Techies at satirical news outfit The Onion have posted an informative explanation about how pro-Assad hacktivists from the Syrian Electronic Army hijacked their official Twitter account on Monday.
Previously the Syrian Electronic Army (SEA) has shanghaied its way into the official Twitter feeds of AP and the Guardian, using the former to post a tweet falsely claiming that there had been an explosion at the white House. The tweet caused the Dow Jones to briefly plummet, before stocks recovered after everyone realised it was a hoax.
We don't know how the keys to the AP or Guardian feeds were purloined, but in Monday's break-in to @theonion the SEA used a multi-phase phishing attack, techies at "America's Finest News Source" explained.
The first phase of the assault attempted to trick Onion staff into following a link purportedly to an article about The Onion published by The Washington Post. That link led to a fake site set up by hackers that requested Google Apps credentials. In turn, these credentials allowed the hacktivists to get into the Onion's Gmail accounts.
Hackers then used the compromised accounts to send out further phishing emails along the same lines - but this time the emails came from a trusted source. At this point the hacktivists struck gold: one of the two compromised accounts was associated with The Onion's social media accounts, allowing the pro-Assad group to hijack @TheOnion. Followers wondered whether or not updates such as “UN retracts report of Syrian chemical weapon use: Lab tests confirm it is Jihadi body odor” were unusually edgy satire or a sign that the feed had been kidnapped.
Th3 Pr0, a member of the SEA, told The New York Times that his crew targeted The Onion because of a recent parody supposedly put together by Syrian President Bashar Al-Assad, entitled: “Hi, In The Past 2 Years, You Have Allowed Me To Kill 70,000 People.”
The attack prompted techies at The Onion to email staff advising them to change their passwords. The hacktivists responded with an attempt to sow confusion by sending out a fake password reset message with links back to their credential-stealing page. Cannily, the SEA ensured none of these phishing emails went to anyone on the Onion's tech support team. This fresh assault trapped two new victims, one of whose accounts was subsequently abused to keep control of the seized Twitter profile.
The Onion's editorial team responded to the hack by posting articles mocking its attackers, such as "Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Deaths At Hands Of Rebels". The SEA briefly (and humourlessly) retaliated by posting editorial email information on Twitter before the account was returned to its rightful owners.
In the aftermath of the hack The Onion's techies said user education about phishing is a vital first step against guarding against attacks against corporate social networking feeds.
Taking over a Twitter account is possible through a variety of mechanisms including phishing, password guessing, weak password reset set-ups and use of the same login credentials on Twitter and a site that becomes the victim of a password database compromise.
Isolating Twitter-linked accounts from regular email accounts and other preventive steps can limit the scope for mischief that arises from successful phishing attacks, while having alternative ways to contact employees if anything goes wrong can help resolve the results of any security breach quickly, the Onion tech team further suggests.
Two-step authentication techniques, such as sending a code by SMS to pre-registered phones to confirm password changes or use of tokens, promises to clamp down on account hijacking, which has peaked over recent weeks. Twitter is set to roll out two-step authentication in the near future.
All this sounds fair enough, and far better than the satirical notice that "The Onion Twitter password has been changed to OnionMan77" or its top tips for other media outlets on how to avoid getting hacked.
Additional security-related comment on the incident, alongside screenshots of several fake Tweets put out by the SEA, can be found in a blog post by Sophos. ®