
In recent social media news, the Australian Electoral Commission (AEC) Twitter account was ‘hacked’, with the government department’s account sending out a series of Direct Messages (DMs) containing linkbait text (e.g. “Hey this person is spreading horrible rumours about u: <link>”, “Did u see this pic of you? <link>”) and a link to a phishing site.

It was most notably reported in this article by The Age, titled Electoral Commission Twitter account hacked, voters asked not to click.

But the article (and the AEC’s response) gives almost useless advice to brands using social media that want to avoid a similar fate.

From the above article:

Mr Ekin-Smith said he was not aware of how its password had been obtained, but was certain no one from the organisation had been phished in a similar scam or divulged the password.

He said the AEC would now change its password daily and to increasingly more complex combinations to ensure it wouldn’t happen again. It has also elected to use Twitter’s two-factor authentication introduced in May, requiring a verification code sent to a linked mobile number to login.

Now I’m sorry but I’ll have to disagree here. The account (little doubt about it) has sent these DMs as a result of a social engineering attack, not a password hack. Changing a password is a way to defend against brute-force attacks, where the attacker iterates over a set of characters to ‘guess’ every possible combination. There are also dictionary-based versions that speed up the process, which is why you shouldn’t choose a password that is just a word and a number. But it’s quite hard to carry out a brute-force attack against a live service: most services (like Twitter) will first start requiring CAPTCHAs (those ‘type the letters in the image above’ things, which stop a computer from guessing automatically), and then lock the account pending manual verification if there are too many failed attempts. A brute-force attack would likely require thousands of guesses before finding the correct password, and the throttling stops it long before that.

So the AEC hasn’t fallen victim to a brute-force or password-cracking ‘hack’. That means either someone told another person the password, who then used it maliciously, or the password was obtained through social engineering. Now if it was option 1 (someone told someone else), the solution is still similar, but I suspect it was the second: if someone wanted to use the AEC’s account maliciously and had direct access to it, I would guess they would do something funny/amusing/political rather than simply reproducing a common spam attack.

So what’s probably happened (I’m aware my assumption here contradicts their statement) is that they have been socially engineered. And it doesn’t surprise me in the least. Something that brands often do during periods of increased activity is to recruit new staff, and often these staff are less savvy with social media than the ‘normal’ or baseline staff members. This is necessary to deal with the influx of comments, which I’m sure the AEC has been receiving since the election was called this Sunday.

So my guess would be that one of these staff saw a DM sent by another user, clicked the link, thought they needed to log in to “see the message” and inserted the account’s username and password. It’s an easy mistake to make — and that’s why these DMs are so common (people keep getting ‘taken’ by them). But anyone experienced in Twitter sees them immediately and ignores them (or Tweets the person that sent it to tell them that they’re spamming).

Having a complicated password, or changing it frequently, has no impact on this. No matter how complex the password is, the user still has to know it, and still types it into the box on the phishing page.
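As an added example (not code from the original post), the following Python simulates the kind of login throttling described above, CAPTCHA after a few failures and a lockout after many, and contrasts an automated guessing loop with a single replay of a credential captured by a phishing page. The thresholds, the wordlist and the sample password are constructed for the demo and are not Twitter’s real settings.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from collections import deque

# Assumed policy thresholds (constructed for this example, not a real service's values).
CAPTCHA_AFTER = 5      # failed attempts before a CAPTCHA is demanded
LOCK_AFTER = 20        # failed attempts before the account is locked for manual review
WINDOW_SECONDS = 600   # sliding window over which failures are counted
PBKDF2_ROUNDS = 20_000  # lowered from production-grade values so the demo runs quickly

# Constructed sample data: a strong password and a "word + number" guessing list.
STRONG_PASSWORD = "k7$Qz!2mPw9#Lr4v"
WORDLIST = [w + str(n) for w in ("password", "election", "aec", "twitter", "vote")
            for n in range(200)]


class Account:
    """A single account: salted password hash plus a history of recent failures."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.failures = deque()   # timestamps of recent failed attempts
        self.locked = False

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def check_password(self, password: str) -> bool:
        # Constant-time comparison of the stored and freshly computed hashes.
        return hmac.compare_digest(self.pw_hash, self._hash(password))


class LoginGuard:
    """Throttling that makes online brute force impractical: CAPTCHA after a few
    failures, lockout after many, counted inside a sliding time window."""

    def attempt(self, acct: Account, password: str, now: float,
                captcha_solved: bool = False) -> str:
        if acct.locked:
            return "locked"
        # Forget failures that have aged out of the window.
        while acct.failures and now - acct.failures[0] > WINDOW_SECONDS:
            acct.failures.popleft()
        if len(acct.failures) >= CAPTCHA_AFTER and not captcha_solved:
            return "captcha_required"
        if acct.check_password(password):
            acct.failures.clear()
            return "ok"
        acct.failures.append(now)
        if len(acct.failures) >= LOCK_AFTER:
            acct.locked = True
            return "locked"
        return "fail"


def brute_force(acct: Account, guesses, solve_captcha: bool = False) -> tuple:
    """Run an automated guessing loop (one guess per second) and report how many
    guesses were actually evaluated before the guard stopped the attacker."""
    guard = LoginGuard()
    evaluated = 0
    for i, guess in enumerate(guesses):
        result = guard.attempt(acct, guess, now=float(i), captcha_solved=solve_captcha)
        if result == "captcha_required":
            return evaluated, result        # automation cannot proceed past the CAPTCHA
        evaluated += 1
        if result == "ok":
            return evaluated, "cracked"
        if result == "locked":
            return evaluated, "locked"      # account parked for manual verification
    return evaluated, "exhausted"


def phished_login(acct: Account, captured_password: str) -> str:
    """A credential typed into a phishing page is replayed exactly once, so the
    throttling never triggers, however complex or fresh the password is."""
    return LoginGuard().attempt(acct, captured_password, now=0.0)


if __name__ == "__main__":
    print("brute force, no CAPTCHA solving:", brute_force(Account("aec", STRONG_PASSWORD), WORDLIST))
    print("brute force, CAPTCHAs solved:   ", brute_force(Account("aec", STRONG_PASSWORD), WORDLIST,
                                                             solve_captcha=True))
    print("replayed phished credential:    ", phished_login(Account("aec", STRONG_PASSWORD), STRONG_PASSWORD))
```

Run stand-alone, the guessing loop is stopped after 5 evaluated guesses (or 20 if the attacker pays to solve CAPTCHAs), out of a 1,000-entry list, while the replayed phished credential logs in on the first try. That is the post’s point in miniature: password complexity and rotation only raise the cost of the first scenario, and do nothing against the second.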

So what should your brand do?

The main lesson from this is to be aware of who knows your account passwords, and make sure that they:

  1. Understand social media very well, including the common spam attacks
  2. Actually need to know the ‘root-level’ passwords, rather than having a login to a third-party tool

If you use a tool like Hootsuite, your administrators/moderators don’t need to know the account passwords: only their Hootsuite logins. So these kinds of attacks don’t have any effect. Similarly, moderators can’t accidentally authorise a dodgy external app which may also send malicious content through your channel.

And the utility of changing your password should be to check who knows it. Change it, and see who asks for it – it’s an easy way to work out (2) above. Of course, when you do change it, follow the basic rules for having a password that isn’t guessable — use random letters, lowercase and uppercase, numbers and symbols. You really shouldn’t be putting in your password that frequently if you’re using an external tool.

(photo credit ThisParticularGreg)