no account information was compromised.KTVM TV

The hacking of dozens of websites worldwide by someone purporting to be connected to the ISIS terror group — including a Montana credit union, an Irish rape crisis center and a local Italian political party — almost certainly has nothing to do with the Islamist militants, law enforcement and security experts said Monday.

The FBI and the Royal Canadian Mounted Police said they are investigating the hacks, which placed a picture of the black ISIS flag and the words "hacked by ISIS, we are everywhere" at the top of the targets' homepages and invoked a Flash audio plugin playing a song in Arabic.

Gary Coons, chief of Indianapolis' Division of Homeland Security, told NBC station WTHR that his office was looking into the defacement of the Indianapolis Downtown Artist and Dealers Association. "We don't believe it was a direct threat," he said. "They defaced their website and put their propaganda on it."

Evan Kohlmann of Flashpoint Intelligence, a global security firm and NBC News consultant, said, "There are no indications that the individuals behind these latest hacks have any real connection to ISIS, and these defacements have taken place amid a spate of recent attacks where ordinary hackers have cynically used far-fetched references to ISIS as a means of attracting media attention."

At first glance, all of the affected sites appear to have nothing in common — they're hosted by different web hosting services and they're registered with different domain name services. But a look at the source code of all of the sites that had managed to get back up and running — only two appeared still to be down Monday — reveals that all of them are built on the WordPress blogging platform.

WordPress didn't respond to a request for comment Monday. But several of the affected sites, including the Dublin Rape Crisis Centre, said they'd been told the problem was with a WordPress "plugin" — a coding module that allows builders to customize their sites — and that WordPress had been providing updates to them directly.

There are more than 36,000 WordPress plugins in use, and WordPress itself says at least 200 of them are known to be vulnerable to outside attack.

WordPress is an open-source platform — meaning anyone can make themes and plugins for it, including fake or corrupted versions. Exploits are available on online forums for deployment by even the least sophisticated hackers, derogatorily known as "script kiddies."