Hackers broke into the Facebook and Twitter accounts of the NY Post and a number of Twitter accounts belonging to its journalists, posting messages saying “The Syrian Electronic Army Was Here”.
Amongst the victims was Mike Puma, who covers the NY Mets baseball team for the newspaper.
Meanwhile, the pro-Assad Syrian Electronic Army posted a screenshot of what appears to be the administration panel for the New York Post’s SocialFlow account, used to manage social media activities.
Of course, if a hacker has control of your SocialFlow admin panel they can pretty much do what they like with your Facebook and Twitter accounts until you can get them evicted.
At about the same time as the New York Post hack was occurring, SocialFlow itself was suffering from security problems at the hands of the Syrian Electronic Army. Their website was defaced with the hacking group’s logo, and tweets published from SocialFlow’s Twitter account made clear that all was not normal for the social media company.
Later, both the New York Post and SocialFlow wrested control of their accounts back from the hackers.
Although the newspaper does not appear to have officially acknowledged that the hack occurred, their social media partners were man enough to admit that one of their staff had their email account breached by hackers who had tricked them into handing over passwords in a phishing attack.
In the past, the Syrian Electronic Army has hacked into the Twitter accounts of a wide variety of media organisations including the BBC, ITV, The Telegraph, The Financial Times, The Guardian and Thomson Reuters.
The problem has become so big that back in April, Twitter’s security team warned potential targets about the hacking threat.
Chances are that the NY Post and SocialFlow fell victim to the Syrian Electronic Army via the group’s normal method of attack – emailing staff at one media organisation with a forged “sent” address in the email header, linking to what claims to be a breaking news story that the recipient should check out. Clicking on the link then takes users to a phishing site where passwords are stolen.
The lesson is simple – be very careful about links you click on in unsolicited messages, and always think twice about where you are entering your passwords.