Twitter accounts of prominent US personalities have been compromised on Wednesday, according to reports.
High profile accounts including those belonging to Barack Obama, Joe Biden, Jeff Bezos and Elon musk among others, were the targets of a hack offering fake bitcoin deals.
The compromised accounts have all posted similar messages on Twitter, which asks people to send bitcoins and then promised to double all payments to a Bitcoin address for the next 30 minutes.
According to Twitter, employees with access to its internal systems had been successfully compromised by hackers. The company then said that the hackers “used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf.”
Twitter then took extraordinary steps to mitigate the impact of the attack by stopping many verified accounts marked with blue ticks from publishing tweets altogether.
Password reset requests for these accounts have also been denied and some other “account functions” disabled.
The social media giant’s chief executive Jack Dorsey earlier said that they are diagnosing the problem and have pledged to share everything they can once they have a more complete understanding of exactly what happened.
Tough day for us at Twitter. We all feel terrible this happened.
We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened.
💙 to our teammates working hard to make this right.
— jack (@jack) July 16, 2020
Cybersecurity experts have shared some insights into this high profile cybersecurity incident and have offered top advice on how end-users can avoid falling victim to such attacks. Here’s what they have to say…
Morey Haber, CTO & CISO, BeyondTrust
The attack on Twitter verified accounts, used a classic spear fishing attack technique to allow threat actors into the Twitter environment and access to specialized administrative tools that have unrestricted access to accounts. While the attack itself is not special, nor some elaborate zero day threat, the ramifications of personnel within Twitter having such tools and access to high profile accounts is a serious concern. Consider the following:
- How did Twitter secure a tool that has unencrypted access to high profile accounts?
- Why does such a tool exist that allows postings by a third-party to a verified account?
- What other access did the threat actors have to the high-profile accounts, including their profile, account information, and even direct messages?
- Why didn’t their security solutions detect third-party access to verified accounts by an internal resource?
- With the announcement of Twitter allowing users to work from home, how are they going to safeguard these tools from future remote access attacks?
- Was the phishing attack on the user using single factor or multi factor authentication?
- Does the tool only work in the Twitter environment, or were the threat actors able to exfiltrate it for a future attacks and reserve engineer its operations?
- What authentication and authorisation model is applied to the tool in question?
- What steps and processes are being implemented to prevent this type of attack in the future?
These are just a few questions that will need to be answered in the next few weeks and Twitter will need to respond appropriately in order to safeguard their users, data, and ensure the integrity of their platform.
Sam Curry, Chief Security Officer, Cybereason
Twitter is garnering headlines today, but they aren’t the first and won’t be the last social media platform to suffer a breach. Today, many brands and people are immune to embarrassment around cyber: it’s a teflon effect. In this case, the celebrities and figure heads’ reputations and brand strength are being abused; but they aren’t exhibiting arrogance, over confidence and most importantly don’t appear to have done anything wrong.
Unless this Twitter attack is the first punch in a one-two punch sequence, this is likely to fade away from the headlines pretty quickly. The real question is the damage to trust for Twitter and whether that will stick and also the real motivation of those behind the incident: do they have an agenda and if so, what will the second punch look like?
In the case of Twitter, the key will be to be perceived as a hero and not a villain. Companies can’t be victims, and the way to emerge a hero is to be transparent, to be consistent, to demonstrate improvements, to lean into doing the right thing and protecting users and customers. While there are no guarantees, this is the formula even in the case of an Achilles Heel type of exploit or vulnerability. Intelligent and motivated opponents and insiders pop up in places that are neither expected nor predictable; but the contingencies to contain their damage, reducing the likelihood of incidents, ensuring lessons learned rather than merely observed and being ready with the right business processes and reflexes are the name of the game.
Francis Gaffney, Director of Threat Intelligence and Response, Mimecast
Based upon Twitter’s response, it would appear this was the result of a so-called social engineering attack. Social engineering attacks are usually quite sophisticated, and can involve substantial pattern-of-life analysis, including research of the target to craft specific bespoke lures, such as websites and tailored emails – referred to as pattern-of-life-analysis. The threat actor studies the target’s online presence, including their use of social media, to identify social and family networks, favourite restaurants, hobbies, sporting or musical interests. The majority of these attacks are carried out for financial gain, as is the case with this one.
Human error is required for these attacks to be successful, which highlights the importance of regular cyber awareness training to increase employees’ knowledge about such methodologies used by threat actors. Our State of Email Security report found only 34% of organisations in the UAE provide awareness training on an ongoing basis, leaving businesses increasingly vulnerable. At the same time, appropriately managed access controls for administrative or supervisory accounts can assist in preventing the escalation of privileges, or abuse of permissions, that this particular attack relied upon. These need to change to prevent further successful attacks such as this one, that can have massive reputational damage for any company.
Benjamin Carr, CISO, Qualys
The account hijackings on Twitter have raised questions of how it could have happened to the popular social media platform and who the actual target might have been. As a result, many users of social media platforms are wondering if their own accounts are safe.
The initial information would seem to indicate that the compromise was based on a hacker using social engineering to gain access to internal systems through an employees’ account. The hacker then used this account to access an admin tool within the Twitter system that allowed him to take control of the user accounts and lock them out from accessing or modifying their own accounts.
While the initial activity was limited to selling vanity accounts, it quickly migrated into a scam to obtain bitcoin from followers of high profile accounts, by asking those followers to pay $1000 for $2000 in return — as always, if it seems too good to be true, it always is. Within a few hours over $100,000 had been generated by followers who fell prey to the scam.
We know what happened but to answer how this could happen will likely take some time before details can be confirmed. What we do know is that far too few organizations are still operating critical systems and access to those systems without Multifactor Authentication (MFA) in place. At the same time, these organizations aren’t taking basic hygiene seriously and patching systems that are known to be vulnerable. If the initial reports ae true, then we also know that Twitter has the capability and tooling to allow employees to take ownership of accounts and issue tweets on their behalf.
This may be one of the most concerning revelations to come to light. Why would Twitter maintain the ability for employees to control users accounts and has anyone internally used this ability before. While the hack was very public, if the true intention of the hacker was actually targeted at the celebrity accounts then it would not have been done so publicly and would have happened in a way to cause more damage. This was a quick digital smash and grab, an attempt to generate money, but it could have been far worse.
Social media platforms have an elevated responsibility to ensure the security of the system to protect the integrity of the discourse. Its incumbent on all of us to realize if it is too good to be true, it probably is.
Paul Ducklin, principal research scientist, Sophos
Many prominent, verified Twitter accounts have been tweeting out cryptocoin scams, with fake tweets reported from an eclectic range of high-profile people and companies, apparently including Joe Biden, Elon Musk, Barack Obama, Bill Gates, Apple and many others.
The scam tweets reportedly included catchy – if highly unlikely – messages such as “Feeling greatful [note spelling blunder], doubling all payments made to my Bitcoin address,” urging people to pay out $1000 and get $2000 back.
Of course, it’s all a pack of lies – after all, if someone already had $1000 to gift you, why wouldn’t they just send it to you, instead of making you pay in $1000 first and then giving you your money back plus another $1000?
Nevertheless, these tweets really did come from verified accounts, so you can see why people might fall for this – it’s not like receiving an email that is signed off “Elon Musk” if the tweet genuinely seems to have come from his account.
Twitter has taken the unusual but understandable step of closing down parts of its service while it investigates, and its own support account has just tweeted to say that the company is “continuing to limit the ability to Tweet, reset your password, and some other account functionalities while we look into this:
Until we know exactly how these scam tweets were sent, it’s difficult to suggest what actions you might take, particularly given that access to services such as password changes (and presumably also changing details such as two-factor authnetication numbers) is being restricted.
However, these scammers will only succeed if people fall for their unlikely messages – which rely on people suspending their disbelief simply because the tweet comes from a celebrity or someone they are inclined to trust.
What you need to know
So, you can nevertheless protect yourself by following these three simple steps:
- If a message sounds too good to be true, it IS too good to be true.If Musk, Gates, Apple, Biden or any well-known person or company wanted to hand out huge amounts of money on a whim, they wouldn’t demand that you hand them money first. That’s not a gift, it’s a trick, and it’s an obvious sign that the person’s account has been hacked. If in doubt, leave it out!
- Cryptocurrency transactions don’t have the legal protections that you get with banks or payment card companies.There is no fraud reporting service or transaction cancellation in the world of cryptocurrency. Sending someone cryptocoins is like handing over banknotes to in an envelope – if they go to a crook, you will never see them again. If in doubt, don’t send it out!
- Look out for any and all signs that a message might not be real.Crooks don’t have to make spelling mistakes or get important details wrong, but often they do, like the word “greatful” in the example above. So, if the crooks do make a blunder, such as writing 50$ when in your country the currency sign comes first, making a mess of their own phone number, or using clumsy or unnatural language, don’t let them get away with it. Treat it with doubt unless everything checks out!
Satnam Narang, Staff Research Engineer, Tenable
Several notable Twitter accounts in the cryptocurrency space have seemingly been hacked in a mass coordinated attack, including exchanges like @Coinbase, @Binance, @Gemini, @KuCoin, @Bitfinex, CEOs and founders like @CZ_Binance, @JustinSunTron, @SatoshiLite, cryptocurrency accounts like @TronFoundation, to promote a COVID-19 cryptocurrency giveaway scam.
The accounts tweeted that they “partnered with” a company called CryptoForHealth. The domain for this website was registered on July 15. The website itself claims that, to help with the hard times endured by COVID-19, they’re partnering with several exchanges to provide a “5000 Bitcoin (BTC) giveaway” which is a ruse for advanced free fraud.
In separate but related attacks, the verified accounts of Bill Gates, Elon Musk and Uber were also compromised to promote a cryptocurrency giveaway. Their tweets used the same Bitcoin address we observed on the CryptoForHealth site, indicating that this is likely a coordinated attack.
The hackers ask users to send anywhere between 0.1 BTC to 20 BTC to a designated Bitcoin address and that they’ll double victims’ money. This is a common scam that has persisted for a few years now, where scammers will impersonate notable cryptocurrency figures or individuals. What makes this incident most notable, however, is that the scammers have managed to compromise the legitimate, notable Twitter accounts to launch their scams. Because the tweets originated from these verified accounts, the chances of users placing their trust in the CryptoForHealth website or the purported Bitcoin address is even greater. This is a fast moving target and so far over $50,000 has been received by the Bitcoin address featured on the CryptoForHealth website and in Elon and Bill Gates’ tweets. We strongly advise users never to participate in so-called giveaways or opportunities that claim to double your cryptocurrency because they’re almost always guaranteed to be a scam.
Battista Cagnoni, Senior Consultant, Advisory Services – Vectra
Rogue insider or duped employee aside the illegitimate use of administration tools by legitimate users is challenging to detect, which is why privileged access remains a critical attack vector in so many breaches. This high-profile attack on one of the world’s largest social media platforms looks to have limited success in terms of financial gain, but for obvious reasons, has significant impact in terms of visibility and the potential to damage brand reputation. Over the next few hours and days, incident responders will be working hard to scope out the totality of the compromise and looking for any evidence of remote orchestration in case the attackers have been able to penetrate and gain persistence inside Twitter’s systems.