Would You Click the Link in This Email That Apparently Tricked the AP?

Future Tense
The Citizen's Guide to the Future
April 23 2013 10:11 PM

AP Twitter account suspended
The AP's Twitter account was suspended after hackers posted a tweet claiming that President Obama had been injured in an explosion at the White House.

Screenshot / Twitter

Hacking a prominent Twitter account, like the one that the Associated Press uses to broadcast breaking news to some 2 million followers, sounds like it would be hard. Apparently it isn’t.

Will Oremus

Will Oremus is Slate's senior technology writer.

At least, it doesn’t seem to be hard lately for a rogue hacker outfit that calls itself the Syrian Electronic Army, which claimed responsibility for Tuesday’s AP tweet-jacking. The SEA, which seems to have a pro-Assad agenda though it claims it isn’t affiliated with the Syrian government, has been racking up successful hacks at an alarming rate in the past few months. And the roster of reported victims, as collected by Reuters earlier today, reads like a checklist of the most credible and influential English-language news organizations: the BBC, NPR, CBS' "60 Minutes," Reuters News, and now the AP.


It wasn’t immediately clear whether the hackers obtained the AP’s password by installing keystroke-logging malware on employees’ machines or by tricking them into entering their credentials on a bogus site. But an internal AP email, posted on Jim Romenesko’s media blog, gives us a good idea as to how they might have gotten in the door: by spear-phishing. That means targeting specific people with legitimate-looking emails designed to trick them into giving up sensitive information. In this case, several AP employees received an email shortly before the Twitter hack that appeared to come from one of their colleagues. Here’s what it looked like, according to Romenesko’s source:

Sent: Tue 4/23/2013 12:12 PM
From: [An AP staffer]
Subject: News


Please read the following article, it’s very important :


[A different AP staffer]
Associated Press
San Diego
mobile [removed]

Notice that it lacks most of the telltale signs of a scam. The “from” field contains not some unknown name, but the name of someone you know and work with. The topic is generic, but it’s also something that AP staffers have to be looking out for all the time: news. And the URL in the link looks legitimate—it seems to point to Max Fisher’s WorldViews blog on the Washington Post site.
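An added example, not part of the original article: one check a mail filter can run against the kind of lure described above, flagging links whose visible text shows one host while the underlying href points to another. It assumes an HTML message in which the displayed and actual URLs differ, which the article implies but does not confirm; the sample message and every hostname in it are constructed placeholders.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed sample, not the real AP message; every host is a placeholder.
SAMPLE = """\
From: "A Colleague" <colleague@example.org>
Subject: News
Content-Type: text/html; charset="utf-8"

<p>Please read the following article, it's very important :</p>
<a href="http://login.example.net/wp/">http://news.example.com/blogs/worldviews/</a>
<a href="http://news.example.com/about">About us</a>
"""

class Anchors(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    """Lowercase host of a URL; bare 'www.site.tld/x' text is accepted too."""
    try:
        return urlsplit(url if "://" in url else "http://" + url).hostname
    except ValueError:
        return None

def mismatched_links(raw_message):
    """Return (shown_host, real_host) for links whose text looks like a URL on one host while the href targets another."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        parser = Anchors()
        parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in parser.links:
            shown, real = host(text), host(href)
            if " " not in text and "." in text and shown and real and shown != real:
                findings.append((shown, real))
    return findings
```

A link whose text is ordinary words ("About us") is not flagged; only text that itself reads as a URL is compared with the real target.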

Would you click the link in that email if it appeared in your inbox in the middle of a busy workday? Probably not, right? But if you were distracted—if the name in the “from” field was that of a friend or your boss—if you were in a hurry—isn’t there maybe at least a chance that you’d click before you even took a moment to think about it? And when you consider that this email was probably sent to a bunch of different people at the AP all at once, the odds of at least one or two clicking start to look pretty good.

In other words, blame the AP if you like, but if spear-phishing was indeed the SEA’s way in, then what happened to them could happen to just about any organization. Chet Wisniewski of the security firm Sophos told me the attack points to the need for Twitter to offer two-factor authentication, and it seems likely that the company is indeed working on that.

But forget Twitter for a second. The other takeaway here is just how effective a well-targeted spear-phishing attack can be. Everyone knows to avoid emails from Nigerian princes. By now most people know to be wary of Facebook or Twitter messages from their friends that say things like “lol ur famous now.” Now it seems we have to watch out for work emails from colleagues that are properly spelled and punctuated, on-topic, and generally plausible, if a little vague. Good luck everyone!

Future Tense is a partnership of Slate, New America, and Arizona State University.


