14 DAY TRIAL // Fake messages were posted from the Twitter accounts of New York Post and United Press International (UPI) by unknown individuals on Friday.
The accounts were quickly restored to their rightful owners but not before being used to publish false news on economic and military subjects.
A total of six bogus headlines were posted
In the Twitter feed of New York Post’s business section a message informed about the Federal Reserve announcing the need of negative interest rates in order to avoid market recession because of low oil prices.
The same message was posted from the account of UPI, which confirmed the incident in a statement on Friday saying that its website had also been hacked, and that the false Federal Reserve story was published on its webpage under the “breaking news” banner.
A subsequent tweet on New York Post’s account said that the “Bank of America CEO calls for calm: Savings accounts will not be affected by federal reserve decision.”
Another fake message published on the hijacked social media accounts informed that the USS George Washington, a nuclear-powered aircraft carrier, had been attacked with Chinese anti-ship missiles, while the next tweet announced that, in response, the US Navy “engaged in active combat against Chinese vessels in South China sea.”
The bogus message from UPI was followed by another one, allegedly quoting Xi Jinping, the President of the People's Republic of China, saying that Obama “has forced China to protect its interests through military means.”
Spear-phishing and lack of 2FA likely at fault
The hijackers also posted a tweet claiming to quote Pope Francis saying that World War III had begun. It must be noted that the Pope’s account did not fall under the control of an unauthorized entity.
Losing control of their Twitter account was confirmed by New York Post in a tweet from senior business editor Michael Gray.
The method used by the perpetrators to gain access to the two social media assets is unclear. However, the lack of two-factor authentication (2FA) security measure probably made things easier for hijackers, who could have guessed the password or stolen it through spear-phishing.
Such an attack is targeted and requires gathering intelligence about the victim in order to create the right content as a phishing bait.
According to users on Twitter, the fake messages were visible for at least 40 minutes before the owners of the accounts managed to cut off illegal access to the profiles.
In a recent similar incident, hackers operating under the name of CyberCaliphate hijacked the Twitter profile of the US Central Command, which oversees military activity in the Middle East, to deliver pro-ISIS propaganda.
Our Twitter feed has been hacked. #nyp
— Michael Gray (@12mgray) January 16, 2015
