Twitter accounts belonging to some very public figures in the United States have been compromised by hackers promoting a bitcoin scam.
The compromise drew an immediate apology from Twitter CEO Jack Dorsey, and what will worry the firm is that it was a “co-ordinated” attack that targeted Twitter staff “with access to internal systems and tools”. It forced the platform to briefly suspend the accounts of well-known people.
Twitter has been compromised before. In 2013, for example, Twitter confirmed its systems had been hacked, resulting in the compromise of 250,000 user logins.
The hackers gained control of high profile accounts for a bitcoin scam that requested donations in the cryptocurrency.
“Everyone is asking me to give back,” the tweet from compromised accounts said. “You send $1,000, I send you back $2,000.”
So whose accounts were compromised? From the tech industry, Elon Musk, Jeff Bezos and Bill Gates, as well as the corporate accounts of Apple and Uber, were among the many prominent US accounts targeted.
Other compromised accounts included Kim Kardashian, Kanye West, Barack Obama, Joe Biden, and Mike Bloomberg.
“Tough day for us at Twitter,” tweeted CEO Dorsey. “We all feel terrible this happened. We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened.”
Twitter Support posted a thread that offered a little more information.
“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” it said.
“We know they (the hackers) used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf,” Twitter added. “We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.”
“Once we became aware of the incident, we immediately locked down the affected accounts and removed Tweets posted by the attackers,” it said. “We also limited functionality for a much larger group of accounts, like all verified accounts (even those with no evidence of being compromised), while we continue to fully investigate this.”
Twitter also said that it has taken “significant steps to limit access to internal systems and tools while our investigation is ongoing.”
The compromise of internal systems at Twitter has led to warnings from security experts around the world.
“This appears to be the biggest hack involving a social media platform yet, and it was carried out with good old fashioned social engineering at the heart of it,” said Jake Moore, cybersecurity specialist at ESET.
“Rather than going for the account holders themselves, the hackers went for the source and decided to hijack a number of Twitter employees who are granted unprecedented access into any account they choose,” said Moore.
“Acting like a help desk, these employee accounts were enabled to use a specific admin tool and do whatever they wanted, which is likely to be a problem for many businesses,” he added. “Some organisations lend an incredible amount of trust to certain employees. However, although they may be trusted to not compromise an account themselves, it must be taken into consideration that the employees could be targeted by criminal hackers.”
“This appears to be a huge combination of unfortunate errors involving targeted employees,” said Moore. “Working from home is also likely to have added a further strain, as it can make social engineering attacks much easier to fall for when there is not a local soundboard sitting next to you.”
“Although changing account passwords would be a good idea, it wouldn’t have been enough to stop this hack,” he concluded. “Make sure you check your email address is still the one connected to your account. The real awareness, however, lies in educating Twitter users to use caution. When a message like this seems too good to be true, it probably is, regardless of who has posted it. Bitcoin doubling schemes are synonymous with the criminal fraternity and must be avoided and reported where possible.”
This warning that staff are more exposed to manipulation during the Coronavirus pandemic was echoed by another security expert.
“The biggest and most technically adept companies in the world continue to become victims of these types of attacks for one reason – a lack of awareness among employees, enabling hackers to access infrastructure by preying on human vulnerabilities,” said Stuart Reed, UK director at Orange Cyberdefense.
“Since the outbreak of Covid-19 we have seen numerous examples of hackers capitalising on the crisis by using social engineering attacks to trick their way into corporate systems,” said Reed. “The fact that so many employees have been working from home has increased the risk of social engineering – an increased dependence on ‘virtual’ communications like email, video conferencing and calls, renders users more vulnerable to social engineering attacks.”
“Technical countermeasures against phishing attempts and detecting malicious activities today are much more robust than they have been in the past,” said Reed. “The human, on the other hand, is more complex and hard to predict in certain scenarios while easy to manipulate in others. Security awareness educates employees about manipulative techniques that might be used against them and also highlights the benefits of adapting their information security behaviour. Building resilience towards social engineering attacks provides a significant line of defense.”
Another expert also weighed in on the social engineering angle of this attack.
“After initially looking like successful social engineering of some key insiders enabled this external hack, there is some talk that more ‘traditional’ methods were used to buy inside cooperation and access to the admin tool that allowed takeover of high profile accounts,” said David Higgins, EMEA technical director at CyberArk.
“Either way, it shows that hackers will always target the privileged access and rights of insiders,” said Higgins. “In some cases this is through identity takeover but it’s possible that in this case we see an example of the malicious insider at work. The clear lesson is that this demonstrates the importance of placing strong controls and monitoring over those users that have privileged access to key systems and services.”
Another security expert described the preparation behind the scam: the hackers had set up a domain for a company, “CryptoForHealth”, which claimed to be helping those struggling financially during the Coronavirus pandemic.
“The accounts tweeted that they ‘partnered with’ a company called CryptoForHealth,” said Satnam Narang, staff research engineer at Tenable. “The domain for this website was registered on July 15. The website itself claims that, to help with the hard times endured by Covid-19, they’re partnering with several exchanges to provide a ‘5000 Bitcoin (BTC) giveaway’ which is a ruse for advance fee fraud.”
“In separate but related attacks, the verified accounts of Bill Gates, Elon Musk and Uber were also compromised to promote a cryptocurrency giveaway,” said Narang. “Their tweets used the same Bitcoin address we observed on the CryptoForHealth site, indicating that this is likely a coordinated attack.”
“The hackers ask users to send anywhere between 0.1 BTC and 20 BTC to a designated Bitcoin address and that they’ll double victims’ money,” said Narang. “This is a common scam that has persisted for a few years now, where scammers will impersonate notable cryptocurrency figures or individuals. What makes this incident most notable, however, is that the scammers have managed to compromise the legitimate, notable Twitter accounts to launch their scams.”
Another expert warned that although this started with a social engineering attack, the hackers seem to have done their homework on how Twitter’s internal systems worked.
“Although this incident started with a social engineering attack, this is just the beginning,” cautioned Ed Bishop, CTO at Tessian. “Once someone’s account has been compromised, an attacker will often launch a horizontal attack within the organisation to compromise more internal accounts, until they reach the account with the permissions they need.
“The attacker must have either known Twitter’s systems, or spent time poking around, to learn how to backdoor into people’s accounts and tweet on their behalf,” said Bishop.
“Twitter’s description of the attack highlights the need to protect people within an organisation at all costs,” said Bishop. “Social engineering attacks – often a spear phishing email that impersonates a trusted party – are designed to trick or persuade an employee to visit a fraudulent website that then steals credentials, or installs malware. This incident also shows the importance of limiting permissions for administrators.”
Another expert noted that the hackers understood human nature and set out to exploit it.
“While the origins and scope of this pervasive attack are under investigation, the coordinated Bitcoin giveaway scam itself was designed to convince millions of Twitter followers to believe the fraudulent tweets, click the link, and pay Bitcoin,” noted Loïc Guézo, senior director of cybersecurity strategy at Proofpoint.
“People are still a main focus for threat actors, even in scenarios where a system is possibly compromised,” said Guézo. “The social engineering featured in this scam demonstrates that the attackers targeted Twitter employees with access to internal tools and preyed on the trust associated with verified accounts and the attraction of doubling your money.”
“To make the scam seem more authentic, they even set a time limit and an easy payment option to drive a swift response,” said Guézo. “Threat actors understand human nature and are unrelentingly focused on taking advantage of our society’s trust in digital channels.”
Another expert noted that responsibility for this hack rested with Twitter itself, not with the users whose accounts were hijacked, but he still offered some salient advice for Twitter users going forward.
“This was the biggest security breach in Twitter’s history, but ordinary users were not affected by it at all – unless they fell for the scams posted by the hacked celebrities,” said Mikko Hyppönen, chief research officer at F-Secure.
“The way this hack was done also means that there’s nothing any users could have done to prevent it from happening,” said Hyppönen. “Regardless, it’s always a good idea to lock down our accounts: use strong, unique passwords via a password manager; enable two-factor authentication; use a unique email address for important accounts.”
“And remember to monitor your account for weird activity,” said Hyppönen. “You should pay attention especially if you get an email about unusual access, attempts to change your email address or disable two-factor authentication, or just if you see repeated failed logins.”
“In the end, this could have been much worse,” said Hyppönen. “Twitter is big and important people have large amounts of followers there – but even Snapchat and Reddit have more users than Twitter. The real gorillas in social media are Instagram, YouTube and Facebook.”
“And the attack could have done far worse things than try to scam Bitcoins out of people; the attackers had access to everything,” concluded Hyppönen. “They could have done anything on Twitter. They could have started tweeting weird things in the names of the US Presidential candidates during the voting this November, for example.”
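The controls Higgins and Bishop call for (monitoring of staff with privileged access to account tools) and the account-level warning signs Hyppönen lists (recovery email changed, two-factor authentication disabled) can both be expressed as detection logic over an admin-tool audit log. The following Python sketch is an added example, written for this article; it is not Twitter’s own tooling and Twitter has not published its admin-tool schema. The log format, the field names, the staff and account identifiers and every event line below are constructed for the example. It flags any support user who performs sensitive recovery changes on several distinct verified accounts inside a short window, and separately lists accounts that saw the email-change-then-2FA-disable sequence.

```python
"""Added example: detect the account-takeover pattern in a constructed
support-tool audit log. Not Twitter's code; schema and data are invented."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines (hypothetical schema):
#   <ISO timestamp> <support user> <action> <target account> verified=<0|1>
SAMPLE_AUDIT_LOG = """\
2020-07-15T20:01:12Z staff_a change_email @example_verified_1 verified=1
2020-07-15T20:02:40Z staff_a disable_2fa  @example_verified_1 verified=1
2020-07-15T20:03:05Z staff_a change_email @example_verified_2 verified=1
2020-07-15T20:03:50Z staff_a disable_2fa  @example_verified_2 verified=1
2020-07-15T20:04:30Z staff_a change_email @example_verified_3 verified=1
2020-07-15T20:05:10Z staff_a disable_2fa  @example_verified_3 verified=1
2020-07-15T14:10:00Z staff_b view_profile @ordinary_user_1    verified=0
2020-07-15T14:11:00Z staff_b change_email @ordinary_user_1    verified=0
2020-07-15T16:30:00Z staff_c change_email @example_verified_9 verified=1
"""

# Actions that change who can recover or log in to an account.
SENSITIVE_ACTIONS = {"change_email", "disable_2fa"}


def parse_line(line):
    """Split one constructed audit line into a dict with a parsed timestamp."""
    ts, user, action, target, flag = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "action": action,
        "target": target,
        "verified": flag == "verified=1",
    }


def parse_log(log_text):
    """Parse all non-empty lines, oldest first."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious_staff(log_text, window=timedelta(minutes=10), min_accounts=2):
    """Privileged-user monitoring: return {support_user: [verified accounts]}
    for staff whose sensitive actions touched >= min_accounts distinct
    verified accounts within any sliding window of the given length."""
    per_user = defaultdict(list)
    for e in parse_log(log_text):
        if e["action"] in SENSITIVE_ACTIONS and e["verified"]:
            per_user[e["user"]].append(e)
    flagged = {}
    for user, evs in per_user.items():
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            targets = {e["target"] for e in in_window}
            if len(targets) >= min_accounts:
                flagged[user] = sorted(targets)
                break
    return flagged


def accounts_with_takeover_sequence(log_text):
    """Account-level indicator: accounts where the recovery email was changed
    and two-factor authentication was then disabled, in that order."""
    email_changed = set()
    hits = []
    for e in parse_log(log_text):
        if e["action"] == "change_email":
            email_changed.add(e["target"])
        elif e["action"] == "disable_2fa" and e["target"] in email_changed:
            if e["target"] not in hits:
                hits.append(e["target"])
    return hits


if __name__ == "__main__":
    print("staff to review:", find_suspicious_staff(SAMPLE_AUDIT_LOG))
    print("accounts with takeover sequence:",
          accounts_with_takeover_sequence(SAMPLE_AUDIT_LOG))
```

Run against the constructed log, the first check flags only `staff_a` (three verified accounts in under ten minutes); `staff_b` touched an unverified account and `staff_c` a single one. The second check lists the three accounts that saw an email change followed by 2FA being disabled. In a real deployment the window and threshold would be tuned to the help desk’s normal volume, and a hit would page a reviewer rather than silently log.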