The Onion, a satire publication known for its humorous too-close-to-home headlines, was hacked on Monday. The group taking credit for the attack, the Syrian Electronic Army (SEA), managed to do so through common phishing attacks.
It wasn't the first time the group has hacked a major news-oriented organization. The group has also hacked the Twitter accounts of The Associated Press, the BBC and CBS, among others. The pro-Syrian government SEA, as it has done with other news organizations, posted several anti-Israeli and anti-rebel messages to The Onion's Twitter feed.
On Wednesday, The Onion's tech team carefully explained how the SEA compromised the publication.
The hackers started sending Onion employees emails with corrupted links in early May. The emails claimed to link to a Washington Post article relevant to The Onion, but they didn't. The links redirected employees to a corrupted website asking employees for their Google Apps credentials. At least one Onion employee fell for the attack.
With that employee's credentials the SEA sent another email, this time from an Onion email account, to other staff members. Believing the email was from a trusted source, Onion staff members followed the link contained within the email. The link again asked for login credentials, which caused many employees to turn away.
But two employees didn't turn away and entered their credentials. One of those two staffers had access to all of The Onion's social media accounts.
At this point The Onion's IT team discovered one of the compromised accounts and sent a company-wide email asking employees to change their passwords. In turn, the SEA sent another email, emulating the one sent by The Onion's IT team, with a link to a page allegedly letting staffers change their password. That email excluded the IT team, and went undetected.
When The Onion's staff published articles mocking the SEA, the SEA began publishing editorial emails on its Twitter feed. At this point the IT team decided to force a password reset on each staff member's Google Apps account.
All told, five accounts were compromised by the SEA. The Onion's IT team published a short list of tips to avoid a hacking attack like the one carried out by the SEA. The tips include being educated about common phishing techniques; using third-party applications, like HootSuite or TweetDeck, to post tweets; and using an email address separate from a given organization's normal email for a Twitter profile.
"Apart from increased security on sites like Twitter, there seems to be little that can be done to prevent the Syrian Electronic Army's attacks," Jillian York writes for Slate. "Though some members may be located outside of Syria -- one Facebook group calls itself the Australian 4th Brigade of the SEA -- and could thus be prosecuted under local laws, there is not much that can be done to go after hackers inside of Syria, particularly given the regime's apparent support."
Syria's civil war, currently ongoing, has divided the country between pro-government forces, rallying behind President Bashar al-Assad, and a collection of rebel forces. The conflict has claimed well over 70,000 lives in its two years, and threatens to evolve into a regional conflict.