How it happened; what to do to protect yourself
July 17 2020: In an audacious cyber attack two days ago, on the most prominent names in US business and entertainment, hackers broke into their Twitter accounts and sent out fake messages in their name which all said: send money to bitcoin and we will send you double the amount.
Many prominent, verified Twitter accounts have been tweeting out cryptocoin scams, with fake tweets reported from an eclectic range of high-profile people and companies, apparently including Joe Biden, Elon Musk, Barack Obama, Bill Gates, Apple and many others. The scam tweets reportedly included catchy – if highly unlikely – messages such as “Feeling greatful [note spelling blunder], doubling all payments made to my Bitcoin address,” urging people to pay out $1000 and get $2000 back.
These tweets really did come from verified accounts, so many people fell for this – it’s not like receiving an email that is signed off “Elon Musk” if the tweet genuinely seems to have come from his account. Although the attack was short-lived and Twitter quickly locked down and recovered any affected accounts, a look at the bitcoin wallet address shows that the attackers still managed to get away with 12.85BTC, nearly $120,000, and were already transferring the money to further Bitcoin accounts to cash out.
CheckPoint Research suggests:
There are a few methods by which such an attack could have occurred.Twitter announced social engineering techniques were used to gain access to their internal systems. Such a compromise via social engineering attack could have started by using several possible infection vectors. One common possibility is spear-phishing email attack, either delivering an attached malware or a link to a phishing page. In both cases it is often accompanied with some kind of social engineering in order to motivate the user into executing the attached payload, or to enter his credentials into a fraudulent phishing page.A possible attack vector that also corresponds with the previous explanations is voice phishing or Vishing. This is a social engineering tactic of phishing calls to employees in order to gain trust, harvest details and deceive them to take actions. Over the last few months, more and more organizations have reported that their employees were targets of such Vishing calls.
Motherboard offers another potential scenario, in which the attackers had internal cooperation with Twitter employees they paid to change the e-mail addresses behind the targeted accounts using a Twitter internal tool.
This is not the first time the privacy of users in the social platform was impacted by its employees, nor the first time that Twitter employees were responsible for sensitive data disclosure.
The account of Twitter's own CEO Jack Dorsey was compromised a few months ago after his phone number was taken over in a SIM swapping attack. Last year, two employees were accused of abusing their access to internal Twitter resources and helping Saudi Arabia spy on dissidents living abroad.
Lotem Finkelstein, Head of Threat Intelligence, Check Point Software Technologies concludes: Although Twitter has not yet shared the full details of this incident, we can see that different root causes in previous cases have led to similar results. Whether it is disgruntled employees or tailored social engineering attacks, the true problem is the difficulty in limiting access to internal assets and preventing them from becoming a single point of failure.This time, however, it seems that Twitter is taking action to prevent such incidents from occurring again in the future, by making tools such as the one presumably used in this attack less accessible.
If anything, Twitter's compromise shows that in today’s world of increasing data loss events, organizations have little choice but to take action to protect sensitive data. Confidential employee and customer data, legal documents, and intellectual property are being exposed to unwanted parties on a daily basis.
Twitter has taken the unusual but understandable step of closing down parts of its service while it investigates, and its own support account has just tweeted to say that the company is “continuing to limit the ability to Tweet, reset your password, and some other account functionalities while we look into this
Paul Ducklin, Principal Research Scientist at Sophos suggests three simple steps to protect yourself from such attacks:
If a message sounds too good to be true, it IS too good to be true. If Musk, Gates, Apple, Biden or any well-known person or company wanted to hand out huge amounts of money on a whim, they wouldn’t demand that you hand them money first. That’s not a gift, it’s a trick, and it’s an obvious sign that the person’s account has been hacked. If in doubt, leave it out!
Cryptocurrency transactions don’t have the legal protections that you get with banks or payment card companies. There is no fraud reporting service or transaction cancellation in the world of cryptocurrency. Sending someone cryptocoins is like handing over banknotes to in an envelope – if they go to a crook, you will never see them again. If in doubt, don’t send it out!
Look out for any and all signs that a message might not be real. Crooks don’t have to make spelling mistakes or get important details wrong, but often they do, like the word “greatful” in the example above. So if the crooks do make a blunder, such as writing 50$ when in your country the currency sign comes first, making a mess of their own phone number, or using clumsy or unnatural language, don’t let them get away with it. Treat it with doubt unless everything checks out!
More industry comments:
Michael Borohovski, Director of Software Engineering at Synopsys Software Integrity Group: Given that numerous high-profile Twitter accounts were compromised as part of this attack -- accounts that would presumably be protected by multifactor authentication and strong passwords -- it is highly likely that the attackers were able to hack into the back end or service layer of the Twitter application. Indeed, some of the accounts (Tyler Winklevoss, for example) have confirmed they were using multi-factor authentication and got hacked anyway. If the hackers do have access to the backend of Twitter, or direct database access, there is nothing potentially stopping them from pilfering data in addition to using this tweet-scam as a distraction, albeit a very profitable one. We haven't seen data on this, and won't until a post-mortem is released by Twitter, but it's a possibility.
Tim Mackey, Principal Security Strategist at the Synopsys Cybersecurity Centre (CyRC): The Twitter hack demonstrated the real risks when employees have the ability to impersonate users. In this case, Twitter has disclosed that their hack originated with a social engineering attack targeting key employees with administrative access to the tweet streams of verified users. Given the importance some place on the tweets of celebrities and elected officials, we’re lucky that the attackers chose to demonstrate their abilities by soliciting Bitcoin. In effect, the reality that attackers define the rules of their attacks oddly worked in societies‘ favour. For those businesses who believe they have fully fleshed out threat models for attacks, I would recommend using this Twitter hack as a template to validate whether your models are complete. For Twitter users who are contemplating how best to manage their account, it’s best to wait for the Twitter team to disclose when they are confident the attackers haven’t left any rogue software behind.
Nischal Shetty, CEO & Founder, WazirX:Even though Twitter accounts have been hijacked in the past, today’s attack happened at an unprecedented scale. It was a sophisticated and coordinated social engineering attack performed on Twitter employees with administrative access to internal dashboards.Bitcoin’s decentralised nature, there’s no central server, and everything is pretty transparent. Security is the fundamental concept behind Bitcoin, and this make it incredibly hard to hack Bitcoin blockchain. The argument of blaming Bitcoin is flawed because all transactions are publicly available on the blockchain. Now, everyone in the world knows the wallet address of the hackers. The community has united to block the address of the bad actors. If they move the BTC from one wallet to another, everyone would know. Moreover, as soon as they try to cash out of it, they are going to be in big trouble. The reason the scammers were able to collect a huge funds from users is because of greed for free money. This is a good time for the community to learn from this incident and be more cautious.
Vineet Kumar, Founder, Cyberpeace Foundation: It was a coordinated social engineering attack which targeted certain employees and internal systems at Twitter. The main objective as I see was to run a cryptocurrency scam rather than defame the verified profiles. From what I understand such similar scams are running across Youtube as well where scammers try to get people to buy cryptocurrency. What is worrying is that verified public accounts often have the highest levels of security-enabled but despite that this happened. I recommend that every user should have 2-factor authentication enabled for all social media and other accounts. The biggest challenge with social engineering scams is that their messaging seems very realist and from genuine accounts. This is why, before engaging in financial activity or sharing personal information, a user must directly speak to the person involved through a trusted channel.
Cryptocurrency is also a challenge since it becomes very difficult for law enforcement authorities to track down perpetrators. The hackers were apparently using an alias hence their real identity is unknown. This is a big cybersecurity breach and we can expect more such incidents across other platforms especially as people spend more time indoors and companies have work from home policies hence their IT infrastructure may be less guarded and vulnerable to such attacks.This breach is a classic example of the fact that even if the overall IT infrastructure is secure, data can be breached.
Dmitry Bestuzhev, Cybersecurity expert at Kaspersky: This major scam flags the fact that we are living in the era when even people with computer skills might be lured into a scammers trap, and even the most secure accounts can be hacked. To our estimates, within just two hours at least 367 users have transferred around 120,000 dollars in total to attackers. Cybersecurity is undoubtedly one of the top priorities of all major social media platforms, and they put efforts in preventing many attacks every day. However, neither website or software is entirely immune to bugs, nor is the human factor immune to mistakes. Therefore any native platforms might be compromised. Today we see how, along with new attack vectors, scams combine old and effective techniques, to use a surprise element and gain people’s trust to facilitate the attack and lure victims into a trap. For instance, it might be a mixture of supply chain attacks with social engineering. In addition, the threat actors might gain access to the victim's account in other ways: for instance, it can be penetrating a third-party app with access to the user’s profile, or users password might be brute-forced.