This is a write-up of how the Syrian Electronic Army hacked The Onion. In summary, they phished Onion employees’ Google Apps accounts via 3 seperate methods.
The SEA began by sending phishing emails to various Onion employees beginning around May 3.
The Washington Post link actually went to a URL like
Which redirected to a URL likehttp://googlecom.comeze.com/a/theonion.com/Service.Login?&passive=1209600&cpbps=1&continue=https://mail.google.com/mail/
Which asked for Google Apps credentials before redirecting to the Gmail inbox.
These emails were sent from strange, outside addresses, and they were sent to few enough employees to appear as just random noise rather than a targeted attack. At least one Onion employee fell for this phase of the phishing attack.
Once the attackers had access to one Onion employee’s account, they used that account to send the same email to more Onion staff at about 2:30 AM on Monday, May 6. Coming from a trusted address, many staff members clicked the link, but most refrained from entering their login credentials. Two staff members did enter their credentials, one of whom had access to all of our social media accounts.
For the rest of the story: http://theonion.github.io/blog/2013/05/08/how-the-syrian-electronic-army-hacked-the-onion/