The pro-Assad Syrian Electronic Army has had its fair share of huge hacking attempts. With propaganda messages spilling out from outlets like the Associated Press and The Guardian, hacks from the group have become more prevalent than ever before on media outlets.
However, they made a mistake earlier this month: hacking The Onion. The online parody newspaper seemed an unlikely target of the SEA, but the result was very similar to other outlets — multiple tweets promoting Assad and the triumph of the SEA. Most outlets who have been victims of an SEA attack have reacted by merely announcing that it happened.
That wasn’t enough for The Onion’s tech team, which decided to break down every level of SEA’s multilayer phishing attack and describe to the public, in great detail, how the SEA managed to find its way to The Onion’s accounts.
All told, it took three separate phishing attempts and only five compromised accounts for the SEA to pilfer the information they needed: access to The Onion’s social media accounts. It’s not terribly surprising that the hackers were able to find someone with social media credits — depending on the outlet involved, anywhere from a group to nearly every employee can have access to social media as a way to heighten the throughput of social blasts for new articles.
In all cases, it also involved duping unsuspecting users. While the SEA had a pretty low trap rate when sending random emails to targeted accounts, more people fell for the suspect link when it came from a compromised account of a trusted user. It’s a wonder that the SEA managed to avoid the tech team enough to execute the attack, but once they did, every user had to reset their passwords to prevent further security breaches.
In truth, The Onion’s post-mortem on their embarrassing attack did plenty of good for journalism at large. Especially because it showed that hacking attempts aren’t something to be ashamed of, but they should be brought to the public so it doesn’t happen to other companies.
Think you may be at risk? Here’s the advice from the tech folks at the Onion:
- Make sure that your users are educated, and that they are suspicious of all links that ask them to log in, regardless of the sender.
- The email addresses for your twitter accounts should be on a system that is isolated from your organization’s normal email. This will make your Twitter accounts virtually invulnerable to phishing (providing that you’re using unique, strong passwords for every account).
- All twitter activity should go through an app of some kind, such as HootSuite. Restricting password-based access to your accounts prevents a hacker from taking total ownership, which takes much longer to rectify.
- If possible, have a way to reach out to all of your users outside of their organizational email. In the case of the Guardian hack, the SEA posted screenshots of multiple internal security emails, probably from a compromised email address that was overlooked.
The first point here is perhaps most important: the only way that hackers gain information is if they are presented with an opportunity to take it from you. Faulty log-ins can dupe even the most astute folks, so incorporate it into your own cybersecurity plan and never remember. And, keep in mind: when you see a new email, always be skeptical!
Of course, despite the attack, The Onion also poked a little fun at the SEA’s expense.
What do you think of the recent hacking attempts aimed at publications? Let us know in the comments.
- Apply for the Matter International Reporting Fellowship
- Uncertain Future for NY Times Reporter Protecting Confidential Source
- BBC Pop Up Launches in Colorado
- Journos React to News of a Filtered Twitter