The Onion details SEA/Twitter compromise
Source: The Onion
The technical team at The Onion – "America's Finest News Source" and renowned satire site – has detailed how its Twitter account was compromised this week, giving an insight into how the Syrian Electronic Army (SEA) stages these hijackings, which have also affected the AP and The Guardian. The Onion Twitter account hijacking, which confused readers who were unsure whether it was The Onion operating in satirical mode, began with a phishing attack that tricked Onion staff into clicking an apparent "Washington Post" URL. The link actually took the staff members to a site which redirected them to another site that asked for Google Apps credentials and, once these were given, sent them on to their Gmail inbox.
These mails came from unknown email addresses, but eventually the phishing gave the SEA one of the employees' accounts. Rather than try to stage an attack with these credentials, the SEA hacker used the email account to send out more phishing mail, but this time from a trusted source. One of the two victims of this pass had access to all of The Onion's social media accounts, which enabled the attackers to use the hijacked account to start sending SEA messages.
When the technical team realised one account had been compromised, a password-reset email was sent telling users to reset their passwords immediately. Unfortunately, the attacker used this as a further opportunity to send out a fake password reset message with a link to the credential-stealing page. To prevent this being detected, they also ensured that the technical team would not get this email. This final pass compromised two more accounts, one of which was used to retain possession of the Twitter account.
The Onion's editorial team started writing articles mocking the attacker, who retaliated by posting editorial email information to Twitter. At this point, the technical team "forced a password reset on every staff member’s Google Apps account". The Onion's advice is to educate all users to be suspicious of all links that ask a user to log in, to isolate Twitter account emails from normal email, and to use a Twitter app that can restrict password-based access to the accounts. They also suggest that organisations ensure they have an alternative way of contacting employees that can be used when dealing with such a compromise.
Elsewhere on The Onion site, in news more in keeping with the publication's ethos: The Onion Twitter password has been changed to OnionMan77.
(djwm)