Another day, another cyberattack by the Syrian Electronic Army. This time the hacktivist collective targeted The Financial Times, making a nuisance of itself by taking over several of the company’s Twitter accounts, as well as changing the titles of posts on The Financial Times‘ blog posts to “Hacked by the Syrian Electronic Army.” While the actions themselves are annoying, one message in particular crossed the line when it sent readers to a video of an execution.
The Syrian Electronic Army has attacked a variety of media companies, including CBS, The Guardian, E! Online, and even The Onion. Often times, the hackers take control of the company’s Twitter account(s) and use it/them to post messages, some of them coming across as nonsense, others as fake news (such as Justin Bieber coming out of the closet), and sometimes things of a more serious nature, such as the link to a video execution on YouTube posted on one of the Financial Times’ Twitter accounts.
The Financial Times confirmed the hacks to The New York Times in an email, according to the latter company. While the company didn’t specify how the hackers gained access to their system, there’s a good chance it was accomplished the same way its other breaches have been achieved, which was detailed by The Onion earlier this month.
According to a blog post published on May 10, The Onion’s attack was the result of a rather conventional phishing scheme that involved sending links to a few of the company’s employees. The links purported to be of an interesting story, but instead took the recipient to a page requesting Google Apps login information. When someone falls for the ruse, their email is then used to try to message other workers for additional login information.
When someone in possession of the company’s social media accounts takes the bait, the hackers can then log into the account, change the password, and begin wrecking havoc. A similar attack was performed on The Associated Press, with one of the hackers revealing that 50 of the company’s employees had revealed their login information. Such attacks reaffirm that companies should train their employees on how to recognize phishing attempts, as well as taking measures to reduce the amount of damage that can result if someone does provide their credentials.