The Twitter, Facebook and blog pages of video-calling service Skype have in recent hours been defaced by the hacker group Syrian Electronic Army with anti-Microsoft and anti-surveillance messages.
Skype’s Twitter account was taken over and the following tweet was retweeted more than 8,000 times: “Don’t use Microsoft emails (hotmail, outlook), they are monitoring your accounts and selling the data to the governments. More details soon #SEA.”
The hacker group also attacked Skype’s Facebook page and the company’s blog page.
It is understood the attack was carried out via classic phishing.
“There is evidence to suggest the attackers were able to gain access to Skype’s Facebook and WordPress blogs as well, likely indicating either shared passwords or perhaps compromise of Skype employees’ email accounts,” wrote Chester Wisniewski on the Sophos Naked Security blog.
Moral of the story: embrace two-factor authentication for social media profiles
Wisniewski said the FBI had warned high-profile media organisations on Christmas Eve to be on the look-out for phishing attacks by the Syrian Electronic Army.
“Skype has more than 3m followers on Twitter, which indicates that, had the attackers wanted to send out malicious links or other dangerous content, this could have been a whole lot worse.
“What I would like to know is why on earth a company’s social media profile with over 3m followers would not be using two-factor authentication.”
He said that last year Twitter rolled out an improved two-factor solution seemingly in response to previous attacks by the SEA and that WordPress and Facebook have also begun offering two-factor authentication.
“I believe it is the responsibility of organisations with a large number of followers to do whatever they can to secure their profiles.
“I suppose this can be a lesson to the rest of us. Take advantage of the safety net of two-factor authentication whenever possible. While it may be less than perfect, so are you,” Wisniewski said.