Online news site International Business Times has revealed that the notorious Syrian Electronic Army hacking group had successfully breached its security, and removed a story that was embarrassing to the country’s regime.
The Syrian Electronic Army, a collective of pro-Assad hackers who have made a name for themselves by claiming the scalps of various media organisations in the last couple of years, apparently took offence to a news article entitled “The Syrian Army Is Shrinking, And Assad Is Running Out Of Soldiers.”
In its place, the SEA published a screenshot of the International Business Times‘s internal content management system and a message warning that further “false information about Syria and the Syrian army” would result in the entire site being deleted.
Hacked by the Syrian Electronic Army.
This time we only deleted the article that content false information about Syria and the Syrian army.
Next time, we will delete all your website.
So, the obvious question is – how did the Syrian Electronic Army do it?
Well, if the hacking gang’s past escapades are any indication chances are that at the centre of this story is a phishing attack.
The Syrian Electronic Army may have had a great deal of success hacking into media organisations around the world (past victims have included Forbes, The Guardian, The Telegraph, the Washington Post, and Thomson Reuters amongst many others), but it is not known for its sophistication.
Its typical modus operandi is to send a forged email to an organisation (perhaps pretending to be a work colleague, or a reporter at a rival news agency) containing a link.
If the link is clicked on, the targeted individual will usually be taken to a webpage which attempts to phish login credentials from them.
In this rudimentary way, the SEA has managed to hijack the social media accounts of umpteen organisations that really should know better and (more recently) opened the doors for the hackers to also gain access to internal email systems and website content management systems.
ReadWrite reports that IB Times staff have been warned to be wary of clicking on any links in emails apparently sent by IB Times co-founder Johnathan Davis
Whether this means Mr Davis’s email account was actually compromised, or whether the Syrian Electronic Army was simply using his name and email address on forged emails to dupe staff, is unclear.
But one thing is clear. Two-factor authentication (2FA) would have made life much more difficult for the hackers.
If you are a company which allows staff to remotely access systems such as email or a web content management system, you should be seriously considering implementing 2FA to reduce the chances of your organisation being the next one to fall victim.
2FA can’t stop your users from being phished, or passwords being stolen, or even your staff unwisely using the same passwords in multiple places. But it can make a difference – because if you have 2FA in place, the password alone won’t be enough for the attackers to gain access to your systems.
That’s not to say that 2FA is infallible. Determined online criminals could use “man-in-the-middle” techniques to grab a randomly-generated passcode alongside a user’s password and username, but it makes things much more complex for them and prone to failure.
And if a group like the Syrian Electronic Army thinks it’s too tricky to break into your organisation with their simple techniques, chances are that they will move on to another, easier to hack, firm instead.
There’s a good reason why more and more services offer support for two-factor authentication. There’s no good reason why you shouldn’t be making use of it.