Seriously, this is how the Syrian Electronic Army hacked The Onion

Filed Under: Featured, Google, Malware, Phishing, Security threats, Twitter

The Syrian Electronic Army hacked into The Onion’s Twitter account on Monday, publishing fake anti-Israeli stories and an anti-Obama "meme" image.

Then the satirical news publication kept tongue firmly in cheek with a post, titled "Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Deaths At Hands Of Rebels":

"We figured that before they bust in here and execute every single one of us, we might as well have a good time and post some silly tweets about Israel from a major media outlet’s feed."

By Wednesday, after it had served up tips to avoid getting hacked,* the Onion's tech team got serious and posted this writeup of how the takeover happened.

In a nutshell, the Onion fell prey to phishing, in three successive waves that breached Onion employees' Google Apps accounts.

The first attempt came around May 3, when the SEA sent phishing emails to some Onion employees. The email included a spoofed link, purportedly to an article about The Onion published by The Washington Post; in fact it went through a few redirects before depositing its targets at a site that requested Google Apps credentials and then redirected them to a Gmail inbox.

The tech team says that the emails came from "strange, outside addresses" and were sent to just a few employees, making them appear to be "just random noise rather than a targeted attack."

At least one employee fell for it.

After breaching that account, the attackers used it to send the same phishing email to more Onion staff around 2:30 AM on Monday.

Coming from a trusted address, the email got a lot of click-throughs.

Most staffers refrained from entering their login credentials, but two fell for the ruse. Unfortunately, one of the two had access to all of The Onion's social media accounts.

The Onion discovered that at least one account had been compromised and sent out an email asking that all staffers change passwords immediately.

But the attacker used another undiscovered, compromised account to send a duplicate email that again included a link to the phishing page, this time disguised as a password-reset link.

When the attackers sent this duplicate email, they cannily skipped sending it to members of The Onion's tech or IT teams, ensuring it went undetected.

This third and final phishing attack compromised at least 2 more accounts, The Onion reports, one of which was used to further abuse the Twitter account.

That's when the editorial team started to publish satirical articles inspired by the attack.

The article about how the SEA would soon be slaughtered provoked the attacker, who began posting editorial emails on their Twitter account.

At that point, The Onion figured it couldn't know whose Google Apps accounts had been hacked, so it forced a password reset on everybody's account.

The Onion published these tips to avoid getting our Twitter accounts hacked. These are the ones that we should all take seriously:

  • Make sure that your users are educated, and that they are suspicious of all links that ask them to log in, regardless of the sender.
  • The email addresses for your Twitter accounts should be on a system that is isolated from your organization’s normal email. This will make your Twitter accounts virtually invulnerable to phishing (providing that you’re using unique, strong passwords for every account).

    [Note: either use a password manager to generate and store passwords or check out Graham Cluley's method to create a strong password.]

  • All Twitter activity should go through an app of some kind, such as HootSuite. Restricting password-based access to your accounts prevents a hacker from taking total ownership, which takes much longer to rectify.
  • If possible, have a way to reach out to all of your users outside of their organizational email. In the case of the Guardian hack, the SEA posted screenshots of multiple internal security emails, probably from a compromised email address that was overlooked.
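As an added defender-side example (not part of the original article or The Onion's writeup), the Python below checks for the two traits the lure described above relied on, and that the first tip asks users to be suspicious of: a link whose visible text claims one site while its href points elsewhere, and a recorded redirect chain that ends on a different host at a page asking for a password. The email body, redirect hops and landing page are constructed samples; the `.example` hosts are placeholders, not real redirectors or phishing domains.

```python
import re
from urllib.parse import urlparse

# Constructed lure in the shape the article describes: the visible text claims a
# Washington Post URL, but the href goes to a redirector. The second link is benign.
SAMPLE_EMAIL_HTML = """<p>Did you see this piece about The Onion?</p>
<a href="http://redirector.example/go?u=1">http://www.washingtonpost.com/news/onion</a>
<p>More: <a href="http://www.washingtonpost.com/about">about page</a></p>"""

# Constructed redirect hops (as a mail gateway or URL sandbox might record them)
# and a constructed landing page shaped like a Google Apps credential prompt.
SAMPLE_CHAIN = ["http://redirector.example/go?u=1", "http://short.example/abc",
                "http://accounts-login.example/ServiceLogin"]
SAMPLE_LANDING_HTML = '<form><input name="Email"><input type="password" name="Passwd"></form>'

ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)

def host_of(url):
    """Lower-cased hostname of a URL, or None if it has none."""
    host = urlparse(url).hostname
    return host.lower() if host else None

def mismatched_links(html):
    """Flag anchors whose visible text is a URL on a different host than the href:
    the 'spoofed link' pattern. Simple regex extraction is enough for mail bodies here."""
    flagged = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()          # drop inline tags in link text
        shown = host_of(text) if re.match(r"https?://", text) else None
        if shown and shown != host_of(href):
            flagged.append({"href": href, "shown_host": shown, "real_host": host_of(href)})
    return flagged

def asks_for_credentials(landing_html):
    """Heuristic: does the landing page contain a password field?"""
    return re.search(r"<input[^>]*type=[\"']?password", landing_html, re.I) is not None

def chain_verdict(chain, claimed_host, landing_html):
    """'ok' if the recorded chain ends on the host the link claimed; otherwise
    'credential-phish' when the landing page asks for a password, else 'redirect-mismatch'."""
    if host_of(chain[-1]) == claimed_host:
        return "ok"
    return "credential-phish" if asks_for_credentials(landing_html) else "redirect-mismatch"

if __name__ == "__main__":
    for hit in mismatched_links(SAMPLE_EMAIL_HTML):
        print("spoofed link:", hit)
    print("chain verdict:", chain_verdict(SAMPLE_CHAIN, "www.washingtonpost.com", SAMPLE_LANDING_HTML))
```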

*Tips to avoid getting hacked that you should not take seriously, also courtesy of The Onion, via National Public Radio:

  • Move site to a new web address every few minutes.**
  • Reduce interest in your website by avoiding popular subjects.***
  • If you receive an email asking for your password, dig deeper by entering information.****

[**This is impossible.]
[***This is inadvisable if you want anybody to read your site.]
[****No, no, no, no, no.]

5 Responses to Seriously, this is how the Syrian Electronic Army hacked The Onion

  1. Alan · 844 days ago

    You missed the best bit:

    Onion Twitter Password Changed To OnionMan77--'That Ought To Do It,' Company Sources Confirm

    "Onion IT specialist Nick Abersold, who noted that the new password’s length and use of numbers makes it “virtually impenetrable.” “There are no spaces, and the O and M are both capitalized—both tactics that I think will keep us safe for the foreseeable future. Also, there’s not one, but two 7s."

    • Lisa Vaas · 844 days ago

      That was a good bit. Hard to write about The Onion without wanting to excerpt everything they write, ya know? I should have written "just stop reading right now and go check out every post The Onion made."

  2. Interesting to read that such a 'high profile' company has someone working for them that still falls for a phishing scam - well executed or not, basic common sense would tell people not to respond to those emails in any way and visit the site itself directly before logging in.

    It still surprises me how so many 'intelligent' people continue to fall for such stupid antics - I wonder how many have actually contacted our friendly Nigerian diplomats...

  3. Thomas · 844 days ago

    The homepage of Google Apps prominently displays "Google Apps for Business:Discover a better way of working". Perhaps a good sales tool, but is it really a better way of working? It's about the same risk using Gmail, or any external webmail, compared to a dedicated internal server email program. Either way, you have to educate your employees, put some rules in place, and have an administrator enforce them. But putting your documents, calendar, spreadsheets, presentations, and files "in the cloud" and accessible to all who need them, as well as on devices they take out the door with them, seems like a security breach waiting to happen, at least to me. I guess I'm just too "old school". I put more value on security than on convenience.

  4. Obviously it's better not to get hacked in the first place, but given that what's done is done I love that The Onion managed to hilariously handle this entire situation "in character", if you will.

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.