Following the Syrian Electronic Army's recent takeover of the Twitter feed for the satirical newspaper The Onion, members of the newspaper's tech team have published a blog post explaining how the takeover was accomplished (h/t Sophos).
Around May 3, Onion employees began receiving phishing e-mails that appeared to link to an article in the Washington Post. Instead, the link redirected the victim to a compromised page that asked for the user's Google Apps credentials before redirecting them to their Gmail inbox.
"These emails were sent from strange, outside addresses, and they were sent to few enough employees to appear as just random noise rather than a targeted attack," the post states. "At least one Onion employee fell for this phase of the phishing attack."
The attackers then used that employee's compromised e-mail account to send the same e-mail to other staff members. Because the e-mail came from a trusted e-mail address, more staff members clicked on the link this time, and two entered their login credentials. One of those users had access to all of The Onion's social media accounts.
The newspaper's tech team then responded by sending a companywide e-mail asking all users to change their passwords -- but the attacker immediately used another compromised account to send a near-identical password-reset e-mail that linked to the same phishing page once again. The legitimate warning had, in effect, handed the attacker a ready-made lure.
"This dupe email was not sent to any member of the tech or IT teams, so it went undetected," the post states. "This third and final phishing attack compromised at least 2 more accounts. One of these accounts was used to continue owning our Twitter account."
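Two of the lures described above are detectable from the message body alone: a link whose visible text names one site (the Washington Post) while its href points at another host, and a "change your password" message that carries a link to do so on a host outside the organization's own. The following scanner is an added example written for this page; it is not code from The Onion's tech team or from the article. The sample messages are constructed to mirror the three waves, the hostnames in them are placeholders, and the trusted-domain set is an assumption (Google Apps is only named by the article as the credential target).

```python
"""Flag two e-mail phishing patterns from the Onion incident.

Added example, not the original post's code. The messages below are
constructed for illustration; example.net hosts are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def base_domain(host):
    """Crude registrable domain (last two labels). Adequate for the sample;
    use a public-suffix list for real mail."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


# A hostname written out in link text, e.g. "www.washingtonpost.com/story".
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def mismatched_links(html):
    """Links whose visible text names one domain but whose href goes to
    another (wave 1 and 2: a 'Washington Post' link that went elsewhere).
    Only fires when the anchor text itself contains a hostname."""
    hits = []
    for href, text in extract_links(html):
        target = urlsplit(href).hostname or ""
        shown = HOST_RE.search(text)
        if shown and base_domain(shown.group(1)) != base_domain(target):
            hits.append((text, href))
    return hits


RESET_RE = re.compile(r"\b(change|reset|update)\b.{0,40}\bpassword\b", re.I | re.S)


def reset_lure(html, trusted_domains):
    """True when a message asks for a password change AND links outside the
    trusted domains to do it (wave 3: the attacker's copy of IT's notice).
    A real reset notice should carry no link: tell people to open the site
    themselves."""
    plain = re.sub(r"<[^>]+>", " ", html)
    if not RESET_RE.search(plain):
        return False
    for href, _ in extract_links(html):
        host = urlsplit(href).hostname or ""
        if base_domain(host) not in trusted_domains:
            return True
    return False


# Constructed samples modelled on the incident, not the real messages.
TRUSTED = {"google.com"}  # assumed: the company's Google Apps login hosts
WAVE1 = ('<p>Thought you would like this:</p>'
         '<a href="http://news-redirect.example.net/r?to=washingtonpost">'
         'www.washingtonpost.com/world/2013/05/story</a>')
REAL_RESET = ('<p>IT here: please change your password today. '
              'Open Gmail yourself and use Settings.</p>')
DUPE_RESET = ('<p>IT here: please change your password today using this link:</p>'
              '<a href="http://gapps-login.example.net/">Change password</a>')

if __name__ == "__main__":
    print("wave 1 mismatches:", mismatched_links(WAVE1))
    print("real reset is a lure:", reset_lure(REAL_RESET, TRUSTED))
    print("dupe reset is a lure:", reset_lure(DUPE_RESET, TRUSTED))
```

The second check encodes the practical lesson of the third wave: a password-change notice that contains a link is indistinguishable from the attacker's copy, so the legitimate one should contain none.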