Twitter has warned media companies that attacks on their official Twitter accounts are liable to continue, after Britain’s Guardian newspaper became the latest high-profile news site to fall victim. Twitter says the attacks are the result of spear-phishing, and has sent out guidelines to help companies resist such attacks.
Twitter sent out an email to news sites which said, “There have been several recent incidents of high-profile news and media Twitter handles being compromised. We believe that these attacks will continue, and that news and media organizations will continue to be high value targets to hackers. These incidents appear to be spear phishing attacks that target your corporate email.”
The email also offers detailed guidelines on dealing with such attacks, saying, “Talk with your security team about ensuring that your corporate email system is as safe as possible. Strong security practices will reduce your vulnerability to phishing. Designate one computer to use for Twitter. This helps keep your Twitter password from being spread around. Don’t use this computer to read email or surf the web, to reduce the chances of malware infection.”
David Harley, Senior Research Fellow at ESET, warns that these steps may not be enough. “Not all account hijacks are based on phishing and spear-phishing. Sometimes tweets are sent out because an unencrypted session is hijacked and while this may not be the case in this instance, it’s sometimes convenient for service providers to assume that security breaches are the fault of the user.”
“There are limits to what Twitter (or the user) can do about this issue,” says Harley. “However, the risk can be reduced by browsing from VPN connections and/or accessing sites via SSL, but that’s not always convenient. What might also help is not having a Twitter account running permanently in the background, but that may not be convenient for many Twitter users either.”
“It certainly can’t do any harm to increase the user’s resistance to social engineering via spear-phishing by warning them of the type of lure that may be used to persuade them to hand over their credentials by logging in to a fake site (for example), though I don’t know what kind of social engineering may have been used in this case.”
Mark James, technical team leader, ESET, said: “The media industry is likely to receive a very high amount of fake and phishing emails about real and bogus stories every single day. The only way to make [these attacks] harder is definitely through user education.”
Twitter accounts including GuardianBooks and GuardianTravel were affected by the latest round of hacks. The newspaper said that the accounts were targeted by a group calling itself the Syrian Electronic Army (SEA). Several official BBC accounts were hacked earlier this year by the same group.
The attack comes in the wake of a false tweet sent by hackers from an official Associated Press Twitter account this month, which sent stock markets tumbling in America. The tweet, posted by hackers to the official @AP account, claimed that the White House had been bombed. It caused panic, wiping 143 points off the Dow Jones in minutes, with one trader describing events as “pure chaos”.
Following that attack, Twitter was reported to be testing two-factor security systems. ESET’s David Harley explains the benefits of two-factor authentication in a separate post.