I first reported to you about the Syrian Electronic Army (SEA) last summer, when this organization hacked into the New York Times, the Washington Post and a number of other major American companies. More recently, in October, I told you about the SEA’s hacking into President Obama’s Twitter and Facebook accounts. In perhaps its most disruptive attack, the SEA hacked into the Associated Press’ Twitter account this past April and sent out a phony tweet about explosions at the White House. The response to this phony tweet included a temporary drop in the stock market as the market reacted to the fake news story with panic. This group, which may or may not be sponsored or controlled by the Syrian government of President Bashar al-Assad, is certainly philosophically aligned with his government.
Earlier this week, the FBI warned many companies about new cyberattacks being made by the SEA. The cyberattacks begin with an innocuous-looking email that purports to contain a link to a CNN article about the Syrian revolution. The email also directs its recipients to a phony Google log-in page, which requires the person receiving the email to input his or her username and password. This phishing-type scam appears to be how the SEA manages to gain access to the websites and databases of its targets. Once the SEA has the usernames and passwords, it is often able to use that information to infiltrate the computers of the companies it targets.
The lesson here is not just for major companies that may be targets of the Syrian Electronic Army, but for all of us. The tactic used by the SEA is also used by scammers and identity thieves whose goal is to get access to the information in your computers, laptops and smartphones for purposes of identity theft. By luring you into clicking on a tainted link or download, or by tricking you into providing usernames and passwords, these identity thieves and hackers manage to get you to turn over the keys to your kingdom. As I often say, “trust me, you can’t trust anyone.” Never click on links or download attachments, which may be riddled with malware, unless you are absolutely sure that they are legitimate. Even when a link or attachment is in an email that appears to come from someone you know, you cannot be sure that your friend’s email has not been hacked by an identity thief. Always confirm that a link or attachment is indeed legitimate before ever clicking on the link or downloading the attachment. Also, jealously guard your usernames and passwords. Whenever you are asked for them, make sure that the request is legitimate and not just a cleverly worded phishing attempt.