Hackers exploit weakest link at The Washington Post: a sports writer

Media // Washington, DC, United States

The newspaper’s website was poisoned with malicious code that redirected readers to the website of the Syrian Electronic Army hacker group. According to information obtained by KrebsOnSecurity, the assault began with a phishing campaign launched over the weekend that ultimately hooked one of the paper’s lead sports writers, Jason Reid.

Reid was among those who fell for a scam that spoofed the Post’s internal Outlook Web Access email portal. His hacked email account was then used to send additional — likely malware-laced — phishing emails to other newsroom employees. 

On the morning of 8/13, KrebsOnSecurity obtained information indicating that a phishing campaign targeting the Post’s newsroom had been successful, and that the attackers appear to have been seeking access to the email accounts of Post reporters who had Twitter accounts.

The Post did not respond to requests for comment.

On 8/15, The Washington Post stated in a brief published acknowledgment that a sophisticated phishing attack against its newsroom reporters had indeed led to a hack.

From that message:

“A few days ago, The Syrian Electronic Army, allegedly, subjected Post newsroom employees to a sophisticated phishing attack to gain password information. The attack resulted in one staff writer’s personal Twitter account being used to send out a Syrian Electronic Army message. For 30 minutes this morning, some articles on our website were redirected to the Syrian Electronic Army’s site. The Syrian Electronic Army, in a Tweet, claimed they gained access to elements of our site by hacking one of our business partners, Outbrain. We have taken defensive measures and removed the offending module. At this time, we believe there are no other issues affecting The Post site.”

Krebs, a former Post reporter, adds:

“Other well-known Posties came close to being tricked by the phishing attack. One of those nearly-phished was veteran Post staffer Gene Weingarten, one of the Post’s Pulitzer Prize-winning editors and writers. Reached via email for comment, Weingarten was characteristically self-effacing about the whole ordeal (full disclosure: Gene edited my very first story to appear in The Washington Post, a 1996 Style section piece about living in the late President Gerald Ford’s house, titled, ‘My Gerry Built Home’).

‘I was phished….one of four, but I never entered any creds,’ Weingarten wrote. ‘I’m stupid, but not THAT stupid.’”

ThreatWatch is a regularly updated catalog of data breaches successfully striking every sector of the globe, as reported by journalists, researchers and the victims themselves.