The Syrian Electronic Army, a hacking collective which seems to be pro-Syrian government, has been on a Twitter hacking roll lately. They’ve managed to compromise the accounts of many major news outlets, notably the Twitter account of the Associated Press, the Guardian, E! The compromised accounts were then used to spread pro-Syrian government messages and even fake news – news which led to a temporary dip in the Dow Jones and huge $136 billion in value. The latest victim of this hacking spree has been the satirical news website “The Onion”. After taking these attacks with a pinch of salt and posting several satirical articles, The Onion has posted an article detailing how this was done.
This was a targeted phishing attack and the SEA sent several phishing emails to staff members of The Onion. They knew that any journalist would be interested in their email and click on a link. In fact, their email prompted the user to enter their Google Credentials to access the link. This was done repeatedly using the same or similar methods until they succeeded in getting the credentials to all their social media accounts.
The same techniques were used to get the passwords for the Associated Press Twitter account – by luring people with targeted content that spiked their interest. What is key to their success is the fact that every time their email looked and read legitimate, hoodwinking the users.
The Onion have also published the following tips to ensure that other high profile Twitter accounts don’t get compromised
- Make sure that your users are educated, and that they are suspicious of all links that ask them to log in, regardless of the sender.
- The email addresses for your Twitter accounts should be on a system that is isolated from your organization’s normal email. This will make your Twitter accounts virtually invulnerable to phishing (providing that you’re using unique, strong passwords for every account).
- All Twitter activity should go through an app of some kind, such as HootSuite. Restricting password-based access to your accounts prevents a hacker from taking total ownership, which takes much longer to rectify.
- If possible, have a way to reach out to all of your users outside of their organizational email. In the case of the Guardian hack, the SEA posted screenshots of multiple internal security emails, probably from a compromised email address that was overlooked.
This story raises a number of questions that management in any organization should be asking:
How easily could the staff of our company fall for a targeted phishing attack? Using the Twitter, Facebook, or Google account credentials to sign into websites has become almost the norm today and users do so without thinking about the risks and security repercussions. What would happen if users received a faked password reset email that asked them for their credentials? Would they believe it? Have you tried or considered testing your staff with a control phishing exercise? Do you think education is enough or do you need specific tools to ensure employees are protected against these types of phishing attacks? Leave a comment below and let us know.
David Attardon May 31, 2013