On May 6th, popular satirical news site the Onion became the latest victim in a series of Twitter account hacks by a group called the Syrian Electronic Army. Their regular tweets to farcical articles and funny videos were replaced with politically-tinged messages as well as “The Syrian Electronic Army Was Here.”
In recent weeks, the group has managed to hack NPR, the Associated Press, the Guardian and CBS, among others. So how have they been able to gain access to these social media accounts? The Onion’s tech team has explained in a blog post how it happened to them and offered 4 tips for social media security.
Three Simple Phishing Techniques
Ultimately, the hackers used three different methods to phish the Google Apps accounts of Onion employees. They started off by sending phishing emails which used a link disguised as a Washington Post article to prompt employees to enter their Google Apps credentials (including passwords). This gained them access to the account of at least one employee who entered their information.
The second method involved sending further phishing emails from that one employee’s account. These emails gained more traction since they were sent by a staff member trusted by his or her peers.
At this point the tech team found out that accounts had been compromised and sent an email to all employees asking that they change their passwords. The hackers then mimicked that security email and included a link to a phishing page disguised as a password reset, which at least two employees filled out. In total, 5 Google Apps accounts were compromised through the three phishing schemes.
With all of the credentials they gathered using these techniques, the Syrian Electronic Army was able to gain control of the Onion’s Twitter account and send out several Tweets. A company-wide password reset was ultimately used to resolve the issue.
4 Tips from the Onion’s tech team
The Onion’s tech team concluded that the hackers’ methods were very basic and could be prevented with a few simple security measures. The four measures they suggest are, word for word, as follows:
- “Make sure that your users are educated, and that they are suspicious of all links that ask them to log in, regardless of the sender.”
- “The email addresses for your twitter accounts should be on a system that is isolated from your organization’s normal email. This will make your Twitter accounts virtually invulnerable to phishing (providing that you’re using unique, strong passwords for every account).”
- “All twitter activity should go through an app of some kind, such as HootSuite. Restricting password-based access to your accounts prevents a hacker from taking total ownership, which takes much longer to rectify.”
- “If possible, have a way to reach out to all of your users outside of their organizational email. In the case of the Guardian hack, the SEA posted screenshots of multiple internal security emails, probably from a compromised email address that was overlooked.”
Other Resources on Social Media Security:
A guide to HootSuite’s security features: http://socialbusiness.hootsuite.com/hootguide-social-media-security.html
HootSuite’s CEO Ryan Holmes provides tips on “How Not to Have Your Social Media Accounts Hacked”: https://blog.hootsuite.com/ryanholmes-linkedin-social-media-security/
Ryan Holmes’ “7 Ways to Hack-Proof Your Companies Social Media”: https://blog.hootsuite.com/7-ways-hack-proof-social-media/
Ryan Holmes on “How HootSuite Protects Your Social Network Identity” for Bloomberg West: https://blog.hootsuite.com/how-hootsuite-protects-your-social-network/
A HootSuite University Lecture Series on “How to Protect Your Brand Against Social Media Hackers”: https://blog.hootsuite.com/social-media-security-webinar/