Feeds

Techies at The Onion: Here's how Syrian Electronic Army hacked our Twitter

New password: OnionMan77

Reducing security risks from open source software

Techies at satirical news outfit The Onion have posted an informative explanation about how pro-Assad hacktivists from the Syrian Electronic Army hijacked their official Twitter account on Monday.

Previously the Syrian Electronic Army (SEA) has shanghaied its way into the official Twitter feeds of AP and the Guardian, using the former to post a tweet falsely claiming that there had been an explosion at the white House. The tweet caused the Dow Jones to briefly plummet, before stocks recovered after everyone realised it was a hoax.

We don't know how the keys to the AP or Guardian feeds were purloined, but in Monday's break-in to @theonion the SEA used a multi-phase phishing attack, techies at "America's Finest News Source" explained.

The first phase of the assault attempted to trick Onion staff into following a link purportedly to an article about The Onion published by The Washington Post. That link led to a fake site set up by hackers that requested Google Apps credentials. In turn, these credentials allowed the hacktivists to get into the Onion's Gmail accounts.

Hackers then used the compromised accounts to send out further phishing emails along the same lines - but this time the emails came from a trusted source. At this point the hacktivists struck gold: one of the two compromised accounts was associated with The Onion's social media accounts, allowing the pro-Assad group to hijack @TheOnion. Followers wondered whether or not updates such as “UN retracts report of Syrian chemical weapon use: Lab tests confirm it is Jihadi body odor” were unusually edgy satire or a sign that the feed had been kidnapped.

Th3 Pr0, a member of the SEA, told The New York Times that his crew targeted The Onion because of a recent parody supposedly put together by Syrian President Bashar Al-Assad, entitled: “Hi, In The Past 2 Years, You Have Allowed Me To Kill 70,000 People.”

The attack prompted techies at The Onion to email staff advising them to change their passwords. The hacktivists responded with an attempt to sow confusion by sending out a fake password reset message with links back to their credential-stealing page. Cannily, the SEA ensured none of these phishing emails went to anyone on the Onion's tech support team. This fresh assault trapped two new victims, one of whose accounts was subsequently abused to keep control of the seized Twitter profile.

The Onion's editorial team responded to the hack by posting articles mocking its attackers, such as "Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Deaths At Hands Of Rebels". The SEA briefly (and humourlessly) retaliated by posting editorial email information on Twitter before the account was returned to its rightful owners.

In the aftermath of the hack The Onion's techies said user education about phishing is a vital first step against guarding against attacks against corporate social networking feeds.

Taking over a Twitter account is possible through a variety of mechanisms including phishing, password guessing, weak password reset set-ups and use of the same login credentials on Twitter and a site that becomes the victim of a password database compromise.

Isolating Twitter-linked accounts from regular email accounts and other preventive steps can limit the scope for mischief that arises from successful phishing attacks, while having alternative ways to contact employees if anything goes wrong can help resolve the results of any security breach quickly, the Onion tech team further suggests.

Two-step authentication techniques, such as sending a code by SMS to pre-registered phones to confirm password changes or use of tokens, promises to clamp down on account hijacking, which has peaked over recent weeks. Twitter is set to roll out two-step authentication in the near future.

All this sounds fair enough, and far better than the satirical notice that "The Onion Twitter password has been changed to OnionMan77" or its top tips for other media outlets on how to avoid getting hacked.

Additional security-related comment on the incident, alongside screenshots of several fake Tweets put out by the SEA, can be found in a blog post by Sophos. ®

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
L33t haxxors compete to p0wn popular home routers
EFF-endorsed SOHOpelessly Broken challenge will air routers' dirty zero day laundry
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.