Twitter Hackers Targeted Employees With Phone PhishingSocial Media Firm Says Fraudsters Executed Their Cryptocurrency Scam Within a Day
See update on three charged in connection with this hacking incident.
The hackers who hijacked 130 high-profile Twitter accounts as part of a cryptocurrency scam earlier this month used a telephone-based spear-phishing attack to obtain employee credentials, the social media company says.
On July 15, the attackers moved quickly, using phone-based phishing as the first step toward gaining access to the Twitter credentials needed to take over the accounts and posting their scam messages, Twitter says in a Thursday blog.
The attack on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.— Twitter Support (@TwitterSupport) July 31, 2020
"It is more difficult to spot a phishing attempt on a mobile phone due to the smaller screen, the inability to see the full URL in the mobile browser, and lack of awareness on how to safely preview where a link is sending you before you tap it," says Hank Schless, senior manager of security solutions at mobile security firm Lookout.
The hackers used a multistep process, working their way through levels of employees to obtain the logins to Twitter's internal network and then grabbing the admin-level credentials needed for accessing the internal support tools available to only a few employees, the company notes in its new report.
"Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes," according to Twitter.
The malicious actors used these credentials to take over 130 accounts, and then they tweeted from 45 of them. The hackers also accessed the direct message inboxes of 36 accounts and downloaded the Twitter data of seven, the company says.
Among the commandeered accounts were those of Microsoft founder Bill Gates, entrepreneur Elon Musk, Dutch lawmaker Geert Wilders and presumptive Democratic presidential nominee Joe Biden. The attackers used these accounts to conduct a brazen campaign designed to solicit money from the account holder's unwary followers (see: Several Prominent Twitter Accounts Hijacked in Cryptocurrency Scam).
About 360 people fell for the cryptocurrency scam and sent a total of more than $120,000 to the hackers, according to news media reports.
Too Much Access?
Twitter says it’s considering making the tools and levels of access required to gain access to accounts even more sophisticated to help prevent other hacker attacks. The social media giant notes that its worldwide teams need this level of access to provide support and review content.
Charles Ragland, security engineer at Digital Shadows, tells Information Security Media Group that workers must be trained to be suspicious of emails or phone calls that they aren't expecting, and a company must have easy-to-follow policies in place to report incidents so that these can be appropriately investigated.
"While Twitter states that these tools are heavily audited and restricted for specific use cases, it goes to show that technical controls can't stop everything," Ragland says. "Human vulnerability will always be a weak spot in any risk mitigation strategy. Implementing a culture of security awareness in the workplace can help reduce these risks."