Yesterday, the Syrian Electronic Army announced that it had compromised the email accounts of several staff members of Organizing For Action (OFA), a non-profit organization that also maintains the President’s website (barackobama.com), the President’s Facebook, and the President’s Twitter account (@barackobama). A screenshot posted by @Official_SEA16 confirms the hack and indicates some OFA staff were conducting business using Gmail email accounts, hosted through Google Apps for Business.
— SyrianElectronicArmy (@Official_SEA16) October 28, 2013
The attackers also compromised the URL shortening service that the President used to share links through social media (ShortSwitch.com). The compromised links directed users to a video called “Syria Facing Terrorism”, hosted on YouTube, which has since been removed.
We are working with OFA. Evidence suggests credentials were compromised elsewhere and used by unauthorized parties. Forensics ongoing…
— ShortSwitch (@shortswitch) October 28, 2013
The Syrian Electronic Army may have targeted the Obama campaign the same way that they targeted The Onion satirical news site. The Onion published a write-up explaining how they were compromised earlier this year. In the write-up, they point to emails they received (phishing attacks) that redirected staff to fake Google Apps login pages.
Many organizations use Google Apps for email and for other services. And many of these organizations have not yet enabled two-factor authentication (Google calls this two-step verification)—a security feature that has been available in Google Apps since 2011.
Two-factor authentication for email is an important security feature that should be enabled. In the scenarios such as the one above, two-factor authentication would have helped the staff members of OFA mitigate an attempt by hackers to obtain access to the Obama campaign’s Google Apps email account.
— Fran Berkman (@FranBerkman) October 28, 2013
If you are a Google Apps administrator, Symantec Security Response recommends turning on the two-factor authentication feature. Follow these instructions to allow two-factor authentication (2-step verification).
Google Apps administrators also have the option to “enforce” two-factor authentication, making it mandatory for all users of that domain. Please refer to Google’s help page for how to enable this feature.
Phishing attacks continue to evolve. All it takes is just one person in an organization to fall for a phishing scam to lower your security. Consider adding two-factor authentication to your Google Apps for Business account as well as incorporating regular user education training on security best practices for your employees.
For more information on two-factor authentication see: