On May 6th, a hacktivist group going by the name Syrian Electronic Army (SEA) hacked The Onion. After amusing us with a series of satirical fake-news articles and associated tweets, it seems the joke was on them for once.
However, while the Onion's Twitter accounts are a rather juicy target because of the number of followers (who nevertheless have limits to their credulity), the attack was so simple and repeatable that it makes one wonder how vulnerable we all are to similar attacks.
This article on Ars Technica lays out the details. A simple phishing email to Onion staffers linked to a bogus news website. Sure enough, someone fell for it, giving up his or her Google Apps login. The hackers then sent staffers another phishing email from the compromised account, snaring two more staffers who provided their login credentials, one of whom had access to all of the social media accounts.
We'd like to think Onion staffers are smarter than your average bear. They are worldly, intelligent people familiar with the ins and outs of social media and associated risks, right? Sure they are. What about your colleagues? Think about everyone in your organization. Would any of them click a benign link to a news article, and then provide login credentials? Would any of them fall for an email from a trusted email account in your organization?
The SEA's goal was to send anti-Obama propaganda. A minor inconvenience, considering Fox News has been doing the same for a decade now. But what about your organization? What damage could a successful phishing attack cause?