How the Syrian Electronic Army Hacked The Onion
The Syrian Electronic Army has been busy lately. The group, which has unofficial ties to the Syrian government, has hacked several news sites in the past few weeks.
This week, the SEA hit a different kind of outlet: the satirical news website The Onion, which, unlike the SEA's other recent targets, had no qualms about publicly fighting back—or sharing how it was done.
The attack began on May 3, when several Onion employees received emails that seemed to link to the Washington Post but which, if clicked, actually redirected to a site that prompted users to sign in using their Google Apps credentials. Anyone who did so was essentially handing over their usernames and passwords to the SEA.
This type of attack is called phishing, because it involves baiting users with false login pages and hoping people will "bite" by entering their confidential data.
With the passwords acquired from this first attack, the SEA was able to use an Onion employee's email address to "phish" even more employees, who clicked on the bait links and entered their information because they thought it had been sent by a co-worker.
The accounts acquired in this phase of the attack gave the SEA access to The Onion's Twitter accounts, where they posted messages like the poorly spelled "Syrian Electronic Army was Heere."
Here's where the fun starts: Once they realized what was happening, The Onion wasted no time in writing about it. The SEA took offense to one piece in particular, "Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Deaths At Hands Of Rebels," for obvious reasons.
In retaliation, the SEA used The Onion's Twitter account to post a series of anti-Semitic and pro-Syrian government messages.
At this point, The Onion's tech team stopped trying to identify the compromised accounts and simply forced a hard reset of all company passwords and login credentials, thus ending the SEA's control.
According to the tech team, the attacks originated from the IP address 188.8.131.52, which is also where the SEA hosts a website.
On April 23, the SEA took control of The Associated Press' Twitter account via similar means, tweeting "Two Explosions in the White House and Barack Obama is injured." The Dow Jones plummeted before this alarming tweet was revealed to be false.
The Onion's writers remained in good humor after their attack, posting a follow-up piece titled "Onion Twitter Password Changed to OnionMan77: 'That Ought To Do It,' Company Sources Confirm."
The joke is that "OnionMan77" is a terrible password. Because it is built from common English words, it's vulnerable to what's called a "dictionary attack," in which a computer program tries to crack a password by systematically entering every word in the dictionary. That's why it's safer to use seemingly random combinations of letters, numbers and special characters in your password.
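To put a number on why "OnionMan77" is weak, here is an added example (not from The Onion's report or the original article) that estimates how much guessing work a password takes when it is made of dictionary words plus trailing digits, compared with a random string of the same length. It goes slightly beyond the single-word case described above by also covering word combinations and digit suffixes; the wordlist, the assumed dictionary size of 100,000 and all function names are assumptions made for the illustration.

```python
import math
import re

# Constructed sample wordlist; a real audit would load a large list of
# common words and previously leaked passwords.
SAMPLE_WORDS = {"onion", "man", "news", "army", "twitter", "password"}
ASSUMED_DICT_SIZE = 100_000   # assumption: size of a guesser's wordlist
PRINTABLE = 94                # printable ASCII symbols, for the random baseline

def split_into_words(text, words):
    """Return the shortest split of text into dictionary words, or None."""
    text = text.lower()
    best = {0: []}            # best[i] = fewest words covering text[:i]
    for end in range(1, len(text) + 1):
        for start in range(end):
            if start in best and text[start:end] in words:
                candidate = best[start] + [text[start:end]]
                if end not in best or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best.get(len(text))

def strength_bits(password, words=SAMPLE_WORDS):
    """Return (pattern_bits, random_bits) for a password.

    pattern_bits models a guesser that tries dictionary words, each in
    lower case or Capitalised, followed by a run of digits. random_bits
    is what the same length would give if every character were random.
    """
    random_bits = len(password) * math.log2(PRINTABLE)
    match = re.fullmatch(r"([A-Za-z]+)(\d*)", password)
    parts = split_into_words(match.group(1), words) if match else None
    if parts is None:
        return random_bits, random_bits   # no dictionary structure found
    guesses = (ASSUMED_DICT_SIZE * 2) ** len(parts) * 10 ** len(match.group(2))
    return math.log2(guesses), random_bits

if __name__ == "__main__":
    for pw in ("OnionMan77", "q7#Vz!p2Lw"):
        pattern, rand = strength_bits(pw)
        print(f"{pw}: ~{pattern:.1f} bits as a pattern, {rand:.1f} bits if random")
```

Under these assumptions the two-words-plus-two-digits pattern is worth about 42 bits, while ten truly random printable characters are worth about 65.5 bits, a gap of roughly ten million times in guessing effort.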
The other lesson to take from the SEA's recent attacks is to always be skeptical of links that ask for login credentials, even if they come from what appears to be a trusted source.
You can read The Onion tech team's full report here.