Sometimes hacks can be more about mischief than malice

FC Barcelona has its Twitter and Facebook accounts hijacked by the OurMine gang.


Not all hacking is motivated by the desire to make money or steal secrets.

Sometimes a hack can be designed just to play a practical joke.

In today's example, it's fans of one of the world's top football clubs, FC Barcelona, who are having their legs pulled.

The OurMine hacking gang have turned their attention from HBO and Sony to break into the soccer club's social media accounts and announce that former Real Madrid player Angel Di Maria had been signed up for the team.

FC Barcelona and Real Madrid are bitter rivals, so news that a player is switching allegiances from one side to another is likely to get fans fuming.


Welcome Angel Di Maria to FC Barcelona! #DiMariaFCB

Within a couple of minutes, OurMine admitted its involvement.


And sometime after that, FC Barcelona retook possession of the account and apologised to its 23.1 million followers on Twitter.

FC Barcelona may want to look again at its defence, because it is clearly lacking when it comes to protecting its social media accounts.

That means not only training staff in password best practice and raising awareness about phishing attacks, but also explaining the security benefits of enabling two-step verification or two-factor authentication.

It's not as if FC Barcelona shouldn't be aware of these risks. For instance, back in 2014 the Syrian Electronic Army managed to seize control of the football club's Twitter account.


The Syrian Electronic Army's 2014 hack of FC Barcelona's Twitter account

In my view, all Twitter and Facebook users should take advantage of the two-step verification features those sites offer, to make it harder for hackers to break in even if they do manage to work out your password.

However, Twitter and Facebook-specific security features may not have helped in this particular case, as a clue in the hackers' tweets reveals.


You see, the messages were sent via Hootsuite, a third-party social media management app that many organisations use to run their social media presence.

All OurMine had to do was work out FC Barcelona's Hootsuite password... and that gave them the ability to post messages to FC Barcelona's Twitter and Facebook accounts.

Fortunately, there's a way to protect Hootsuite accounts with two-step verification. Once in place, Hootsuite will ask you to enter a six-digit one-time password, alongside your username and password, to successfully log in.
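The six-digit one-time password described above is almost always a time-based code of the RFC 6238 TOTP kind, and it is worth seeing how little is involved on both sides: the code is an HMAC over the current 30-second time step, and the server accepts it only once. The following is an added example written for this post, not Hootsuite's or Twitter's own code. The RFC 6238 test key and expected codes come from that RFC's test vectors; the base32 secret string and the `TotpVerifier` class name are constructed for the illustration.

```python
"""RFC 6238 TOTP: generate and verify six-digit one-time passwords.

Added example; not the code of any service mentioned in the post.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30   # seconds per code, the common default
DIGITS = 6       # six-digit codes, as in the login prompt described above

# Constructed base32 secret of the kind an authenticator app is given at
# enrolment (example value only; not a real account secret).
EXAMPLE_BASE32_SECRET = "JBSWY3DPEHPK3PXP"

# Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890").
RFC6238_SHA1_KEY = b"12345678901234567890"


def key_from_base32(secret: str) -> bytes:
    """Decode the base32 secret an authenticator app stores into raw key bytes."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore padding that apps usually drop
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    if at is None:
        at = int(time.time())
    return hotp(key, at // step)


class TotpVerifier:
    """Server-side check: tolerate one step of clock drift and refuse replayed codes."""

    def __init__(self, key: bytes, window: int = 1):
        self.key = key
        self.window = window
        self.last_counter = -1   # highest time-step counter already accepted

    def verify(self, submitted: str, at: Optional[int] = None) -> bool:
        if at is None:
            at = int(time.time())
        if len(submitted) != DIGITS or not submitted.isdigit():
            return False
        counter = at // TIME_STEP
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue   # a code captured earlier cannot be used a second time
            if hmac.compare_digest(hotp(self.key, candidate), submitted):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # What an authenticator app would display right now for the example secret.
    print(totp(key_from_base32(EXAMPLE_BASE32_SECRET)))
```

The point for a defender is the last class: a stolen password alone yields nothing without the current code, the code expires within a minute or so, and recording the last accepted counter means a phished code cannot be reused even inside that window.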


In this case, the unauthorised social media posts may have been more about mischief than malice, but that doesn't mean they should be treated any less seriously. All organisations need to ensure they have tight security in place before a hacker uses an opportunity like this to send out a malicious tweet designed to spread malware, launch a phishing attack or trick users into visiting dangerous websites.


One Response

  1. Kami

    August 24, 2017 at 1:58 pm #

    This is a great perspective on their hacking! I never would've noticed it was posted through Hootsuite. Makes sense!
