You would think that by now journalists and people in media and advertising would be on the alert for social engineering red flags. But no. Syrian hacktivists sent a spear-phishing email to all employees of a company called Outbrain, which caused some of those employees to give up their usernames and passwords. Outbrain provides newspapers with content-recommendation widgets, which are embedded into media web pages and help internet publishers boost traffic.
The hacktivists call themselves the Syrian Electronic Army (SEA) and are a hacker group supporting President al-Assad. They started their disruption campaign in mid-2011, and they run the gamut of DDoS attacks, spear-phishing, pro-Assad website vandalism, and spamming anyone they believe to be hostile to the Syrian government.
SEA are especially known for spear-phishing attacks that attempt to compromise the Twitter accounts of media people and then use those hacked credentials to push pro-Assad propaganda. Recent victims include Associated Press, BBC, the Daily Telegraph, the Financial Times, the Guardian, Human Rights Watch, America's National Public Radio, Thomson Reuters and others.
Providing employees of these organizations with effective security awareness training so that they can spot social engineering seems to be the logical thing to do. Why is this not happening?