Would You Click the Link in This Email That Apparently Tricked the AP?

The Citizen's Guide to the Future
April 23 2013 10:11 PM

Would You Click the Link in This Email That Apparently Tricked the AP?

AP Twitter account suspended
The AP's Twitter account was suspended after hackers posted a tweet claiming that President Obama had been injured in an explosion at the White House.

Screenshot / Twitter

Hacking a prominent Twitter account, like the one that the Associated Press uses to broadcast breaking news to some 2 million followers, sounds like it would be hard. Apparently it isn’t.

Will Oremus Will Oremus

Will Oremus is Slate's senior technology writer.

At least, it doesn’t seem to be hard lately for a rogue hacker outfit that calls itself the Syrian Electronic Army, which claimed responsibility for Tuesday’s AP tweet-jacking. The SEA, which seems to have a pro-Assad agenda though it claims it isn’t affiliated with the Syrian government, has been racking up successful hacks at an alarming rate in the past few months. And the roster of reported victims, as collected by Reuters earlier today, reads like a checklist of the most credible and influential English-language news organizations: the BBC, NPR, CBS' "60 Minutes," Reuters News, and now the AP.


It wasn’t immediately clear whether the hackers obtained the AP’s password by installing keystroke-logging malware on employees’ machines or by tricking them into entering their credentials on a bogus site. But an internal AP email, posted on Jim Romenesko’s media blog, gives us a good idea as to how they might have gotten in the door: by spear-phishing. That means targeting specific people with legitimate-looking emails designed to trick them into giving up sensitive information. In this case, several AP employees received an email shortly before the Twitter hack that appeared to come from one of their colleagues. Here’s what it looked like, according to Romenesko’s source:

Sent: Tue 4/23/2013 12:12 PM
From: [An AP staffer]
Subject: News


Please read the following article, it’s very important :


[A different AP staffer]
Associated Press
San Diego
mobile [removed]

Notice that it lacks most of the telltale signs of a scam. The “from” field contains not some unknown name, but the name of someone you know and work with. The topic is generic, but it’s also something that AP staffers have to be looking out for all the time: news. And the URL in the link looks legitimate—it seems to point to Max Fisher’s WorldViews blog on the Washington Post site.

Would you click the link in that email if it appeared in your inbox in the middle of a busy workday? Probably not, right? But if you were distracted—if the name in the “from” field was that of a friend or your boss—if you were in a hurry—isn’t there maybe at least a chance that you’d click before you even took a moment to think about it? And when you consider that this email was probably sent to a bunch of different people at the AP all at once, and the odds of at least one or two clicking on start to look pretty good.

In other words, blame the AP if you like, but if spear-phishing was indeed the SEA’s way in, then what happened to them could happen to just about any organization. Chet Wisniewski of the security firm Sophos told me the attack points to the need for Twitter to offer two-factor authentication, and it seems likely that the company is indeed working on that.

But forget Twitter for a second. The other takeaway here is just how effective a well-targeted spear-phishing attack can be. Everyone knows to avoid emails from Nigerian princes. By now most people know to be wary of Facebook or Twitter messages from their friends that say things like “lol ur famous now.” Now it seems we have to watch out for work emails from colleagues that are properly spelled and punctuated, on-topic, and generally plausible, if a little vague. Good luck everyone!

Future Tense is a partnership of SlateNew America, and Arizona State University.



Meet the New Bosses

How the Republicans would run the Senate.

The Government Is Giving Millions of Dollars in Electric-Car Subsidies to the Wrong Drivers

Scotland Is Just the Beginning. Expect More Political Earthquakes in Europe.

Cheez-Its. Ritz. Triscuits.

Why all cracker names sound alike.

Friends Was the Last Purely Pleasurable Sitcom

The Eye

This Whimsical Driverless Car Imagines Transportation in 2059

Medical Examiner

Did America Get Fat by Drinking Diet Soda?  

A high-profile study points the finger at artificial sweeteners.

The Afghan Town With a Legitimately Good Tourism Pitch

A Futurama Writer on How the Vietnam War Shaped the Series

  News & Politics
Sept. 21 2014 11:34 PM People’s Climate March in Photos Hundreds of thousands of marchers took to the streets of NYC in the largest climate rally in history.
Business Insider
Sept. 20 2014 6:30 AM The Man Making Bill Gates Richer
Sept. 20 2014 7:27 AM How Do Plants Grow Aboard the International Space Station?
  Double X
The XX Factor
Sept. 19 2014 4:58 PM Steubenville Gets the Lifetime Treatment (And a Cheerleader Erupts Into Flames)
  Slate Plus
Tv Club
Sept. 21 2014 1:15 PM The Slate Doctor Who Podcast: Episode 5  A spoiler-filled discussion of "Time Heist."
Sept. 21 2014 9:00 PM Attractive People Being Funny While Doing Amusing and Sometimes Romantic Things Don’t dismiss it. Friends was a truly great show.
Future Tense
Sept. 21 2014 11:38 PM “Welcome to the War of Tomorrow” How Futurama’s writers depicted asymmetrical warfare.
  Health & Science
The Good Word
Sept. 21 2014 11:44 PM Does This Name Make Me Sound High-Fat? Why it just seems so right to call a cracker “Cheez-It.”
Sports Nut
Sept. 18 2014 11:42 AM Grandmaster Clash One of the most amazing feats in chess history just happened, and no one noticed.