The Onion’s 4 Tips for Social Media Security

By Evan LePage • 12 months ago • 4 Comments


On May 6th, the popular satirical news site the Onion became the latest victim in a series of Twitter account hacks by a group calling itself the Syrian Electronic Army. Its usual tweets linking to farcical articles and funny videos were replaced with politically tinged messages and the line “The Syrian Electronic Army Was Here.”

In recent weeks, the group has managed to hack NPR, the Associated Press, the Guardian and CBS, among others. So how have they been able to gain access to these social media accounts? The Onion’s tech team has explained in a blog post how it happened to them and offered 4 tips for social media security.

Three Simple Phishing Techniques

An example of the phishing email that fooled Onion employees. Screenshot by the Onion Inc. Tech Blog on Github.

Ultimately, the hackers used three different methods to phish the Google Apps accounts of Onion employees. They started by sending phishing emails containing a link that appeared to lead to a Washington Post article but actually led to a page asking employees to enter their Google Apps credentials, password included. At least one employee entered their information, which gave the attackers access to that account.

The second method involved sending further phishing emails from that compromised employee’s account. These emails gained more traction because they came from a colleague’s genuine address rather than from an outside sender, so recipients had little reason to be suspicious.

The Syrian Electronic Army hacked the Onion’s Twitter account using three simple phishing techniques. Screenshot by Vice.

At this point the tech team found out that accounts had been compromised and sent an email to all employees asking them to change their passwords. The hackers then mimicked that security email and included a link to a phishing page disguised as a password-reset form, which at least two employees filled out. In total, five Google Apps accounts were compromised through the three phishing schemes.

With the credentials gathered using these techniques, the Syrian Electronic Army was able to gain control of the Onion’s Twitter account and send out several tweets. A company-wide password reset was ultimately used to resolve the issue.
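All three phishing steps above rely on the same trick: a link whose visible text or surrounding message suggests one destination (a Washington Post article, the company’s own password-reset notice) while the href points at an attacker-controlled login page. The following checker, added here as an example and not code from the Onion’s tech blog or from HootSuite, flags anchors in an HTML email body whose displayed domain differs from the real link host, credential or reset links that lead anywhere other than the real identity provider, and login links served over plain http. The trusted-host list and the three sample email bodies are constructed for the example.

```python
# Added example (not from the Onion tech blog or HootSuite): flag deceptive
# links in an HTML email body. Sample bodies and TRUSTED_LOGIN_HOSTS are
# constructed assumptions for illustration.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only host at which staff should ever type their Google Apps
# password. Replace with your own identity provider's login host.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}

# Words that mark a link as a credential prompt rather than an ordinary article.
CREDENTIAL_WORDS = re.compile(r"log ?in|sign ?in|password|reset|verify", re.I)

# Something that looks like a domain name inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: keeps the last two labels (adequate for .com/.net/.org hosts)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_links(html):
    collector = LinkCollector()
    collector.feed(html)
    return collector.links


def suspicious_links(html):
    """Return [(href, [reason, ...])] for every anchor a user should not click."""
    findings = []
    for href, text in extract_links(html):
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        shown = DOMAIN_IN_TEXT.search(text)
        # The visible text names one site, the href goes to another.
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append(f"text shows {shown.group(1)} but the link goes to {host}")
        # A real login form is never served over plain http.
        if parsed.scheme == "http":
            reasons.append("plain http: a real login page would use https")
        # Credential prompts must point at the real identity provider only.
        if CREDENTIAL_WORDS.search(text + " " + href) and host not in TRUSTED_LOGIN_HOSTS:
            reasons.append(f"credential prompt on untrusted host {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample bodies (not the real emails the Onion received).
PHISH_ARTICLE = (
    '<p>Saw this on the Post this morning, thought you would like it: '
    '<a href="http://login-verify.example.net/google/auth">'
    'http://www.washingtonpost.com/blogs/style/the-onion</a></p>'
)
PHISH_RESET = (
    '<p>IT has asked everyone to change passwords today. '
    '<a href="https://accounts-google.example.org/reset">Reset your password</a></p>'
)
LEGIT = (
    '<p>Article: <a href="https://www.washingtonpost.com/blogs/style/the-onion">'
    'washingtonpost.com/blogs/style/the-onion</a></p>'
    '<p>Change it here: <a href="https://accounts.google.com/signin/recovery">'
    'accounts.google.com</a></p>'
)

if __name__ == "__main__":
    for name, body in [("PHISH_ARTICLE", PHISH_ARTICLE),
                       ("PHISH_RESET", PHISH_RESET), ("LEGIT", LEGIT)]:
        print(name, suspicious_links(body))
```

The first sample reproduces the article-link trick (displayed washingtonpost.com, real host elsewhere), the second the fake password-reset notice (no displayed domain at all, so only the trusted-host rule catches it), and the third shows that genuine article and reset links pass. The registrable-domain helper is deliberately simple; for production use a public-suffix list so that hosts under country-code second-level domains are compared correctly.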

4 Tips from the Onion’s tech team

The Onion’s tech team concluded that the hackers’ methods were very basic and could have been prevented with a few simple security measures. The four measures they suggest are, word for word, as follows:

  1. “Make sure that your users are educated, and that they are suspicious of all links that ask them to log in, regardless of the sender.”
  2. “The email addresses for your twitter accounts should be on a system that is isolated from your organization’s normal email. This will make your Twitter accounts virtually invulnerable to phishing (providing that you’re using unique, strong passwords for every account).”
  3. “All twitter activity should go through an app of some kind, such as HootSuite. Restricting password-based access to your accounts prevents a hacker from taking total ownership, which takes much longer to rectify.”
  4. “If possible, have a way to reach out to all of your users outside of their organizational email. In the case of the Guardian hack, the SEA posted screenshots of multiple internal security emails, probably from a compromised email address that was overlooked.”


Other Resources on Social Media Security:

A guide to HootSuite’s security features: http://socialbusiness.hootsuite.com/hootguide-social-media-security.html

HootSuite’s CEO Ryan Holmes provides tips on “How Not to Have Your Social Media Accounts Hacked”: http://blog.hootsuite.com/ryanholmes-linkedin-social-media-security/

Ryan Holmes’ “7 Ways to Hack-Proof Your Companies Social Media”: http://blog.hootsuite.com/7-ways-hack-proof-social-media/

Ryan Holmes on “How HootSuite Protects Your Social Network Identity” for Bloomberg West: http://blog.hootsuite.com/how-hootsuite-protects-your-social-network/

A HootSuite University Lecture Series on “How to Protect Your Brand Against Social Media Hackers”: http://blog.hootsuite.com/social-media-security-webinar/

Author: Evan LePage

Evan LePage has written 180 posts for the HootSource blog.

Evan is a Social Content Writer for HootSuite. He writes features, news items, releases and all things HootSuite.


4 comments
John Sutherland

Well, thanks for the patently obvious! Problem is, even us tech-heads get caught out, so there is little hope for the non-cognoscenti. My real worry - seriously - is when the phishers and scammers start to use proper English. Then I fear we are royally screwed!

Jordan Behan

Your fear is a rational one John, but as Deb suggests above, I believe the key tip they shared is to look at the urls.

If we've (with a hat tip to the Onion's tech team) shed light on that one tip for even just a small handful of users, it's worth it.

Is this a good place to plug the fact that the HootSuite dashboard supports https?

Deb

I did this to an entire class when I was in school: they almost all signed in to a phony Yahoo login page I emailed out and effectively gave me their passwords. I deleted them all, but not until after they felt dumb for making such an obvious mistake.

Does no one actually look at the address bar before signing in somewhere?

Jordan Behan

Sneaky! Good to hear you're using skills for good though, Deb.
