How does the Syrian Electronic Army compromise targeted Twitter or Facebook accounts? According to an account published by The Onion, the attackers used spear-phishing emails that included an apparent link to a Washington Post story but that really led to a malicious website, which asked users to enter their Gmail credentials. Attackers then used that information to gain access to Twitter accounts that had that email address on file.
While no other media outlets have offered details of how they were compromised, security experts suspect that phishing attacks were also used against AP and Human Rights Watch, with the phishing email links redirecting to Google or Microsoft webmail sites.
In the wake of the AP breach, Twitter was reportedly testing a two-factor authentication system. Once implemented, such a system should make it more difficult for attackers to compromise accounts via spear-phishing attacks.
The Syrian Electronic Army, however, has promised to continue compromising Twitter accounts. "It will definitely make it harder on Twitter, but this was never our primary attack vector," said the Shadow. "Nevertheless, there are still some security holes in Twitter's model that we hope to exploit in the future so no one should get too comfortable, we are not going to give up."