Would You Click the Link in This Email That Apparently Tricked the AP?

Future Tense
The Citizen's Guide to the Future
April 23 2013 10:11 PM


AP Twitter account suspended
The AP's Twitter account was suspended after hackers posted a tweet claiming that President Obama had been injured in an explosion at the White House.

Screenshot / Twitter

Hacking a prominent Twitter account, like the one that the Associated Press uses to broadcast breaking news to some 2 million followers, sounds like it would be hard. Apparently it isn’t.

Will Oremus

Will Oremus is Slate's senior technology writer.

At least, it doesn’t seem to be hard lately for a rogue hacker outfit that calls itself the Syrian Electronic Army, which claimed responsibility for Tuesday’s AP tweet-jacking. The SEA, which seems to have a pro-Assad agenda though it claims it isn’t affiliated with the Syrian government, has been racking up successful hacks at an alarming rate in the past few months. And the roster of reported victims, as collected by Reuters earlier today, reads like a checklist of the most credible and influential English-language news organizations: the BBC, NPR, CBS' "60 Minutes," Reuters News, and now the AP.


It wasn’t immediately clear whether the hackers obtained the AP’s password by installing keystroke-logging malware on employees’ machines or by tricking them into entering their credentials on a bogus site. But an internal AP email, posted on Jim Romenesko’s media blog, gives us a good idea as to how they might have gotten in the door: by spear-phishing. That means targeting specific people with legitimate-looking emails designed to trick them into giving up sensitive information. In this case, several AP employees received an email shortly before the Twitter hack that appeared to come from one of their colleagues. Here’s what it looked like, according to Romenesko’s source:

Sent: Tue 4/23/2013 12:12 PM
From: [An AP staffer]
Subject: News

Please read the following article, it’s very important :

[A different AP staffer]
Associated Press
San Diego
mobile [removed]

Notice that it lacks most of the telltale signs of a scam. The “from” field contains not some unknown name, but the name of someone you know and work with. The topic is generic, but it’s also something that AP staffers have to be looking out for all the time: news. And the URL in the link looks legitimate—it seems to point to Max Fisher’s WorldViews blog on the Washington Post site.

Would you click the link in that email if it appeared in your inbox in the middle of a busy workday? Probably not, right? But if you were distracted—if the name in the “from” field was that of a friend or your boss—if you were in a hurry—isn’t there maybe at least a chance that you’d click before you even took a moment to think about it? And when you consider that this email was probably sent to a bunch of different people at the AP all at once, the odds of at least one or two of them clicking on it start to look pretty good.

In other words, blame the AP if you like, but if spear-phishing was indeed the SEA’s way in, then what happened to them could happen to just about any organization. Chet Wisniewski of the security firm Sophos told me the attack points to the need for Twitter to offer two-factor authentication, and it seems likely that the company is indeed working on that.

But forget Twitter for a second. The other takeaway here is just how effective a well-targeted spear-phishing attack can be. Everyone knows to avoid emails from Nigerian princes. By now most people know to be wary of Facebook or Twitter messages from their friends that say things like “lol ur famous now.” Now it seems we have to watch out for work emails from colleagues that are properly spelled and punctuated, on-topic, and generally plausible, if a little vague. Good luck everyone!

Future Tense is a partnership of Slate, New America, and Arizona State University.
