A spam-pushing hacker's daylong takeover of the Explore Minnesota Facebook account is over.
Someone took full control of the account Monday morning, and for about five hours starting at 11:30 a.m. bombarded the popular tourism agency page with hyperlinks to bogus or sensationalized posts on a website called newsprovidr.com.
At least 25 hyperlinks were published. Some had a few dozen shares, and one (about a morgue worker being cremated while napping) was shared more than 250 times, inadvertently spreading the damage further.
Facebook shortly after 3 p.m. identified an account that had blocked access to the Explore Minnesota page, according to agency spokesperson Alyssa Hayes. By about 4:30 p.m. that bad actor had been cut out, and Explore Minnesota restored as the administrator, a statement from Explore Minnesota said.
MNIT, the state's agency in charge of IT, is helping put security measures back in place for the page. And now that account control is back in the hands of the rightful owner, MNIT's plan is to start reverse engineering things to try to figure out what might have happened, MNIT Chief Information Security Officer Aaron Call told GoMN.
The Explore Minnesota Facebook page was run with a single account, Hayes said, and a lone social media manager was generally the only person with the password and direct access to post content.
Hayes said they're working with MNIT still to investigate. How an attacker managed to gain full control isn't known yet.
Call said one of the most likely scenarios is a compromised password. That could be through a phishing email (an increasingly common method, which even Netflix was hit by recently) or a user's password getting out there through another breach or hack.
What's the motive?
In its afternoon update, Explore Minnesota promised to get back to posting the usual travel information soon, adding: "We thank our loyal 226,000+ Facebook fans for their patience and understanding today."
Those followers could be one of the keys to understanding a motive.
Nothing has been officially determined at this point, but Call said there are some early indicators – based on his experience – that the point of the takeover was to drive clicks to a specific site, an increasingly common strategy. In this case, newsprovidr.com.
Explore Minnesota has a lot of Facebook followers, and if an attacker can direct some of that built-in user base to a website that runs advertisements, they can make a quick buck as the page views pile up, he explained.
And those types of popular accounts are "always going to be highly targeted, because it's the fastest way to get any garbage you're trying to disseminate out," he added.
In addition, Call said the samples MNIT looked at haven't "turned up anything that contains malware" – but that isn't a definite, and a site that looks to be mainly a click-driver could have other aims as well that aren't immediately obvious.
There also hasn't been any sign the attack was wider in scope than the single Facebook page. Nor does it bear a resemblance to previous attacks, such as the politically-motivated MSU Moorhead breach.
"Until we’ve unraveled a little bit more, if we can ever get attribution to who did it, we might know more," he said. "But again, just playing off of professional experience and odds, this is most likely just a non-targeted opportunistic attack."
Read the original story from Monday morning below.
Hackers take control of Explore Minnesota's Facebook account
– Hackers turned Explore Minnesota's Facebook page into a spam-flinging account Monday morning, posting six obviously tabloid-y stories in less than 45 minutes.
– The first spam post went up at 11:45 a.m.
– In the following 90 minutes or so, the page had posted 11 additional links to fake stories.
– On Twitter, Explore Minnesota said it was "looking into the matter." But spokesperson Alyssa Hayes told GoMN that whoever got into the Facebook account took full control, and is blocking employees from getting back into the Explore Minnesota Facebook page.
The Big Picture
While the exact nature of the issue hasn't been confirmed, Hayes told GoMN it appears to be a "hack/cyberattack." Explore Minnesota's social team is working directly with Facebook to sort it out, she said.
The spam posts appear to direct users to newsprovidr.com, a site that features clicky spam garbage. Hayes said anyone who comes across the posts should not click the links, and suggested they can also report the post as spam to Facebook.
Explore Minnesota's Twitter account and website appear as normal, and Hayes said the intrusion (at this point) appears limited to just the Facebook page.
MNIT is the state agency in charge of every tech-related need for thousands of state computers and servers. (We've reached out to them for comment but haven't heard back yet.)
There have been a few recent high-profile attempts, including a computer breach at a popular state park in September, and an attack on Minnesota government and MSU Moorhead servers that pilfered email addresses, encrypted passwords, and user IDs.
MNIT this year asked lawmakers for significantly more funding to make upgrades, including replacing outdated computers and making sure systems are monitored 24/7.