The technical team that runs The Onion's online operation has issued a detailed explanation of how the Syrian Electronic Army managed to gain control of the satirical website's Twitter account earlier this week by first coaxing Google Apps credentials out of a few employees.
The episode began on or about May 3 with a phishing email sent to "various Onion employees," according to a post on The Onion Tech Blog, which appears to be brand new (yes, I asked, and it's legit). Here's what that email looked like:
While the URL appears legitimate, I am frankly surprised that anyone would take this bait, given that the excessive formality of the greeting - "Dear The Onion Journalists" - and the stilted sentence construction of "Please read the following article for its importance" both seem clear signs of a phishing attempt by someone whose primary language is not English.
However, the URL was not from the Washington Post - it redirected to a phishing site - and not everyone at The Onion picked up on the red flags.
These emails were sent from strange, outside addresses, and they were sent to few enough employees to appear as just random noise rather than a targeted attack. At least one Onion employee fell for this phase of the phishing attack.
Once the attackers had access to one Onion employee's account, they used that account to send the same email to more Onion staff at about 2:30 AM on Monday, May 6. Because it came from a trusted address, many staff members clicked the link, but most refrained from entering their login credentials. Two staff members did enter their credentials, one of whom had access to all of our social media accounts.
Even at that point there was a chance the attack could have been thwarted, but the phishers were persistent.
After discovering that at least one account had been compromised, we sent a company-wide email to change email passwords immediately. The attacker used their access to a different, undiscovered compromised account to send a duplicate email which included a link to the phishing page disguised as a password-reset link. This dupe email was not sent to any member of the tech or IT teams, so it went undetected. This third and final phishing attack compromised at least 2 more accounts. One of these accounts was used to continue owning our Twitter account.
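The three waves above share two mechanics that mail filtering can catch before a user does: a link whose visible text names one site (a Washington Post article) while its href points somewhere else, and a "reset your password" link that leads off the organization's own domains. The script below is an added example, not code from The Onion Tech Blog or from Network World; the sample messages, the sender addresses, the `news-tracker.example.org` lure host and the `TRUSTED_DOMAINS` allowlist are all constructed stand-ins, and the "registrable domain" helper is a deliberate simplification of the public suffix list.

```python
"""Flag the two lures described in the Onion write-up:
  - an anchor whose visible text names a different site than its href, and
  - a password-reset lure whose link leaves the organization's trusted domains.
Added example with constructed sample data; not The Onion's own tooling."""

from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains the organization legitimately uses for mail and
# account recovery. Stand-ins, not The Onion's real domains.
TRUSTED_DOMAINS = {"example-news.com", "google.com"}

# Words that, combined with an off-domain link, mark a credential lure.
RESET_WORDS = ("password", "reset", "verify your account")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1 (last two labels). Fine for .com/.org samples; a real
    deployment would consult the public suffix list instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(text):
    """Host named by a URL or bare hostname in link text, else None."""
    candidate = text if "://" in text else "http://" + text
    try:
        host = urlparse(candidate).hostname
    except ValueError:
        return None
    return host if host and "." in host else None


def analyse(message):
    """Return a list of (rule, href) findings for one message dict."""
    findings = []
    parser = LinkExtractor()
    parser.feed(message["html"])
    body = message["html"].lower()
    mentions_reset = any(w in body for w in RESET_WORDS)
    for href, text in parser.links:
        target = registrable(urlparse(href).hostname or "")
        shown = host_of(text)
        # Wave 1/2: the text looks like a news URL, the href goes elsewhere.
        if shown and registrable(shown) != target:
            findings.append(("link-text-mismatch", href))
        # Wave 3: a "change your password" mail whose link leaves our domains.
        if mentions_reset and target not in TRUSTED_DOMAINS:
            findings.append(("reset-lure-off-domain", href))
    return findings


# Constructed sample messages modelled on the three waves in the post.
SAMPLE_EMAILS = [
    {   # wave 1: outside sender, article link text, redirector href
        "from": "alerts@random-sender.example.net",
        "html": '<p>Dear The Onion Journalists,</p><p>Please read the following '
                'article for its importance: <a href="http://news-tracker.example.org/r/8821">'
                'http://www.washingtonpost.com/world/article</a></p>',
    },
    {   # wave 3: internal (compromised) sender, off-domain "reset" link
        "from": "editor@example-news.com",
        "html": '<p>Per IT, change your password now: '
                '<a href="http://news-tracker.example.org/reset">Reset password</a></p>',
    },
    {   # benign: internal IT mail pointing at the real account page
        "from": "it@example-news.com",
        "html": '<p>Reset your password at <a href="https://accounts.google.com/'
                'signin/recovery">https://accounts.google.com</a></p>',
    },
]


if __name__ == "__main__":
    for msg in SAMPLE_EMAILS:
        print(msg["from"], analyse(msg))
```

The mismatch rule fires on the first lure even though the mail came from an unknown sender, and the reset rule fires on the third-wave mail even though it came from a trusted internal address, which is the case a sender-reputation check alone would miss. Neither rule fires on the benign IT mail, because its visible text and href agree and its target is on the allowlist.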
And while the headline on this post says there was nothing funny about all of this, that isn't literally true, because, after all, we're talking about The Onion.
At this point the editorial staff began publishing articles inspired by the attack. The second article, Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Deaths At Hands Of Rebels, angered the attacker who then began posting editorial emails on their Twitter account. Once we discovered this, we decided that we could not know for sure which accounts had been compromised and forced a password reset on every staff member's Google Apps account.
The post concludes with a number of tips for helping your organization avoid this type of trouble.