It seems high-profile social media hacks are all the rage. The organization taking credit for some of them, including the attack last week on The Onion, calls itself the Syrian Electronic Army (SEA). The Onion, for the few who don’t know, is a satirical news site that specializes in funny fake news stories. So it’s not surprising that some people doubted they’d been hacked at all – coming as it did on the heels of the AP Twitter attack. However, The Onion hacking gained credibility after they wrote about it on their technical blog – one that’s not as widely visited as their main news site.
Even more surprising, SEA wasn’t using some next-generation hacking technique that makes stopping these attempts so challenging – they used good, old-fashioned phishing! Phishing and its close relatives spear-phishing and whaling have been around since the 90’s. They are tried and true methods that remind us of our vulnerability and caution us to remain vigilant.
According to The Onion blog, SEA phished Onion employees’ Google Apps using 3 different methods:
- First, they sent out phishing emails to some Onion employees, but only a few so as not to raise suspicions, asking them to read a Washington Post story. Those who clicked on the link were redirected to a URL where they were asked to enter their Google credentials. One Onion employee fell for this stage of the attack.
- Once they gained access to the employee’s account, they used it to send emails to other Onion employees. Now they had their phishing emails coming from a known sender, increasing the odds someone would respond.
- Two employees entered their credentials and one of them had access to all of The Onion’s social media accounts, and the rest is history.
Read the entire blog
In their blog about these events, The Onion included some tips under “Don’t let this happen to you”, including, educating users to be wary of links that lead to login requests; isolating Twitter email addresses from other organizational email; using strong passwords; and having a way to reach your users outside the organization’s internal email accounts.
However, another critical component of effective security measures is technology that can mitigate risks before they turn into damaging breaches. EdgeWave has solutions that offer multi-layered protection against the risks associated with social media in the workplace as well as award-winning solutions that defend against email-borne threats. EdgeWave Social offers granular control over social media interactions that allows you to monitor and block content based on policies and rules you establish. You can use the templates included in the solution or write your own unlimited rules. EdgeWave’s ePrism Email Security includes proprietary Zero Minute Defense, which can detect and block spam, malware and phishing exploits in close to real time.