Journalist perpetrates online terror hoax

ComputerWorld ^ | Feb. 6, 2003 | Dan Verton

[JohnathanRGalt]

Journalist perpetrates online terror hoax

By DAN VERTON
ComputerWorld, FEBRUARY 06, 2003

Editor's note: An online story yesterday by Computerworld reporting on terrorist claims of responsibility for having authored the Slammer worm was based on a hoax. The security reporter who wrote the story, Dan Verton, explains in this first-person account how he and others were misled by a U.S. journalist who pretended to be someone named "Abu Mujahid." The original story has been removed from Computerworld's Web site.

There's an old Italian proverb that says, "Those who sleep with dogs will rise with fleas." That's the situation in which I now find myself.

While catching a few fleas isn't unusual in the murky, dog-eat-dog world of reporting on hackers and terrorists, this hoax is different. Had it been a simple scam, I might be embarrassed. But in this case, the scammer is Brian McWilliams, a former reporter for Newsbytes.com, which is now owned by The Washington Post Co.

For the past 11 months, McWilliams has operated a Web site, www.harkatulmujahideen.org, which once belonged to a real terrorist organization based in Pakistan. It was during legitimate research into pro-terrorist Web sites that I first came across the Harkat-ul-Mujahideen site and McWilliams.

In an elaborate scheme to dupe security companies and journalists, McWilliams acknowledged last night that he purchased the domain name last March and registered it under the name of "Abu-Mujahid of Karachi." He also left a legitimate mirror site in place on a server in Pakistan and by his own admission has been receiving e-mails from people looking to join the actual terrorist group. He then posed as Abu Mujahid in his communications with people and the news media.

McWilliams' hoax, which he described as an effort to surreptitiously obtain information that he might be able to turn into a good news story, came to my attention after I reported being contacted by Abu Mujahid. In a series of e-mails spanning several weeks, McWilliams, a.k.a. "Mujahid," claimed responsibility for the Slammer Internet worm late last month. Although my story noted that claims of responsibility for Slammer couldn't be verified, I, along with journalists in India, several computer security firms and even law enforcement experts, didn't see through McWilliams' hoax.

"I worked hard to make the illusion look real," he said in an e-mail to me last night, after the hoax had been exposed. McWilliams also expressed regret for having allowed the hoax to go so far. "But the Internet gives those who want to spread misinformation a big advantage. It's so easy to conceal ... the ownership of a domain."

McWilliams' efforts misled journalists in a foreign country now living with the real-world threat from a very real group, Harkat-ul-Mujahideen (HUM), a group linked not only to Osama bin Laden, but also to the abductors and murderers of Wall Street Journal reporter Daniel Pearl.

The Web site still in place in Pakistan, www.ummah.net.pk/harkat/, refers to a radical Islamic group on the State Department's list of designated terrorist groups. Once known as Harkat-ul-Ansar, the group changed its name to Harkat-ul-Mujahideen in an effort to avoid problems stemming from the U.S. terrorist designation. Contact information on that site goes to harkatulmujahideen.org, which is McWilliams' domain.

"I've been secretly receiving lots of interesting e-mails apparently intended for HUM," said McWilliams. "I was hoping I might get a story out of some of the stuff that came in to the site. Most of the messages have been from people in the Middle East who wanted to join jihad. I've forwarded some to the FBI."

As part of this scam, McWilliams contacted a journalist in India and then defaced his own phony Web site, posting one of my earlier e-mails as part of the defacement by a bogus hacker group. That "hacking" was one reason that at least one security vendor, Mi2g.com, initially considered the Web site to be genuine.

That authenticity unraveled late yesterday, after my story had been posted, when members of an e-mail list that focuses on security topics contacted Computerworld and informed me that McWilliams had been bragging about the success of his hoax and how simple it would have been to uncover. He did not, however, acknowledge then that he had registered the domain using a fictitious name. After the hoax was revealed, the story was removed from Computerworld's Web site. By then it had been picked up by other Web sites.

This isn't the first time McWilliams has relied on questionable reporting procedures to obtain information for a story, according to government intelligence and industry sources, who requested anonymity. These sources confirmed that in September 2001, at the height of the Nimda worm, McWilliams obtained the telephone number for conference calls held by the National Security Council, the National Security Agency and private companies, and listened in surreptitiously to the conversations. He then used the information from the conference calls in news reports he filed.

"Just as that group was hitting its stride, the trust relationship was fractured," said a source who took part in the conference calls. "Since we couldn't know which participant compromised the trust, [McWilliams'] efforts actually damaged the effectiveness of the defensive action."

McWilliams confirmed today that he did listen in to the conference call.

Although the hoax this week taught me a valuable lesson about the nature of information on the Internet, it's less clear that McWilliams' scheme has done anything to advance the understanding of cyberterrorism -- one of his stated reasons for conducting the hoax in the first place. The fact is that real terrorist organizations around the world do run Web sites. The Palestinian terrorist group Hamas is a prime example of a terrorist group on the Web. There are many others, including, until last March, Harkat-ul-Mujahideen.

This experience has been a particularly difficult one for me. I feel like I've been had, and that's never an easy thing to swallow. I got burned. So, I'm left here scratching fleas as the price you sometimes pay for sleeping with dogs.

[JohnathanRGalt]

mi2g was also taken in -- strange, the article has disappeared from the 'Latest News' at their website: http://www.mi2g.com/

Anti-Islamic group downs fundamentalist site

And exposes emails from the site

By Mike Magee: Wednesday 05 February 2003, 14:26

A SECURITY ORGANISATION reports that an anti-Islamic hacker group called 4nti-Muja has downed the web and email servers of Harkat-ul-Mujahideen (HuM).

Security firm mi2g said this is the first significant attempt at anti-Islamic cyberwar.

According to mi2g, HuM is linked to al-Qaeda and to terrorist attacks in Kashmir. Murdered Wall Street Journalist Daniel Pearl was investigating this organisation, it says.

The hacking message on the HuM site read: "You can change your name, but you cant hide from the 4nti-MUja. GWB and USA is comming for you. Can you say kaboom?”"

Apparently, some emails from and to HuM were also obtained, including an email from a Computerworld journalist to the organisation.

HuM claimed to have released the SQL Slammer virus that brought down the internet recently, something which Verton challenged and refuted in the exposed email.

The web site, www.harkatulmujahideen.org was down at the time of the alert, but is now back up again.

[JohnathanRGalt]

(Fake!) Jehadi website ping: (let me know if you want on or off)

[Libertarianize the GOP]

bump

[JohnathanRGalt]

hello...yeah, who's this? Who's THIS?

Brian McWilliams, a free-lance reporter for Security Focus and Wired News is the same guy who disparaged others as being "online vigilantes" and said that activists against the Islamist / terrorist websites are interfering with law enforcement.

5.  One Man's Info War on al-Qaida
02:00 AM Dec. 18, 2002 PT A white-collar worker from Minnesota hacks two sites that published messages extolling recent terrorist attacks linked to al-Qaida. But he may have unwittingly botched the FBI's ongoing surveillance operation. By Brian McWilliams

In this article, McWilliams claimed that the domain name of jehad.net had been hijacked (it had not).  Online-Haganah notes jehad.net, a vital part of al-Qaeda's internet activities, has been TOS'd (removed for Terms of Service violations) on Feb. 4, 2003.  Aaron Weisburd, who was interviewed for the above article feels that McWilliams used unconvetional reporting methods.  Aaron Weisburd responded:

"I'm still pissed that he even tried to bait me into speaking in support of criminal activity, and I have reason to believe that the 'hijacking' of the jehad.net domain name was another of Mr. McWilliams fabrications. Once someone admits to lying, the question becomes: 'so, when have you *ever* told the truth?'"

Latest rumor around the virtual water-cooler at Online-Haganah is that McWilliams is on the staff of JehadUnspun.

[Madame Dufarge]

Bump.

[Huggy]

Thanks for keeping me alerted and on your list!

[Huggy]

...and pardon the poorly worded sentence in my previous post.

[atc]

John, here's one from the good guys. This site has a lot of terrorism related info. Thought you might find it helpful.

http://www.pakistan-facts.com