Satirical news site The Onion has a reputation for fooling people with its outrageous fake headlines, but earlier this month, it was The Onion’s turn to get tricked. It may not be the Associated Press, but The Onion’s Twitter feed has more than 4 million followers, and that’s undoubtedly part of why the SEA targeted it in another phishing scam that led to that account getting compromised. As it had previously, the SEA used the opportunity to post its own damaging tweets before order was restored (although one questions the wisdom of crafting fake posts for an organization known for being sarcastic anyway).
On its official tech blog, The Onion gave a detailed description of how the hack took place.
- First, the SEA sent emails with disguised links to different members of the organization; these links redirected users to a fake prompt to enter login information. Although the blog reports that most didn’t fall for the scam, at least one apparently did, and that was all it took.
- The hackers then used that employee’s account to send the phishing email to more Onion staff members. That email, seeming more credible coming from a trusted account, got a lot more employees to click.
- Two of those employees fell for the request to enter login information, but one of those two had access to all of the Onion’s social media accounts.
- Using that login information, the hackers had the key they needed to start tweeting fake information as The Onion.
- Even after The Onion adjusted its password, the SEA was able to strike again and phish a few more employees, despite efforts to kick out the intruders.
A Crash Course in Anti-Fraud Phishing Training
- If you don’t recognize the sender, or are suspicious, don’t click on any links in emails or social media posts. If it comes from an unidentified source or seems suspicious, tell everyone in your network not to click.
- Use the Hover Technique: when you hover over the link or the image with an embedded link, does the URL match the place where you think you are going? For example, if it looks like you should be going to The Washington Post but when you hover over the link it reads something entirely different, you know that you will likely be redirected to a website that will either request that you fill in confidential information or will install malware on your system.
- Confirm the supposed source. If a link looks dodgy but comes from a trusted email contact like a co-worker, send a separate message in reply or call to confirm.
- Use a social media aggregator app like HootSuite, as those programs allow you to restrict user-based access and control the damage more quickly. It also keeps the hacker from taking over total control of the account.
- Don’t use company email addresses to register your Twitter or other social media accounts. By using a separate email (e.g., a Gmail account setup only for the purpose of that one social networking account), you quickly limit the damage creep of registering everything with a single, organization-based email.
- Make sure you are using long, strong and site-specific passwords for every account.
- Move site to a new web address every few minutes.**
- Reduce interest in your website by avoiding popular subjects.***
- If you receive an email asking for your password, dig deeper by entering information.****
[**This is impossible.]
[***This is inadvisable if you want anybody to read your site.]
[****No, no, no, no, no.]
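The Hover Technique above can be automated for a mail gateway or awareness tool: flag any link whose visible text names one site while its href points to another. The following is an added example, not code from the original post or from The Onion; the HTML message body and the domains in it are constructed for illustration.

```python
"""Automated hover check: flag links whose visible text and href disagree."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (hypothetical domains): one honest link, one
# lookalike whose visible text looks right but whose href goes elsewhere.
SAMPLE_HTML = """
<p>Story: <a href="https://www.washingtonpost.com/story">www.washingtonpost.com</a></p>
<p>Log in: <a href="http://login-washingtonpost.example.net/auth">https://www.washingtonpost.com/login</a></p>
<p><a href="https://www.theonion.com/">Read more</a></p>
"""

def registrable_domain(netloc: str) -> str:
    """Crude last-two-labels comparison (no public-suffix list); adequate here."""
    return ".".join(netloc.lower().split(":")[0].split(".")[-2:])

def host_of(text: str) -> str:
    """Host named by a URL or bare domain in the link text, or '' if it names none."""
    text = text.strip()
    if "://" not in text:
        text = "https://" + text
    host = urlparse(text).netloc
    return host if "." in host else ""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def mismatched_links(html: str) -> list:
    """Return (href, text) pairs where the text names a different site than the href."""
    p = LinkCollector()
    p.feed(html)
    out = []
    for href, text in p.links:
        shown = host_of(text)
        if shown and registrable_domain(shown) != registrable_domain(urlparse(href).netloc):
            out.append((href, text))
    return out

if __name__ == "__main__":
    for href, text in mismatched_links(SAMPLE_HTML):
        print(f"SUSPICIOUS: text says {text!r} but link goes to {href}")
```

Links whose text is plain prose ("Read more") are not judged, since there is no claimed destination to compare; a hover check on those still depends on the reader.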
Luckily, The Onion caught the breach fairly quickly before too much damage was done. It was then in a unique position to respond and was soon back to doing what it does best—cracking jokes about the incident. Without anti-fraud training, your company might not be so lucky and it won’t be a laughing matter.