The Syrian Electronic Army (SEA) phished Google Apps accounts belonging to Onion employees using three separate methods. On May 3, 2013, the SEA sent phishing emails to Onion employees from address that appeared odd. They sent these emails to just a few Onion employees. This kept the SEA from being detected.
One Onion employee fell for the phishing attack. Once the SEA had access to this employee’s account, they used it to send the same email to multiple Onion employees. Here’s what happened:
- Other staff members at Onion clicked the link because it was sent to them by a trusted address.
- Most of Onion’s employees were smart enough to refrain from entering important login credentials.
- Unfortunately, two employees from Onion did enter their credentials.
- One of the employees had access to all of the company’s social media accounts.
- Once the company realized that an account was compromised, they sent out a company-wide email asking every employee to change their email passwords immediately.
- The attacker used their access to hack another undiscovered account
- The hacker sent a duplicated copy of the email, along with a link disguised as a password-reset link.
- This went undetected because the duplicated email wasn’t sent to IT teams or any member of the technical department.
The third phishing attack was the final one; it compromised two more accounts. One of the accounts was used for Onion’s Twitter account. Once the third attack occurred, the editorial staff at Onion published articles referencing the attack. One of the articles is noted here:
Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Deaths At Hands Of Rebels | The Onion – America’s Finest News Source.
These articles made the SEA angry, and in retaliation they posted editorial emails on Onion’s Twitter account. The staff at Onion decided that none of their accounts were safe because there was no way to tell which accounts had been compromised, and which hadn’t. So all Onion employees were required to reset their passwords.
Ensure This Doesn’t Happen to You
The SEA wasn’t using complex methods of attack. This becomes clear when we examine incident, and others like this one such as the Guardian and Associated Press attacks. All of these attacks were accomplished using simple phishing strategies; possibly using dictionary attacks, that are easily preventable if you employ a few simple security measures.
- Keep email addresses for Twitter accounts isolated from emails that your staff typically uses. This will help ensure your Twitter accounts aren’t vulnerable to phishing.
- Always use unique and strong passwords for every account.
- Make sure that all users are educated and suspicious of any links asking for login information, regardless of who sent the link.
- To prevent a hacker from taking ownership of accounts, restrict all password-based access.
- Ensure that all Twitter activity goes through some kind of application such as HootSuite.
- Try to find a way to communicate to users without using their organisational email. The SEA posted screenshots of multiple internal security emails during the Guardian hack. This was probably due to a compromised email address that was overlooked.
Have questions about your business technology security? Give us a call and book a time with our Information Technology security experts today. We are your technology support experts, we are here to help you.