Hackers targeting the Islamic State are witnessing a chilling trend on the rise: recruiters preying on young teen American, non-Muslim girls to convince them to be ISIS sex slaves or to conduct attacks at home.
In a lengthy conversation with PJM today, BinarySec operatives described these girls reaching out to members of the group of Anonymous hacktivists and security analysts through Twitter when they’ve realized they’re in too deep and their lives are in danger.
It’s on the social media platform that these recruiters, with accounts cloaked in innocent avatars of babies or kitten photos, are finding their targets and moving in.
“The most disturbing thing, other than the usual gore videos, is the targeting of young teen girls,” said a BinarySec operative who goes by the name AnonyMissy. “The number of 13- to 15-year-old American non-Muslim girls being targeted for recruitment has definitely gone way up.”
“I used to have one girl every three weeks or so contact me in a panic when she realizes she’s in over her head; now it is every week,” she added. “They seek out the lonely. Invite them to Skype chat. The recruiters are men and women.”
The founder and main coder of BinarySec, who goes by the name Binary, seconded that ISIS is targeting young teen girls to “recruit them for whatever they can do.”
“I’ve seen them recruited to launch attacks on U.S. soil, I’ve seen them recruited for marriage purposes, and even sex slave purposes,” Binary said. “ISIS members when targeting out a female seek the lonely. They start by sending them little cutesy type of stuff, like messages.”
The recruiters use what are known as “sock” accounts on Twitter. “They tend not to tweet anything out ISIS-related. They look almost normal,” Binary said. When they use an image of a baby as their profile photo, it’s almost always white. “I think they may think it helps them blend in. But it really sticks out like a sore thumb.”
Binary added that the group has “intel to believe there are recruiters on U.S. soil,” though they’re “mostly overseas.”
AnonyMissy noted that “it is very subtle” by recruiters “in the beginning — just being friends, chatting with the lonely gals.”
“Depends on the girl, by the time she realizes after a month or so that she has been brought into an ISIS group, she’s been befriended by women and bonds of trust have been built,” she said. “She has isolated herself from ‘infidel’ friends and family. Lonely teen girls seeking acceptance, they are easy targets.”
“Once they realize it’s real, and in exchange for all of that attention they need to travel or steal — or worse — they end up in my [Twitter direct message] asking for advice.”
Binary said they’ve seen American girls make it to the travel planning stage, with ISIS concurrently trying to convert the girl and bring her into the fold with a gang mentality of having a family, a place to belong. If a girl tries to back out of the new relationship, it can mean trouble. “The ISIS members start making threats, even death threats.”
Asked if girls had revealed details to the hackers about what ISIS recruiters had demanded they do, Binary replied, “Very much so.”
“I’ve had a girl who told me they asked her to blow up a major place in her town, which I won’t specify for her safety. And they even forwarded her bomb instructions.”
AnonyMissy noted that “by the time these girls realize they are in trouble, the jihadis have all of their info.”
“I’m usually contacted after they cannot get rid of the recruiters,” she added. “I would be very interested to see how many missing or ‘runaway’ teen girls were chatting, knowingly or not, with ISIS recruiters before they disappeared. And does anyone even know to look?”
“…I’ve mostly been told about them being taught to steal to get money to travel. Beyond that, because they are children, I put them in touch with law enforcement to protect them.”
BinarySec operatives devoted to the #OpISIS mission are divided into those gathering intel and the “weaponry” section.
“The intel’s job is to scour any possible ISIS websites, determine if they are ISIS-related or Islamic extremist-related and maintain a target list for weaponry. When this is done, our weaponry division starts scouring websites for vulnerabilities. If none are found then we flood the website with traffic and tell the host to take it down,” Binary said.
“We will always go to the company and usually they are pretty good about removing it. However, there are a handful of companies who refuse to remove it. So we just continuously [denial-of-service attack] the website until they do.”
Of those who refuse to take terrorist propaganda and communications down: “Some are U.S. companies. Some are foreign. It’s a mixture of both.”
A BinarySec operative going by the name Zombie Ghost said the group does “work through official channels where we can.”
“We have actually developed some good working relationships with some web hosts and they will take down material we identify quickly. There are other content delivery services like [U.S. company] CloudFlare who have made public statements they will not remove ISIS materials and in these cases we have to look at alternative methods,” Zombie Ghost said.
Those without a drop of hacking skills are helping in the #OpISIS effort by reporting jihadist accounts or materials spotted online. Hacktivist groups involved in the fight each take reports via website forms or Twitter messages.
“We depend heavily on the non-hacker community to assist us with removing Twitter accounts, especially. We can’t be everywhere, and this is a volume issue. Through our bot @tool_binary anyone can look through ISIS accounts and report the ISIS materials to have them removed; they don’t have to be technically inclined,” Zombie Ghost said. “Most hosts don’t really review the material they host. They depend on people reporting the ISIS sites to them and the responsible ones will remove it.”
AnonyMissy called the latest Twitter update “a great hindrance to having accounts removed.”
“ISIS run block lists and import them up to new accounts. Prior to this update, even blocked, we could still see and report the accounts; now the accounts have no reporting option available if you are blocked,” she said. “Obviously, the accounts that are blocking #OpISIS are typically more active than accounts that are not.”
Once suspended or hacked, ISIS users come back with a slightly different Twitter handle — adding a number at the end of their old name, for example.
A BinarySec operative named Kalypso, who is helming the group’s effort to scour sites for potential threats against the ongoing Euro 2016 soccer tournament, noted that “taking accounts down helps disable their recruiting — if they are always on the run, they are harder to find.”
Binary said that as “terrorist content is slowly being snuffed out thanks to the combined efforts of hackers and regular web users alike,” terrorists “have been retreating more to the dark web in hopes to do their recruiting there.” That difficult-to-access content “tends to be a lot of gore.”
AnonyMissy, who monitors English- and Arabic-language accounts, said that at any given time “you can find 30,000 active ISIS accounts on Twitter.”
“I would say the real problem accounts, not just fanboys, are probably 1,000 in my experience,” she said. “Twitter is very hit-or-miss on account removal, and do not remove accounts without people reporting them. There is always a nice surge in account suspensions when the media brings it up, or there is a tragedy like Orlando.”
The innocuous-looking recruiter accounts preying on teen girls are “extremely” prevalent, she noted.
The hackers have also flushed out Islamic media websites doing ISIS’ propaganda bidding. Rebirth, who works website intelligence for BinarySec, highlighted dawaalhaq.com — a site based in Jeddah, Saudi Arabia, that states on its banner in English, “Independent service not related with any group or organization.” But its content is ripped straight from ISIS videos and daily reports.
“So basically our research concludes that this is a jihadi news outlet with particular interest in the Palestinian territories,” Rebirth said. “Or, for example, al-fajrtaqni.net — that is an exclusive media wing and helps ISIS and al-Qaeda stay encrypted with their software.”
Zombie Ghost said last year the group “uncovered information about an ISIS recruiter meeting up with recruits, male Pakistanis, at a dam in Pakistan. We knew their location, route and schedule to take these recruits to an ISIS training camp on the Afghan/Pakistan border — we passed all this information along to Pakistani authorities real time.”
“We do pass along information to the authorities if we have specific threat information. And have worked with authorities worldwide.”
On current threat streams, the hackers are seeing “general threats” related to Ramadan in addition to Euro 2016 chatter.
“The way I collect intel is by using ISIS accounts on Twitter that I’ve hacked,” Binary said. “They will send occasional DMs or tweets saying things vaguely referencing the Euro 2016. And coming from ISIS accounts that is usually never good.”
Rebirth said ISIS has been “being very vocal about Euro 2016 and other locations… and how vocal ISIS has been, it could either result in a nightmare or could be an empty threat — but we always take these threats seriously.”
Of course, ISIS’ “cyber caliphate” division tries to hack BinarySec and its members “almost daily” in response to the #OpISIS offensive.
“All attempts have ended in a failure as usual. I do security for a living. Our websites are pretty much untouchable that way,” Binary said. “The cyber caliphate uses Kali Linux with built-in pentesting tools to exploit. They are horrible and probably couldn’t even exploit an XSS vulnerability.”
“We do this job for people all over the world. For the people who witnessed this violence firsthand. For the people who fear for their lives. We do this so those people don’t have to worry any longer about these terrorists and their threats. We do this to show that even in dark times, there is a light that will guide you through it.”
Zombie Ghost said “it’s difficult after something like Orlando for those of us who have been doing this for a while, especially when you read all of the articles about how he was radicalized online.”
“But I think we have helped a lot of people and we’ll continue working to eliminate the threats of online recruiting and radicalization, until we don’t have to anymore.”
AnonyMissy wanted to make sure that teens courted by ISIS know that her Twitter DM — @MissyGH — “is open to anyone” who needs help.
“I think it’s a lot more prevalent than anyone suspects… That’s all I care about.”