The Onion has released a detailed account of how it believes the Syrian Electronic Army hacked into its extremely popular Twitter account the other day, providing a rare glimpse at the simple yet devious spear-phishing emails that can crack major media outlets — and probably you. There are easy ways to avoid such open-and-click hacks (even The Onion has "tips"), but it's also pretty easy to see how The Onion, which guards its nearly 5-million follower account tightly despite the occasional mess-up, could have fallen for the infected link. It all started with this email, sent to a few staffers on Monday before the @TheOnion takeover a few hours later:
Here's what you can do to be smarter than the editors at The Onion, even if they're still funnier than you:
1. Quadruple-check the sender's email address.
The first rule of not getting spear-phished — after you understand what that even means — is to check the full email address of a shady email. If the user name or URL looks strange, don't click the link therein. If, say, a U.N. refugee agency isn't usually sending you Washington Post stories about your day job, maybe think twice about it, too. But it only takes one person to fall for the link and transform what seems like a simple email attack into a far more sophisticated one — and "at least one Onion employee fell for this phase of the phishing attack," The Onion's tech team explains in its post from last night. (Employees at several other online news organizations, apparently, did not fall for it.)
2. Check the links or attachments closely.
Even if step one seems easy, avoiding a hack takes a little more sleuthing. With that one compromised email account, the SEA hackers sent the same malicious link using a trusted address, which is where things started to fall apart:
Once the attackers had access to one Onion employee’s account, they used that account to send the same email to more Onion staff at about 2:30 AM on Monday, May 6. Coming from a trusted address, many staff members clicked the link, but most refrained from entering their login credentials.
As the Onion post explains, that supposed Washington Post link (DO NOT CLICK THIS) went to "http://hackedwordpresssite.com/theonion.php," which redirected to the less evil-looking URL "http://googlecom.comeze.com/a/theonion.com/Service.Login?&passive=1209600&cpbps=1&continue=https://mail.google.com/mail/." Again, don't click them, but suffice it to say they don't have anything to do with a serious Washington Post article. If you right-click a link to copy the URL into your browser bar — rather than just clicking straight through — you can see where you'll end up. It's a good workaround to save yourself the redirect hell.
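The "look at where the URL actually goes" check in step 2 can be automated for the tell-tale signs in the two links above: a brand name stuffed into a subdomain of an unrelated domain, a fake login-style path, and a redirect parameter that hands the victim back to the real site afterwards. This is an added illustration, not code from The Onion's post; the brand table, the keyword lists and the two-label domain heuristic are my own simplifying assumptions.

```python
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Brands whose login pages lures commonly imitate, mapped to the domain that
# really serves them (assumption: a short illustrative table, not exhaustive).
BRAND_DOMAINS = {"google": "google.com", "washingtonpost": "washingtonpost.com"}
LOGIN_WORDS = ("login", "signin", "account")
REDIRECT_PARAMS = ("continue", "redirect", "url", "next", "return")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: no public-suffix list,
    so co.uk-style suffixes are not handled."""
    return ".".join(host.lower().split(".")[-2:])


def inspect_link(url: str, claimed_domain: Optional[str] = None) -> List[str]:
    """Return the reasons a link looks like a credential-phishing lure.
    claimed_domain is where the email *says* the link goes (if known)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    flags = []
    if claimed_domain and reg != claimed_domain:
        flags.append(f"claims {claimed_domain} but resolves to {reg}")
    # "googlecom.comeze.com": the brand is in the hostname, the domain is not.
    squashed = host.replace(".", "").replace("-", "")
    for brand, real in BRAND_DOMAINS.items():
        if brand in squashed and reg != real:
            flags.append(f"{brand} appears in hostname but domain is {reg}")
    # "/Service.Login" on a domain that is not a known brand's own domain.
    if any(w in parts.path.lower() for w in LOGIN_WORDS) and reg not in BRAND_DOMAINS.values():
        flags.append("login-style path on a non-brand domain")
    # "continue=https://mail.google.com/..." lands the victim on the real site
    # after the credentials are harvested, so the login "works" as expected.
    for key, values in parse_qs(parts.query).items():
        if key.lower() in REDIRECT_PARAMS:
            for value in values:
                target = urlsplit(value).hostname or ""
                if target and registrable_domain(target) != reg:
                    flags.append(f"{key}= sends the victim on to {target}")
    return flags
```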
3. Never, ever enter your username and password.
This is easier said than done. But even after getting you to click a link, the likes of the SEA hackers can only get access to, say, your Twitter account if you're like the two Onion staffers who clicked the link and then also entered their email addresses and passwords into what looked like a Google Accounts login box. Turns out one of the two had access to all The Onion's social media accounts. And the hack propagated from there. (Which also might be a reason not to save your important company-wide passwords in your Gmail account.)
The Onion's tell-all also suggests that other Syrian Electronic Army hacks — the AP, BBC Weather, 60 Minutes, and more — went down by way of similar, simple means. In fact, many of the media hacking attacks over the last six months, including those on The New York Times and The Wall Street Journal, were traced back to spear-phishing. It's pretty amateur stuff, but also pretty easy to fall for — so a little paranoia goes a long way. So does a little humor.