10 May 2013
During the initial stage, the cyber-hacktivist team sent a regular phishing message to a number of staffers, advising them to read a piece allegedly posted on the Washington Post blog. Instead of taking them to the blog, the URL redirected the victim to a Google Apps phishing page, where they had their e-mail credentials stolen.
As detailed in the post-mortem report on the tech team’s blog, once the attackers had access to valid company e-mails, they sent the phishing message as a password reset warning, claiming at least two more victims.
“After discovering that at least one account had been compromised, we sent a company-wide email to change email passwords immediately. The attacker used their access to a different, undiscovered compromised account to send a duplicate email which included a link to the phishing page disguised as a password-reset link,” reads the blog post.
In the process, they managed to seize control of an account used to manage The Onion’s Twitter account. According to a brief casualty report, it appears the hackers took control of at least five accounts.
The whole incident would have been avoided if staff members had spotted a simple phishing attack and refused to hand over their credentials to the attackers.