The attackers exploited the human factor to gain access to Twitter’s internal systems and the accounts of some of the world’s most prominent figures
Twitter – still recovering from the recent brazen breach where miscreants hijacked 130 accounts belonging to prominent figures and used the handles to peddle a bitcoin scam – has now shed some light on the circumstances leading up to the incident.
In a typical spear phishing attack, a criminal masquerades as a trusted entity and sends a tailored email or instant message to a well-researched target in order to steal the victim’s sensitive information, such as login credentials or financial information, or to deliver malware.
In Twitter’s case, the incursion seems to have involved phone calls and happened in multiple phases. “Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools,” said the social media giant.
We’re sharing an update based on what we know today. We’ll provide a more detailed report on what occurred at a later date given the ongoing law enforcement investigation and after we’ve completed work to further safeguard our service. https://t.co/8mN4NYWZ3O
— Twitter Support (@TwitterSupport) July 31, 2020
The attackers then leveraged these credentials to access the tools they needed for their grand scheme – infiltrating 130 accounts, tweeting from 45, accessing the direct messages (DMs) of 36, and downloading data from seven. The company described the attack as a “significant and concerted attempt to mislead certain employees and exploit human vulnerabilities.”
Twitter went on to say that in light of the attack it has revised its security measures and severely limited access to its internal tools and systems, while it investigates the incident further. The company warned that this may lead to a curtailed user experience:
“As a result, some features (namely, accessing the Your Twitter Data download feature) and processes have been impacted. We will be slower to respond to account support needs, reported Tweets, and applications to our developer platform.”
The social media platform also announced that it is working on improving its methods concerning the prevention and detection of inappropriate access and use of its internal tools. Twitter also vowed to continue to conduct company-wide anti-phishing training exercises.
RELATED READING: Would you get hooked by a phishing scam? Test yourself
Shortly after the security breach dating back to July 15th, the hijacked account of Tesla CEO Elon Musk fired off a tweet saying “I‘m feeling generous because of Covid-19. I’ll double any BTC payment sent to my BTC address for the next hour. Good luck, and stay safe out there!”
A spate of similar tweets followed from other hacked accounts, including those of Barack Obama, Joe Biden, Bill Gates and Jeff Bezos, among others. The ploy apparently worked, since one of the cryptocurrency wallets received 12.86 BTC (some US$117,000) over a short span of time.
Shortly after the incident, Motherboard, security journalist Brian Krebs, and the New York Times all published interesting accounts of what led to the breach, complete with testimonies from people allegedly involved in the scheme.