The Syrian Electronic Army hacked into The Onion’s Twitter account on Monday, publishing fake anti-Israeli stories and an anti-Obama “meme” image.
Then the satirical news publication kept tongue firmly in cheek with a post, titled “Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Deaths At Hands Of Rebels”:
"We figured that before they bust in here and execute every single one of us, we might as well have a good time and post some silly tweets about Israel from a major media outlet’s feed."
By Wednesday, after it had served up tips to avoid getting hacked,* the Onion’s tech team got serious and posted this writeup of how the takeover happened.
In a nutshell, The Onion fell prey to phishing: three successive phishing waves breached Onion employees’ Google Apps accounts.
The first attempt came around May 3, when the SEA sent phishing emails to some Onion employees. The email contained a spoofed link, purportedly to a Washington Post article about The Onion, which actually went through a few redirects before landing its targets on a page that requested Google Apps credentials and then redirected to a Gmail inbox.
The tech team says that the emails came from “strange, outside addresses” and were sent to just a few employees, making them appear to be “just random noise rather than a targeted attack.”
At least one employee fell for it.
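The first lure worked because the link's visible text claimed one destination while its href went somewhere else. One check a mail gateway or a suspicious reader can run is to compare the domain the anchor text displays with the domain the href actually points at. The script below is an added example written for this page, not The Onion's tooling or anything from its writeup; the sample email body and every hostname in it are constructed placeholders, not the real phishing infrastructure.

```python
"""Flag e-mail links whose visible text names one site and whose href
points at another, the spoofed-link pattern used in the first wave above.

Added example, not from The Onion. SAMPLE_EMAIL and all hostnames in it
are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Reduce a hostname to 'example.com' / 'example.co.uk'.

    Crude two-level heuristic, enough for a mismatch check; a production
    filter would use the public suffix list instead."""
    parts = host.lower().rstrip(".").split(".")
    second_level = {"co", "com", "org", "net", "ac", "gov"}
    if len(parts) >= 3 and parts[-2] in second_level and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


# Matches anchor text that looks like a URL or bare hostname.
_URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def find_spoofed_links(html_body):
    """Return (visible_text, href, reason) for each suspicious anchor.

    Flags an anchor when its visible text looks like a URL whose registrable
    domain differs from the href's, or when the href is not http(s).
    Plain-word anchor text ("click here") is not checked, since it makes no
    claim about the destination."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        if not href:
            continue
        target = urlparse(href)
        if target.scheme not in ("http", "https"):
            findings.append((text, href, "non-http scheme"))
            continue
        match = _URLISH.match(text)
        if not match:
            continue
        shown = registrable_domain(match.group(1))
        actual = registrable_domain(target.hostname or "")
        if shown != actual:
            findings.append((text, href, f"text says {shown}, href goes to {actual}"))
    return findings


# Constructed sample styled like the lure described above; the redirector
# hostname is a placeholder, not the attackers' real infrastructure.
SAMPLE_EMAIL = """
<p>Thought you'd want to see this:</p>
<a href="http://redirect.example.net/r?u=abc123">
  www.washingtonpost.com/blogs/the-onion-profile
</a>
<p>Also: <a href="https://www.washingtonpost.com/">The Washington Post</a></p>
<p><a href="https://www.washingtonpost.com/x">washingtonpost.com/x</a></p>
"""

if __name__ == "__main__":
    for text, href, why in find_spoofed_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href} ({why})")
```

This only inspects the first hop. The lure in the story then bounced through several redirects before reaching the credential page, so a gateway that wants to see the final destination has to follow the chain itself, in a sandbox, without ever submitting a form.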
After breaching that account, the attackers used it to send the same phishing email to more Onion staff around 2:30 AM on Monday.
Coming from a trusted address, the email got a lot of click-throughs.
Most staffers refrained from entering their login credentials, but two fell for the ruse. Unfortunately, one of the two had access to all of The Onion’s social media accounts.
The Onion discovered that at least one account had been compromised and sent out an email asking that all staffers change passwords immediately.
But the attacker used another undiscovered, compromised account to send a duplicate email that again included a link to the phishing page, this time disguised as a password-reset link.
When the attackers sent this duplicate email, they cannily skipped sending it to members of The Onion’s tech or IT teams, ensuring it went undetected.
This third and final phishing wave compromised at least two more accounts, The Onion reports, one of which was used to further abuse the Twitter account.
That’s when the editorial team started to publish satirical articles inspired by the attack.
The article about how the SEA would soon be slaughtered provoked the attacker, who began posting internal editorial emails to The Onion’s Twitter account.
At that point, The Onion figured it couldn’t know whose Google Apps accounts had been hacked, so it forced a password reset on everybody’s account.
The Onion also published these tips for keeping a Twitter account from being hijacked. These are the ones we should all take seriously:
- Make sure that your users are educated, and that they are suspicious of all links that ask them to log in, regardless of the sender.
- The email addresses for your Twitter accounts should be on a system that is isolated from your organization’s normal email. This will make your Twitter accounts virtually invulnerable to phishing (provided that you’re using unique, strong passwords for every account).
[Note: either use a password manager to generate and store passwords or check out Graham Cluley’s method to create a strong password.]
- All Twitter activity should go through an app of some kind, such as HootSuite. Restricting password-based access to your accounts prevents a hacker from taking total ownership, which takes much longer to rectify.
- If possible, have a way to reach out to all of your users outside of their organizational email. In the case of the Guardian hack, the SEA posted screenshots of multiple internal security emails, probably from a compromised email address that was overlooked.
*Tips to avoid getting hacked that you should not take seriously, also courtesy of The Onion, via National Public Radio:
- Move site to a new web address every few minutes.**
- Reduce interest in your website by avoiding popular subjects.***
- If you receive an email asking for your password, dig deeper by entering information.****
[**This is impossible.]
[***This is inadvisable if you want anybody to read your site.]
[****No, no, no, no, no.]