Twitter accounts belonging to The Guardian newspaper have fallen at the hands of hackers belonging to the Syrian Electronic Army.
The hackers have been making a habit of breaking into high-profile Twitter accounts in recent weeks. Their attack on AP’s Twitter account, in which they posted fake news of an explosion at the White House, actually caused a brief drop in the Dow Jones.
In this most recent incident, unauthorised messages were posted from the newspaper’s @GuardianSustBiz and @BusinessDesk accounts earlier today:
Follow the Syrian Electronic Army... Follow the truth! @Official_SEA12 #SEA #Syria
The suspicion is that the hackers have been targeting potential victims with phishing emails.
For instance, if the attackers were to send a convincing-looking email to a news agency, claiming to link to a breaking news story, recipients might be fooled into clicking on it and then tricked into entering their Twitter account details on a fake login page.
With many media organisations allowing a wide range of staff to update their official Twitter accounts from a shared password, it only requires one worker to be fooled by such an attack for that password to fall into the wrong hands.
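The lure described above relies on a link whose visible text or destination imitates a trusted site. Below is an added example, not code from the original article, of the kind of heuristic check a mail gateway or a curious journalist could run over an HTML email body: it flags anchors whose visible text names one host while the href points elsewhere, hosts that contain a trusted brand name without being that domain, and punycode-encoded hosts. The trusted host list and the sample email are assumptions constructed for the example.

```python
"""Flag links in an HTML e-mail body that look like credential-phishing lures.

Added example; the trusted hosts and the sample message are constructed
assumptions, not data from the incident described in the article.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the organisation legitimately logs into (assumed for this example).
TRUSTED_HOSTS = ("twitter.com", "theguardian.com")

# Matches something that looks like a hostname inside the visible link text.
_TEXT_HOST = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_site(a, b):
    """True if one host equals, or is a subdomain of, the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def is_trusted(host):
    return any(same_site(host, t) for t in TRUSTED_HOSTS)


def link_reasons(href, text):
    """Return the reasons a single link looks like a phishing lure (empty if none)."""
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return []  # relative links, mailto:, etc. carry no host to judge
    reasons = []
    # 1. Visible text claims one host, href goes to another.
    m = _TEXT_HOST.search(text.lower())
    if m and not same_site(m.group(1), host):
        reasons.append("text-host-mismatch")
    # 2. Host borrows a trusted brand name but is not that domain
    #    (e.g. twitter.com.something.example).
    brands = [t.split(".")[0] for t in TRUSTED_HOSTS]
    if not is_trusted(host) and any(b in host for b in brands):
        reasons.append("lookalike-host")
    # 3. Punycode labels can hide homoglyph lookalikes.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode-host")
    return reasons


def suspicious_links(html_body):
    """Map each suspicious href in an HTML e-mail body to its list of reasons."""
    collector = _LinkCollector()
    collector.feed(html_body)
    collector.close()
    flagged = {}
    for href, text in collector.links:
        reasons = link_reasons(href, text)
        if reasons:
            flagged[href] = reasons
    return flagged


# Constructed sample message, not a real phishing email.
SAMPLE_EMAIL = """
<p>Breaking: see <a href="http://twitter.com.account-verify.example/login">twitter.com/guardian</a></p>
<p>Also <a href="https://www.theguardian.com/uk">theguardian.com</a></p>
<p>And <a href="http://xn--twtter-gva.com/signin">sign in</a></p>
<p>Plain <a href="http://news.example.org/story">story</a></p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL).items():
        print(href, "->", ", ".join(reasons))
```

These checks are heuristics, not proof: a legitimate link shortener trips the text-host mismatch, and a phishing page on a bland domain with neutral anchor text passes all three. They are useful for triage, not as the sole defence.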
The phishing theory certainly seems to be shared by James Ball, a journalist at The Guardian who tweeted about a phishing attack:
The guys doing the Guardian phishing attack I mentioned yesterday (it's SEA) are really very good: sustained, changing, mails today.
James Ball’s tweet was an update to an earlier message he had posted over the weekend:
Hm. Phishing attack specifically targeted at Guardian journalists in my inbox right now. SEA at work again?
According to some media reports, a total of 11 accounts belonging to The Guardian were hijacked – and although some have been recovered, others appear to either still be harbouring the unauthorised tweets or to have been suspended by Twitter security.
Hopefully, The Guardian will regain control of all its accounts soon, and will join the growing band of organisations hoping that Twitter introduces stronger security for corporate accounts.
Make sure that the staff in your company are on the lookout for suspicious emails, and are clued-up about safe password usage, to reduce the chances of being phished. Bear in mind that a password typed into a fake login page is stolen however strong it is, so the lesson is to check where a login link really leads before entering anything.