Techies at The Onion: Here's how Syrian Electronic Army hacked our Twitter

New password: OnionMan77

Techies at satirical news outfit The Onion have posted an informative explanation about how pro-Assad hacktivists from the Syrian Electronic Army hijacked their official Twitter account on Monday.

Previously the Syrian Electronic Army (SEA) has shanghaied its way into the official Twitter feeds of AP and the Guardian, using the former to post a tweet falsely claiming that there had been an explosion at the White House. The tweet caused the Dow Jones to briefly plummet, before stocks recovered after everyone realised it was a hoax.

We don't know how the keys to the AP or Guardian feeds were purloined, but in Monday's break-in to @theonion the SEA used a multi-phase phishing attack, techies at "America's Finest News Source" explained.

The first phase of the assault attempted to trick Onion staff into following a link purportedly to an article about The Onion published by The Washington Post. That link led to a fake site set up by hackers that requested Google Apps credentials. In turn, these credentials allowed the hacktivists to get into the Onion's Gmail accounts.

Hackers then used the compromised accounts to send out further phishing emails along the same lines - but this time the emails came from a trusted source. At this point the hacktivists struck gold: one of the two compromised accounts was associated with The Onion's social media accounts, allowing the pro-Assad group to hijack @TheOnion. Followers wondered whether or not updates such as “UN retracts report of Syrian chemical weapon use: Lab tests confirm it is Jihadi body odor” were unusually edgy satire or a sign that the feed had been kidnapped.

Th3 Pr0, a member of the SEA, told The New York Times that his crew targeted The Onion because of a recent parody supposedly put together by Syrian President Bashar Al-Assad, entitled: “Hi, In The Past 2 Years, You Have Allowed Me To Kill 70,000 People.”

The attack prompted techies at The Onion to email staff advising them to change their passwords. The hacktivists responded with an attempt to sow confusion by sending out a fake password reset message with links back to their credential-stealing page. Cannily, the SEA ensured none of these phishing emails went to anyone on the Onion's tech support team. This fresh assault trapped two new victims, one of whose accounts was subsequently abused to keep control of the seized Twitter profile.

The Onion's editorial team responded to the hack by posting articles mocking its attackers, such as "Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Deaths At Hands Of Rebels". The SEA briefly (and humourlessly) retaliated by posting editorial email information on Twitter before the account was returned to its rightful owners.

In the aftermath of the hack, The Onion's techies said user education about phishing is a vital first step in guarding against attacks on corporate social networking feeds.

Taking over a Twitter account is possible through a variety of mechanisms including phishing, password guessing, weak password reset set-ups and use of the same login credentials on Twitter and a site that becomes the victim of a password database compromise.

Isolating Twitter-linked accounts from regular email accounts and other preventive steps can limit the scope for mischief that arises from successful phishing attacks, while having alternative ways to contact employees if anything goes wrong can help resolve the results of any security breach quickly, the Onion tech team further suggests.

Two-step authentication techniques, such as sending a code by SMS to pre-registered phones to confirm password changes or use of tokens, promise to clamp down on account hijacking, which has peaked over recent weeks. Twitter is set to roll out two-step authentication in the near future.

All this sounds fair enough, and far better than the satirical notice that "The Onion Twitter password has been changed to OnionMan77" or its top tips for other media outlets on how to avoid getting hacked.

Additional security-related comment on the incident, alongside screenshots of several fake Tweets put out by the SEA, can be found in a blog post by Sophos. ®
