Comedy website The Onion has revealed the phishing emails that led to the successful compromise of its official Twitter account earlier this week.
A group called the Syrian Electronic Army, which apparently supports President Bashar Al-Assad, claimed responsibility for the attack. Someone claiming to be a member of the group told The New York Times that the attack was in response to a parody story by the site about Al-Assad.
Today, the Onion's technology published emails that were sent to journalists in the run up to the attack.
They contained a link which appeared to reader as though it directed to a page on the Washington Post. In fact, the link directed a site that prompted the user to enter their Google Apps login details.
"These emails were sent from strange, outside addresses, and they were sent to few enough employees to appear as just random noise rather than a targeted attack," the team wrote on its blog. "At least one Onion employee fell for this phase of the phishing attack."
One that employee's Google Apps account had been compromised, they resent the malicious link to other employees, but this time from a trusted email address. Another two Onion staff members entered the Google logins when prompted.
The security detected the attack at this point and sent an email prompting employees to change their usernames and passwords. But the attacker saw this email, and sent another, duplicate email, again linking to the malicious link.
This final wave successfully harvested three more account log-ins. "One of these accounts was used to continue owning our Twitter account," the team wrote.
The Onion's tech team gave some advice to other organisations hoping to avoid the same fate. They recommend user education, using a separate email system for Twitter log-ins, using an intermediary app for posting to Twitter, and having a way to communicate to employees outside the official email system.
The Syrian Electronic Army has previously targeted The Guardian, the BBC and the Associated Press.
Last month, it successfully compromised the AP's Twitter account and posted a bogus Tweet about explosions in the White House. That triggered a "flash crash" on the US stock market after traders reacted to the 'news' by selling shares.