On Monday, the "hacktivist" group Syrian Electronic Army (SEA) briefly took over the Twitter account of the satirical news publication The Onion, posting a series of anti-Israeli "joke" stories and an anti-Obama "meme" image. The Onion returned fire with its own joke story, "Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Death At Hands of Rebels."

Putting all jokes aside, The Onion's technology team yesterday made a post describing how the SEA had managed to compromise the accounts of a number of employees and take control of the Twitter feed—a series of phishing attacks that took advantage of the organization's use of Google Apps.

According to The Onion's Chris Sinchok, the attack started as a series of phishing e-mails to Onion staff members, which included a link to what appeared to be a Washington Post article. The URL was actually a link to a hacked website that redirected to a fake Google Apps login page. "At least one Onion employee fell for this phase of the phishing attack," the security team reported in the blog post. That employee's credentials were used to gain access to the employee's Google Apps e-mail account, which was then used by the attackers to send further phishing attacks from an internal Onion address, using a link to the same fraudulent Google Apps login page.

Devil in disguise

"Coming from a trusted address, many staff members clicked the link, but most refrained from entering their login credentials," the Onion team said in their blog post. "Two staff members did enter their credentials, one of whom had access to all our social media accounts."

When the breach was discovered, the Technology team sent out an e-mail telling all staff members to immediately change their passwords. That e-mail was copied by the SEA attackers from another compromised e-mail account, adding the phishing attack as a "password reset" link. That third phish yielded them two more sets of credentials, one of which "was used to continue owning our Twitter account," the technology team said.

These embarrassingly simple methods were apparently used in similar attacks by SEA on the Associated Press, the Guardian, and E! Online over the past few weeks. "All of these hacks so far have been a result of simple phishing or possibly dictionary attacks—all of which are preventable with a few simple security measures," the Onion tech team wrote.

The first of those measures isn't really all that simple: teaching users not to fall for suspicious links that ask for their logins. Registering social media accounts under e-mail addresses separate from staff members' normal internal ones, and managing those accounts through a separate password-protected application, would also have prevented the hack, or at least made it more difficult. The Onion team also suggested having an out-of-band way to communicate with staff about breaches, other than e-mail, so that attackers cannot turn the breach alerts themselves into a tool for extending the compromise.
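The two tricks described above, a link whose visible text names one site while its href goes somewhere else, and a "password reset" notice whose link leads away from the organization's real login hosts, are both mechanically checkable on the mail gateway or in a triage script. The following is an added example written for this article, not code from The Onion's technology team or from Ars; the trusted domains, the sample messages and the heuristic thresholds are all constructed for illustration.

```python
"""Heuristic checks for the two phishing patterns described above: a link
whose visible text names one site but whose href points elsewhere, and a
credential or "password reset" prompt that links away from trusted hosts.
All sample messages and domains below are constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own domain plus the login hosts it really uses.
TRUSTED_DOMAINS = {"onion-corp.test", "google.com"}

CREDENTIAL_WORDS = ("password", "reset", "login", "log in", "sign in", "verify")
# Matches something that looks like a host name inside the visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable-domain reduction (last two labels); enough for the samples."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_message(subject, html_body):
    """Return a list of (finding, href) pairs for suspicious links in one message.

    Sender identity is deliberately not used as a signal: in the incident
    described above the later phishes came from compromised internal accounts."""
    extractor = LinkExtractor()
    extractor.feed(html_body)
    findings = []
    trusted = {registered_domain(d) for d in TRUSTED_DOMAINS}
    for href, text in extractor.links:
        host = urlparse(href).hostname
        if not host:
            continue
        link_domain = registered_domain(host)
        # 1. Visible text names a domain that the link does not actually go to.
        shown = DOMAIN_RE.search(text)
        if shown and registered_domain(shown.group(1)) != link_domain:
            findings.append(("display-href-mismatch", href))
        # 2. Credential/reset wording combined with a link leaving the trusted domains.
        wording = (subject + " " + text).lower()
        if any(w in wording for w in CREDENTIAL_WORDS) and link_domain not in trusted:
            findings.append(("credential-prompt-off-domain", href))
    return findings


# Constructed samples: a disguised "news" link, a fake reset notice, a legitimate one.
SAMPLE_MESSAGES = [
    ("Interesting Washington Post piece",
     '<p>Worth a read: <a href="http://hacked-blog.test/redir?to=login">'
     'washingtonpost.com/world/syria-story</a></p>'),
    ("Security alert: change your password now",
     '<p>Everyone must reset their password: '
     '<a href="http://hacked-blog.test/gapps/login">click here to reset</a></p>'),
    ("Security alert: change your password now",
     '<p>Use the real console: <a href="https://accounts.google.com/">'
     'Google sign-in</a></p>'),
]

if __name__ == "__main__":
    for subject, body in SAMPLE_MESSAGES:
        print(subject, "->", check_message(subject, body) or "no findings")
```

The first sample trips only the display/href mismatch, the second only the off-domain credential prompt, and the third, which points at a trusted login host, produces nothing. The second check is the one that matters for the "password reset" phase of this incident: a genuine reset instruction should link only to hosts the organization already knows, so anything else is worth holding for review regardless of who appears to have sent it.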

Dubious claims of a SCADA hack

On the heels of the Onion hack, the SEA also claimed to have taken control of a SCADA system for "main infrastructural systems" in the Israeli city of Haifa. The announcement of the hack included a PDF file with screenshots of what appears to be an industrial control system management console in Windows XP (in Hebrew) for some sort of pumping station. The claim, published on May 6, said the attack was retribution for the bombing of what the Israeli Defense Force claimed was a shipment of missiles from Iran to Hezbollah in Lebanon.

"It's hard to say how legitimate the whole thing is," said Wolfgang Kandek, Chief Technology Officer of security firm Qualys. "Why would you announce that you had hacked a SCADA system and then prove it to give the defenders a chance to lock it down and clean it up? If you wanted to do something, you would keep it secret."

If the hack did happen, it appears to have been accomplished by gaining access through remote control software. Using remote control software to give engineers access to industrial control systems is not uncommon, and Internet-facing remote access tools are a common target for hackers because they can be found by scanning and frequently have weak (or even default) passwords in place—as was the case in the point-of-sale system hacks of Subway franchises.