New vulnerabilities exposed in cyberwar attacks

From Details Emerge About Syrian Electronic Army’s Recent Exploits, on the Bits Blog of The New York Times, by Nick Bilton and Nicole Perlroth:

This week, after the parody site became the latest publication to have its Twitter account hacked by the Syrian Electronic Army, The Onion took a more serious note, explaining in a detailed blog post how the company’s account was hacked, and warning others how to avoid the exploit.

In the blog post, Onion engineers explained that the company’s Twitter account was hacked using a basic phishing exploit, where a false e-mail redirected people to a fake Web site which then asked for Google Apps credentials.

“At least one Onion employee fell for this phase of the phishing attack,” the company said.

Exposing details about an attack is not the normal approach companies take after they are hacked. The New York Times revealed earlier this year how Chinese hackers breached its systems, but that was an anomaly. Most companies fear what such disclosures will do to their reputations, or their stock price.

The Associated Press, for example, has remained silent after its Twitter account was hijacked and a fake message was posted about explosions at the White House.

In recent attacks on The A.P., Human Rights Watch, and the Onion, the group used sophisticated “spearphishing” attacks to break into each organization. Employees received similarly worded e-mails, asking them to click on a fake news article that then redirected them to a fake Google Mail or Microsoft Webmail site where they were asked to re-enter their username and password.

The hackers used their login credentials to send e-mails to other employees from their inboxes until they found people with access to the organization’s social media accounts. Once inside those people’s inboxes, the hackers reset their Twitter passwords, giving them exclusive access to the account, until Twitter could suspend it. In the case of The A.P., a single Tweet was sufficient to nearly crash the stock market.

One hacker, who identifies himself only by his hacker handle Th3 Pr0, said the group attacked The A.P. because the Syrian Electronic Army believed the United States was “supporting the terrorist groups in Syria” and because the United States had seized its Web domains. Th3 Pr0 said the group was able to trick more than 50 A.P. employees to click on its malicious link, including a handful of the organization’s social media editors. Th3 Pr0 sent The New York Times several screenshots taken during the AP attack to prove the Syrian Electronic Army, or S.E.A., was behind it.
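The attack chain the article describes (a link that claims to be a news story, a redirect, and then a look-alike Google or Microsoft sign-in page) is something a mail gateway or a cautious employee can check for mechanically. The script below is an added example written for this post; it is not code from The New York Times, The Onion, or the S.E.A. analysis. The e-mail body, the redirect map, the "does this page ask for a password" table and the allow-list of legitimate sign-in hosts are all constructed for illustration (no real URLs from the attack are known here), and a real deployment would replace the two dictionaries with an actual HTTP client and page inspection.

```python
"""Audit links in an e-mail for the spearphishing pattern described above.

Added example (not from the article or the organizations it names).
Constructed inputs: PHISH_EMAIL, REDIRECTS, ASKS_FOR_PASSWORD, LEGIT_LOGIN_HOSTS.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts on which a Google or Microsoft sign-in page may legitimately
# ask for a password. An organization would maintain this list itself.
LEGIT_LOGIN_HOSTS = {
    "accounts.google.com",
    "login.microsoftonline.com",
    "login.live.com",
}

# Constructed redirect chain standing in for what an HTTP client would observe:
# each key answers with a redirect to its value. Hosts are reserved example domains.
REDIRECTS = {
    "http://news-article.example.com/story/123":
        "http://mail-login.example.net/ServiceLogin",
}

# Constructed landing-page inspection results: does the final page present a
# password form? A real implementation would fetch and inspect the page.
ASKS_FOR_PASSWORD = {
    "http://mail-login.example.net/ServiceLogin": True,
    "https://www.example.org/real-story": False,
}


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def follow(url, redirects=REDIRECTS, max_hops=10):
    """Return (final_url, chain) after following the constructed redirect map."""
    chain = [url]
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        chain.append(url)
    return url, chain


def audit_links(html, redirects=REDIRECTS, landing=ASKS_FOR_PASSWORD):
    """Flag each link that (1) shows one host but links to another,
    (2) ends on a password prompt outside the allow-list, or (3) redirects."""
    findings = []
    for href, text in extract_links(html):
        final, chain = follow(href, redirects)
        host = (urlparse(final).hostname or "").lower()
        reasons = []
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and shown.group(1).lower() != (urlparse(href).hostname or "").lower():
            reasons.append("display text shows a different host than the link target")
        if landing.get(final, False) and host not in LEGIT_LOGIN_HOSTS:
            reasons.append("credential prompt on untrusted host " + host)
        if len(chain) > 1:
            reasons.append("redirected %d time(s) before landing" % (len(chain) - 1))
        findings.append({"href": href, "final": final, "host": host, "reasons": reasons})
    return findings


# Constructed e-mail in the style the article describes: the first link looks
# like a news story but lands on a fake webmail login; the second is genuine.
PHISH_EMAIL = """
<p>Did you see this? <a href="http://news-article.example.com/story/123">http://www.example.org/real-story</a></p>
<p>Also: <a href="https://www.example.org/real-story">the real story</a></p>
"""

if __name__ == "__main__":
    for f in audit_links(PHISH_EMAIL):
        print(f["href"], "->", f["final"], f["reasons"] or "ok")
```

Run as a script it prints one line per link; the first is flagged on all three counts, the second is clean. The decisive check is the second one: a page that asks for a Google or Microsoft password on a host that is not that provider's own is the fingerprint of this attack regardless of how convincing the page looks.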

What inferences should we reach? Apart from security measures, perhaps a healthy dose of skepticism, and a desire to be right rather than first, might make these attacks less damaging. To the extent that day traders rely on Twitter, market forces may resolve the issue without any assistance.