Patriot Hacker The Jester's Libyan Psyops Campaign

Tuesday, March 29, 2011

Anthony M. Freed


It appears as if the patriot hacker known as The Jester (th3j35t3r) may have embarked on his own psyops campaign aimed at breaking the spirit of the troops loyal to Libyan strongman Muammar Gaddafi.

On Thursday, March 28, The Jester tweeted three "bit.ly" links to articles reporting that Gaddafi's troops were suffering from low morale and were deserting their posts.

Two of the links take readers to what appear to be articles in The Tripoli Post, and the third leads to what appears to be an article in The Malta Independent Online. Here is a screenshot of The Jester's tweets:

[Image: Jester Twitter Page - Tripoli Psy Op]

Having followed The Jester's activities for more than a year now, these three tweets struck me as being out of the ordinary.

Aside from his recent effort to keep multiple websites of the controversial Westboro Baptist Church down and the attacks on the WikiLeaks website late last year, The Jester mainly sticks to intermittent attacks against various militant-jihadi websites.

For the most part, The Jester keeps his Twitter messaging simple and mission-specific, usually limiting them to announcements that he has targeted a pro-jihadi website with his XerXeS denial of service tool.

Occasionally The Jester will issue a tweet in response to the constant barrage of heckling he receives from a litany of detractors, and sometimes he will post a message to warn his equally fervent followers to be wary of the multiple "Jester" imposters that have popped up over the last year.

But these three tweets stand out among all the rest, and so sparked my curiosity.

Upon closer examination, I noticed the articles in question were not listed among the others on the main pages of their respective publications, and they also did not appear in the archives.

By dragging my cursor over part of the article in an effort to highlight a paragraph, I noticed that the entire text was being displayed as an image, unlike other articles from the same publications.

Further examination revealed a big surprise - the articles in question had a very faint watermark of The Jester's trademark harlequin icon behind the text of the first paragraph.

I immediately took screenshots of all three articles. The harlequin watermark is most clearly visible in The Malta Independent Online article.

Click on the following images to view them on Flickr, then view the images at an extreme angle (as in tilt your screen) to reveal The Jester's calling card:

Update: We have added some enhanced images below the screenshots that clearly show the watermark.

Malta Independent:

[Image: jester-malta- (screenshot)]

(Screenshot above - enhanced image below to show watermark)

[Image: jester-malta-corrected (enhanced to show watermark)]

The Tripoli Post:

[Image: Jester Tripoli Psy Op 1 (screenshot)]

(Screenshot above - enhanced image below to show watermark)

[Image: jester-tripoli2 (enhanced to show watermark)]

To view the original images, go directly to The Jester's Twitter page and click on the links as tweeted (before they disappear).

After finding the watermarks, I contacted a more technically knowledgeable colleague to get their opinion on the discovery. I copy/pasted the links and sent them via instant message. When my colleague clicked on the links, they did not lead to the articles in question, but instead called up the main pages of the publications.

I directed them to go to The Jester's Twitter page and click the links contained in the tweets, which in turn did reveal the watermarked postings. My colleague surmised that The Jester was injecting the code for an image of the fabricated articles using "bit.ly" links and Twitter as vehicles for the task.

My colleague, who preferred to remain unnamed in this article, concluded that The Jester was performing some kind of "a bit.ly-obfuscated intermediary-based code injection, probably because the target websites (Tripoli Post and Malta Independent) don't parse 'get' requests. It looks like it was just a quick workaround."

Update: Michael Menefee, Founder of Infosec Island, did some technical analysis and offers an explanation of the "non-persistent injection" technique The Jester is using:

Malta Independent:

The Jester's Twitter account has a link to a bit.ly URL which redirects to http://newsportal.tekcities.com/malta.php; the source code of that page is:

[Image: jester code 2 (page source)]


This is basically an automatic redirect to The Malta Independent Online, injecting the image as a search query, which gets returned as a result.

The Tripoli Post:

The image is only slightly visible on this one: http://tripolipost.tekcities.com/index3.php (another of his bit.ly requests) with roughly the same source code to facilitate an injection:

[Image: Jester Code 1 (page source)]
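As an added illustration (not code from the article, from Michael Menefee, or from The Jester), here is a minimal Python model of the reflected, non-persistent injection described above: a search page that echoes the submitted query back unencoded, the same page with output encoding applied, and a check a site owner can run against a response to tell whether markup from a request parameter was reflected verbatim. The image URL and result text are constructed placeholders.

```python
# Added example: a model of the "non-persistent injection" technique.
# The news site's search page reflects the query into the results HTML.
# If it does so without encoding, any markup in the query (an <img> tag,
# as in the Tripoli Post / Malta Independent case) is rendered as part
# of the page, but only for the request that carried it; nothing is
# stored on the site. The hardened version encodes the reflected query.
import html
import re

# Constructed sample query mimicking the technique; the URL is a placeholder.
INJECTED_QUERY = '<img src="http://example.invalid/fake-article.png">'


def render_results_vulnerable(query: str, hits: list[str]) -> str:
    """Reflects the raw query into the page, so markup in it is rendered."""
    body = "".join(f"<li>{html.escape(h)}</li>" for h in hits)
    # The bug: the query is placed into HTML without encoding.
    return f"<h2>Results for: {query}</h2><ul>{body}</ul>"


def render_results_hardened(query: str, hits: list[str]) -> str:
    """Same page, but the query is HTML-encoded before being reflected."""
    body = "".join(f"<li>{html.escape(h)}</li>" for h in hits)
    # html.escape turns < > & " ' into entities; the browser shows them as text.
    return f"<h2>Results for: {html.escape(query, quote=True)}</h2><ul>{body}</ul>"


# Matches an HTML start tag such as <img ...> or <a href=...>.
TAG_RE = re.compile(r"<\s*[a-zA-Z][^>]*>")


def reflects_markup(request_param: str, response_html: str) -> bool:
    """Detection check: does any tag sent in the parameter appear verbatim
    in the response? True means the endpoint reflects markup unencoded."""
    tags = TAG_RE.findall(request_param)
    return any(tag in response_html for tag in tags)


if __name__ == "__main__":
    hits = ["Libya news roundup"]  # constructed placeholder result
    print("vulnerable reflects markup:",
          reflects_markup(INJECTED_QUERY, render_results_vulnerable(INJECTED_QUERY, hits)))
    print("hardened reflects markup:",
          reflects_markup(INJECTED_QUERY, render_results_hardened(INJECTED_QUERY, hits)))
```

The same check can be pointed at a captured response from a real search endpoint, with the parameter value taken from the request that produced it.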

Understanding "how" is one thing, but we still need to know "why".

I sent a message to The Jester letting him know I was writing an article on the discovery, and gave him the opportunity to offer his own explanation. Given that I have not received a reply as of yet, I can only speculate as to The Jester's motivation for the operation and what is intended to be accomplished.

Having conducted several interviews with the hacktivist, and spent dozens of hours in IM chats, I would venture to say that his motivation probably stems from his patriotism and oft-expressed concern for the lives of European and American military personnel who may be put in harm's way if the conflict in Libya persists.

Based on the contents of the planted articles, it seems the operation is intended to simply erode the morale of the Gaddafi loyalists and inspire some to either desert their posts or defect and join the opposition.

Only The Jester can tell us for sure. But one thing is for certain: The Jester continues to evolve in both his interests and his tactics, and has proven once again that he is more than just a "one trick pony".

Amaroq: When you think about it, his method for inserting false articles doesn't actually insert them into the news sites. It just uses a POST request to get the sites to load with the image in them.

How did he expect to wage a psyops campaign against Gadaffi's troops if only his fans could see the false search results? It would have no effect on Gadaffi's forces unless they could find the falsified search results through their daily activities.
Amaroq: And yet there is a lot more potential for exploiting this method. Rather than just an image tag, he could've inserted valid HTML. That valid HTML could've contained code to make the title into a link that sends another injected POST request, so that you could click the title and bring up a falsified article with the search results made invisible via CSS.

The only problem would still be how to get a link to the modified search results onto the site itself. But if you could do that, you probably wouldn't need to inject search results.
Amaroq: ...The possibilities are endless. If those sites allowed their viewers to comment, he could've added a bit.ly URL to the comments, asking innocently, "Is it true that Gadaffi's soldiers are abandoning him?"

From there, he could trap viewers into an "alternate reality" of the original site. JavaScript DOM techniques coupled with AJAX techniques (when needed) could, theoretically, allow him to show his victims the "front page" with injected headlines that could be browsed to.

It all hinges on that initial contact through the obfuscated link.