Syrian Electronic Army's AP Hack Just The Latest Phishing Attack On A Major News Organization

04/23/2013 05:25 pm ET | Updated Apr 23, 2013
Twitter: AP

A hacker group calling itself the Syrian Electronic Army took credit for hacking the Twitter account of the Associated Press Tuesday and sending out a fake tweet about an explosion at the White House that injured President Obama. The tweet, which was re-tweeted thousands of times in minutes, had widespread repercussions, causing the Dow Jones Industrial Average to drop sharply before it quickly recovered.

The attack showed how hackers are using so-called "phishing" techniques to compromise Twitter accounts belonging to some of the most respected news agencies in the world, renewing questions about the social network's security measures.

The group, which has been called "a collective of pro-Assad hackers and online activists" working with support of the Syrian regime, has taken credit for hacking the Twitter accounts of several other news agencies in recent weeks, including NPR, Reuters, BBC and Al Jazeera.

Twitter has long tried to protect users against phishing. Back in 2009, the service warned users who received emails that redirected them to a site that looked like Twitter.com to "look closely at the URL because it could be a scam."

In a blog post in February, Twitter unveiled a new technology that it said "makes it extremely unlikely that most of our users will see any email pretending to be from a Twitter.com address."

"There's no shortage of bad actors sending emails that appear to come from a Twitter.com address in order to trick you into giving away key details about your Twitter account, or other personal information," the company said.

But an AP story about Tuesday's attack said it was "preceded by a phishing attempt on AP's corporate network." The AP's Mike Baker tweeted that the hack came less than an hour after AP employees "received an impressively disguised phishing email."

Such attacks have become increasingly common. A report issued this week by Verizon found that more than 95 percent of all attacks linked to hackers believed to be working on behalf of a foreign government used phishing techniques "as a means of establishing a foothold in their intended victims' systems."

George Waller, co-founder of Strikeforce Technologies, a security firm, said once victims click on this type of malicious email, hackers can use keylogging software to see everything they type, including the usernames and passwords of their Twitter accounts.

And phishing is not the only way hackers can compromise Twitter accounts. On its site, Twitter details other ways that accounts can get hacked, such as via third-party apps that access Twitter.

Tuesday's fake tweet from the AP's account prompted a flurry of tweets about one potential solution to securing users' accounts: enabling two-step authentication.

The security measure, already available on Facebook and Google applications, requires users to type in usernames and passwords then enter a verification code that is sent as a text message in order to complete the sign-in process. That way, a hacker would need to not only steal victims' usernames and passwords, but also their phones.

A Twitter spokesperson did not return a request for comment Tuesday about why the social network has not enabled two-step authentication.

UPDATE: 6:00 p.m. -- An FBI spokeswoman told The Huffington Post Tuesday that the agency is investigating the hack of AP's Twitter account.

CONVERSATIONS