The Onion, the Internet’s favorite parody news site, was recently the victim of a hack that compromised their corporate Google Accounts as well as their Twitter accounts. They were hacked by the Syrian Electronic Army (SEA). [You may have heard of the SEA.] They’re the group that hacked into the AP Twitter account and announced that two bombs went off in the White House injuring President Obama. This news sent the DOW plummeting; erasing billions of dollars from the exchanges. [Yeah, those guys.] Using the same method, phishing, the SEA orchestrated a three-staged social engineering attack that yielded access to the The Onion staff Google accounts and Twitter accounts. Let’s take a look at how they did it.
Step one: SEA sent out a limited-audience phishing email targeted at the reporters and writers. The email looked like an email from the Washington Post encouraging the recipients to review the linked article.
Instead of linking to a legitimate Washington Post article, the link presented users with a prompt to enter their Google Account credentials. Because this email was sent from an unknown outside address, not a lot of people clicked on it (let alone enter their credentials), but one did. That’s all it takes.
Step two: Using the Gmail account of the person who entered their credentials, the hackers sent the same email out to different members of The Onion staff. Because this email came from a presumed trusted source, an Onion employee, it had a much higher success rate. One of the users who entered credentials had access to all the company’s social media accounts. Now the hackers had access to all The Onion’s social media.
The Onion IT sent out important emails requiring everyone to reset their passwords. What The Onion staff didn’t realize is the hackers had access to another, previously unknown account and were monitoring things.
Step three: When the hackers saw the password reset email go out, they immediately sent another phishing email, to all staff except IT, with a password reset link! This duplicate message compromised even more accounts and the SEA began posting editorials under The Onion’s Twitter account. The final step was a forced reset of every Onion employee account.
Consistent, real world education is the only way to protect your organization from the threats of social engineering. Once again we see another high profile hack, perpetrated by sophisticated hackers, utilizing the tried and true methods of social engineering… a relatively low-tech approach.