Satirical news publication The Onion had its Twitter account hacked by the Syrian Electronic Army recently. As with organizations such as the Associated Press, which suffered similar compromises in the past, the attack was successfully pulled off using phishing techniques.
To warn others, the tech team wrote a lengthy blog entry detailing how the phishing attack was done. The full details are in that entry, which outlines how the attack took place using three separate methods that eventually compromised five different employee accounts.
As noted by PC Magazine, one of the phishing messages “implored The Onion's reporters to ‘Please read the following article for its importance,’ with a link to what appeared to be a Washington Post story. The link, in fact, eventually redirected users to a bogus Google URL, which asked for Google Apps credentials.”
The blog entry also offered a number of steps that businesses can take to prevent similar attacks. Given that The Onion qualifies as a small and mid-sized business, I thought it would make perfect sense to pick the most pertinent tips and explain why they would work for SMBs seeking to better protect their social media accounts.
Educate users on phishing
The first piece of advice offered is to ensure that employees are properly educated on the dangers of phishing. Regardless of the purported origins of an email message, users should be suspicious of all URL links, especially if a login is ultimately required.
I have long advocated that computer users be equipped with a basic level of security knowledge to protect them against social engineering attempts. As phishing emerges as an increasingly popular choice for cyber attacks, users should be kept updated with information about new threat vectors and techniques.
Use a different email for official Twitter account
The email addresses for your Twitter accounts should be on a system that is isolated from your organization’s normal email, advised the tech team of The Onion. A special email address created specifically for managing social media accounts should work too.
The rationale here is simple and inescapable: Using a different email for a high-value social media account offers an additional layer of defense by preventing attackers from resetting its password from a compromised company account.
Manage Twitter activity using a third-party app
Finally, The Onion’s tech team recommends that businesses consider managing their Twitter activity through “an app of some kind, such as HootSuite.” Though it may appear counterintuitive, doing this actually frees users from having to regularly key in the account password, or even know what it is -- the latter scenario makes it impossible for the password to be phished.
While hackers gaining access to these third-party services can still be disastrous, it is a much easier problem to rectify than if a hacker gains total ownership of an account and changes the account password. In the latter case, it can take an SMB an unacceptable amount of time to reassert its legitimate ownership of the hijacked account.
Recent reports have indicated that Twitter is working on two-factor authentication. As security is increased for various online services in the near future, expect hackers to have a harder time with phishing attacks. Until that materializes, though, SMBs are well advised to take note of the above steps to protect their social media accounts.