

How the Syrian Electronic Army Hacked The Onion - srbloom
http://theonion.github.io/blog/2013/05/08/how-the-syrian-electronic-army-hacked-the-onion/

======
mjn
Google requiring you to enter your password at random times for random things
(e.g. to read a Google Groups message) seems like one contributing factor,
since people treat those prompts as routine noise, and are less likely to
investigate such a common occurrence too deeply.

~~~
shloime
I agree with this point. I retype my user information, even while logged in,
at least a few times a week.

~~~
mentat
That's odd because I never do. I'm using two-factor and I only have to retype
login information when that expires (approximately 30 days I believe.) Also,
someone did phish my Google cookies and Google immediately shutdown my account
and made me type in something from a text to reactivate my account. Overall
I'm pretty happy with both of those circumstances.

~~~
mjn
Good point; I wonder how many people take that approach. I personally tend to
log out of Gmail after I read my email, which signs me out of my Google
Account fairly regularly. But maybe that's an unusual use pattern.

~~~
5555624
I always log out of my Gmail account when I am done reading my e-mail, as
well. Until recently, when I've come across several people who stay logged in
all the time, I thought that was the 'normal' use pattern. Then again, I'm old
and "back in the day" you always logged out of an application/system when you
were done.

------
leeoniya
> "Please read the following article for its importance"

This immediately hit my brain's bayesian classifier like a ton of bricks. Or
as the saying goes, "If spammers ever learn proper English, god help us all."

* the English _is_ actually proper, but the wording is unusual

~~~
phillmv
It doesn't work for spear phishing, but for wide-ranging hits the broken
English is often on purpose:
<http://research.microsoft.com/pubs/167719/whyfromnigeria.pdf> ::
[http://www.onthemedia.org/2012/aug/31/why-nigerian-email-scams-work/transcript/](http://www.onthemedia.org/2012/aug/31/why-nigerian-email-scams-work/transcript/)

tldr: you have a lower number of leads but a higher conversion rate from those
that do respond.

~~~
meowface
I can see the logic here, but for something that's a one-and-done "click this
link and type in your credentials," I honestly think good spelling would add
to the legitimacy. So in The Onion's case I think it's just a matter of the
attackers not being good at English; if they were, I feel their success would
increase a bit.

------
pserwylo
I often think about creating a browser and email plugin/extension to help with
this:

- Look at all link tags.

- If it looks like a URL (has a scheme at the beginning, or something which
resembles a hostname, or a bunch of path or query parameters), inspect the
actual link.

- If they have different hosts, warn the user, and perhaps give them the
option of just visiting what the contents of the link tag say (rather than the
href attribute).

- Maybe do some magic with onclick events too.

I don't care that it won't be right 100% of the time. I don't care that
sometimes I'll be warned when in fact it is perfectly fine. What I do care about
is that when I click a link, I go to that link.

It would be quite helpful for attacks like this, but I'm also interested from
a privacy perspective.

Google, Facebook and others go to great lengths so that when you mouse over a
link, it looks like it will take you directly to the webpage it says it will,
but actually redirects via themselves first. I often find myself copying a url
from Facebook and pasting into the address bar, because I don't want them to
know which articles I read (yes, I know, if I'm that paranoid, I probably
shouldn't use Facebook, blah, blah).

~~~
danielweber
My brain is a bit fried, but what about a rule that "if the text contained in
the <a> tag is a FQDN, it should match the FQDN in the href exactly"?

What are the false positives?

~~~
plorkyeran
Things like Google results that go through a redirector for click tracking.

~~~
yebyen
So, another practice that should be highlighted and made to stop.
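The check pserwylo sketches and danielweber's exact-FQDN rule, as an added example that is not code from the thread or from The Onion's post: it compares the host a reader would infer from an anchor's visible text with the host its href actually goes to, and handles plorkyeran's false positive with an allowlist of known click-tracking redirectors whose real destination is unwrapped before comparing. The anchors are constructed rather than read from a live DOM, and `tracker.example` and its `u` parameter are hypothetical stand-ins for a real redirector.

```javascript
// Added example (not from the thread or The Onion's post): link-text vs. href
// mismatch check over constructed sample anchors. All names are assumptions.

// Does the visible text read like a URL (a scheme, or something hostname-shaped
// optionally followed by a path, query or port)?
const URL_LIKE = /^(?:[a-z][a-z0-9+.-]*:\/\/)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#:]|$)/i;
const HAS_SCHEME = /^[a-z][a-z0-9+.-]*:\/\//i;

function hostOf(urlString) {
  try { return new URL(urlString).hostname.toLowerCase(); } catch { return null; }
}

// Host a reader would infer from the anchor text; null when the text is not
// URL-like, so plain "click here" is never flagged by this rule.
function hostFromText(text) {
  const t = text.trim();
  if (!URL_LIKE.test(t)) return null;
  return hostOf(HAS_SCHEME.test(t) ? t : "http://" + t);
}

// Constructed allowlist of click-tracking redirectors (plorkyeran's false
// positive): redirector host -> query parameter holding the real destination.
// "tracker.example" and "u" are hypothetical.
const REDIRECTORS = { "tracker.example": "u" };

// Destination host after unwrapping one level of a known redirector.
function effectiveHost(href) {
  let u;
  try { u = new URL(href); } catch { return null; }
  const host = u.hostname.toLowerCase();
  const param = REDIRECTORS[host];
  const target = param ? u.searchParams.get(param) : null;
  return target ? hostOf(target) : host;
}

// danielweber's rule: if the text names a host, it must equal the href's host
// exactly, so "mail.google.com.evil.example" does not pass for "mail.google.com".
function checkAnchor({ text, href }) {
  const textHost = hostFromText(text);
  const hrefHost = effectiveHost(href);
  const verdict = textHost === null || hrefHost === null || textHost === hrefHost
    ? "ok" : "mismatch";
  return { verdict, textHost, hrefHost };
}

function findMismatches(anchors) {
  return anchors.filter(a => checkAnchor(a).verdict === "mismatch");
}

// In an extension these would come from document.querySelectorAll("a[href]") as
// [{ text: a.textContent, href: a.href }]; here they are constructed samples.
const SAMPLE_ANCHORS = [
  { text: "https://mail.google.com/", href: "https://mail.google.com/mail/u/0/" },
  { text: "https://mail.google.com/", href: "http://mail.google.com.evil.example/login" },
  { text: "click here", href: "http://somewhere.example/" },
  { text: "www.washingtonpost.com",
    href: "http://tracker.example/r?u=https%3A%2F%2Fwww.washingtonpost.com%2Fstory" },
  { text: "www.washingtonpost.com",
    href: "http://tracker.example/r?u=http%3A%2F%2Fphish.example%2F" },
];

for (const a of SAMPLE_ANCHORS) {
  const r = checkAnchor(a);
  console.log(r.verdict.padEnd(8), "|", a.text, "->", a.href);
}
```

Of the five samples, only the look-alike host and the redirector that points somewhere other than what the text says are reported; the redirector whose unwrapped destination matches the text passes, which is the behaviour pserwylo asked for (warn on a real discrepancy, accept the occasional false positive for unlisted redirectors).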

------
tptacek
You can imagine the tech team at the Onion feeling a race against time before
their editorial team managed to so infuriate the attackers that the situation
got out of control.

~~~
srbloom
Accurate. On one hand, we didn't want to fuel the fire, but on the other, that
inflammatory article forced the attacker to reveal their hand. So it was
actually to our benefit, strangely enough.

------
cantlin
Broadly speaking this is just what happened to us at The Guardian.

Our major takeaways have been a drive to 2FA-by-default for all users, and a
move to managing social accounts through intermediaries like HootSuite.

------
ben1040
One more reason to use 2FA on your Google Apps account.

~~~
RegEx
2FA is great, but it wouldn't save you here if you ask it to remember you for
30 days.

~~~
ben1040
It would have stopped someone from using a phished GApps credential from
logging in to Google using it, though.

It sounds like one prong of the attack was to gain access to one employee's
email, then use that account to send phishing emails to other employees. 2FA
would have stopped that.

~~~
err_badprocrast
I wonder if it would be possible to phish 2factor while you're at it...
Something like:

1- get target to enter google credentials

2- log into target's account using those credentials with a proxy/controlled
IP that shows up nearby in geoip DBs

3- display a credible message, asking for 2factor code (something something
DHCP something something more buzzwords - dummy mode on)

Any reason this wouldn't work?

------
DigitalJack
This is almost verbatim to the spear phishing email that allowed the AP
twitter account to be compromised.

[http://jimromenesko.com/2013/04/23/ap-warned-staffers-just-before-ap-was-hacked/](http://jimromenesko.com/2013/04/23/ap-warned-staffers-just-before-ap-was-hacked/)

------
jrochkind1
An interesting story.

> The email addresses for your twitter accounts should be on a system that is
> isolated from your organization’s normal email. This will make your Twitter
> accounts virtually invulnerable to phishing (providing that you’re using
> unique, strong passwords for every account).

That doesn't make a lot of sense. Sure, now your twitter account is somewhat
protected against phishing (I think 'invulnerable' is a bit too confident,
even with 'virtually' added as qualifier).

But what about any other possible account? So now you say every single other
possible account related to your business should be associated with an email
address isolated from normal email, to protect them from phishing. Right?

Okay, so what is the 'normal email' again? You've just decided to split
all your email amongst as many disparate systems as possible, to protect
against phishing... which I guess it sort of does, but at cost of so much
confusion that you've probably opened yourself up to something else.

Unless twitter alone is so high value to protect in this way?

Or am I missing something?

~~~
csinchok
Our point there was this: the type of phishing that caught us was pretty
casual, and aimed at users who weren't very technically sophisticated, and
those users shouldn't have had access to our twitter accounts.

The proposed solution is certainly pretty drastic, but when it comes to
securing twitter accounts, there aren't a lot of options. The safest one I can
see is to connect the accounts to an email address that isn't part of our
google apps organization, as that is the common attack vector here.

Our twitter accounts _are_ a high value resource, and are pretty hard to
protect. We have almost 5 million followers, and two factor authentication
isn't even an option. Once hackers change the email address on the account, we
lose all access until we can get in touch with someone at Twitter (which takes
a while, even for us).

~~~
mkm416
There's a potential non-technical problem with that solution, though - what
happens when the person who controls that email address leaves the company,
especially if they leave on bad terms? I've had to deal with figuring out the
mystery email that was connected to a corporate social media account, and it
was a hellish bureaucratic nightmare to find the social media intern from
three summers ago who had the password for the throwaway email. If it had been
an email from our corporate domain, it would have been a lot easier to gain
control of it again.

(What I would have given for a physical, printed list of social media
accounts, associated emails, and passwords hidden in a file drawer somewhere.)

------
bjhoops1
Wait, did The Onion actually get hacked? I just assumed that was a joke.
Now I'm confused...

~~~
mafro
Notice that the Onion Tech Blog is an entirely new site with a single post.
Presumably because if this was posted on theonion.com no one would've believed
it.

~~~
bjhoops1
That's wild. Yeah, I read both of the Syrian Electronic Army articles, but it
never occurred to me they had actually been targeted. That makes a "SEA has
some fun before their inevitable deaths" a bit cruel perhaps. Since that could
very well happen.

------
dsaber
I assume the email was in HTML where the link's href was pointing to something
different than what the text is. Couldn't gmail easily detect this discrepancy
and warn the user that this is potentially a phishing attempt?

------
Groxx
I'm not sure what happened here:

> _... which asked for Google Apps credentials before redirecting to the Gmail
> inbox._

followed by:

> _Coming from a trusted address, many staff members clicked the link, but
> most refrained from entering their login credentials._

Does this mean "[asking] for Google Apps credentials" should be read as "put
in their Google username and password", or should it be "gave the site OAuth
access to their Google account"?

I'm a bit curious, because it _sounds_ like they set up a Google Apps app that
sent phishing emails from the first-round-phished accounts to others in the
company, so it looked more legit, but this second-round email was _not_ the
same as the first. I haven't heard of that trick before, but it's clever, and
probably hard to work around.

But if they actually entered their user/pass, there's an easy solution. USE A
PASSWORD MANAGER. Kills phishing dead, since it won't auto-fill on the wrong
domain.

------
mseebach
> The email addresses for your twitter accounts should be on a system that is
> isolated from your organization’s normal email. This will make your Twitter
> accounts virtually invulnerable to phishing (providing that you’re using
> unique, strong passwords for every account).

This, of course, is an artefact of the well-known, old problem of your email
being the single point of failure for your entire online identity.

Google might be able to do something to help here: Surely, they can detect
with high reliability if a given email contains a password reset link, and
trigger an extra challenge. I'm not sure what it should be, as obviously the
account password isn't going to cut it. It could really just be a very short
PIN-style code for opening "sensitive" email.

------
wyck
I thought it would be something interesting given the title... nope, just
something you see in your email every day. Maybe the Onion's next move should
be to invest with a Nigerian prince.

I will forward this post to my grandfather with "Don’t let this happen to you"
in bold.

/onion

~~~
DigitalJack
When an email looks like it came from someone you know, and says something
like:

"hey, check this out: <http://blah.com> "

and has their name at the bottom, it becomes very easy to make a mistake.

------
diziet
It's really cool to see The Onion hosting on github and using Octopress for
blogging.

------
cjensen
Yet another reason to use a password plugin like 1Password or Keepass or
whatever: because they memorize password-per-domain, they do not attempt to
fill in a password when the domain is merely similar to a known domain.
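The per-domain matching cjensen credits password managers with, as an added example that is not 1Password's or KeePass's code: a deliberately weak "similar domain" matcher beside the strict one, run against a constructed vault entry and a few constructed look-alike sign-in pages. The vault contents, the `theonion.example` username and the page URLs are all made up for the example.

```javascript
// Added example, not a password manager's real code: strict vs. loose site
// matching for autofill. Vault and page URLs are constructed.

// Constructed vault entry; the site is stored as a full origin, not a bare name.
const VAULT = [
  { site: "https://accounts.google.com",
    username: "editor@theonion.example",
    password: "placeholder-not-a-real-secret" },
];

function hostOf(urlString) {
  try { return new URL(urlString).hostname.toLowerCase(); } catch { return null; }
}

// Weak matcher: fills whenever the saved host appears anywhere inside the page
// host. This is the "merely similar" mistake: it happily fills on
// accounts.google.com.evil.example because the saved host is a substring of it.
function looseMatch(pageUrl, entry) {
  const page = hostOf(pageUrl), saved = hostOf(entry.site);
  return page !== null && saved !== null && page.includes(saved);
}

// Strict matcher: the page host must equal the saved host exactly and the scheme
// must match, so an extra label, a changed letter, or an http downgrade all fail.
function strictMatch(pageUrl, entry) {
  let page, saved;
  try { page = new URL(pageUrl); saved = new URL(entry.site); } catch { return false; }
  return page.protocol === saved.protocol &&
    page.hostname.toLowerCase() === saved.hostname.toLowerCase();
}

// Credentials the manager would offer for a page under a given matcher.
function credentialsFor(pageUrl, matcher = strictMatch) {
  return VAULT.filter(e => matcher(pageUrl, e));
}

// Constructed pages: the real sign-in page and three look-alikes.
const PAGES = [
  "https://accounts.google.com/signin/v2/identifier",
  "https://accounts.google.com.evil.example/signin",
  "https://accounts-google.com/signin",
  "http://accounts.google.com/signin",
];

for (const p of PAGES) {
  console.log(p.padEnd(52),
    "| loose fills:", credentialsFor(p, looseMatch).length,
    "| strict fills:", credentialsFor(p).length);
}
```

Only the first page gets a credential under the strict matcher; the loose matcher also offers it on the subdomain look-alike and on the plain-http copy, which is exactly the fill a phishing page is hoping for.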

------
swombat
It's good to see that the Syrian regime has its priorities well thought
through (assuming this has anything to do with Syria). First, hack the Onion.
Then, fight off the rebels.

------
kcorbitt
I got several paragraphs into this writeup before I realized it wasn't just an
Onion spoof of the once-a-day "anatomy of a hack" articles that come through
here. :P

------
danso
The points in this blog post are good...but how about something more basic:
__Never log in after clicking through an email link__

~~~
CyberDroiD
Why would you ever click on an e-mail link?

No wonder! I was wondering what the problem was, and it appears to be PEBKAC.

------
quackerhacker
don't credit them and say this is a hack....it's just phishing.

------
CyberDroiD
I think it is _hilarious_ that people still click on links in e-mails.

Just go to the website directly via a URL. Don't ever click on links in
e-mails. Once you learn this, you're much safer.

~~~
dmdeller
People do what they're told. Or more accurately, they do the last thing
they're told.

The IT department yells at them not to click any links in emails. But then,
every legitimate web site also still routinely sends emails instructing their
users to click links within.

