Twitter faced a ‘tough day’ after verified users found themselves embroiled in a Bitcoin scam – all thanks to a disgruntled employee. Do you know how to protect your organisation from such an insider threat?
If you saw something suspicious on your Twitter timeline recently, you won’t have been the only one; chances are, an account you follow was compromised. In an unprecedented attack, sophisticated cybercriminals seized control of several high-profile accounts – yes, that means your favourite celebrities, politicians, and household brands found themselves being hijacked. The mission? To lure users into a Bitcoin scam.
Already being referred to as “the great Twitter hack” due to its huge scale, hackers gained access to the inner workings of Twitter, and used this access to hijack the accounts of public figures and established companies, taking advantage of the social authority and reach available. Each account would then tweet out something akin to the following:
Twitter initially struggled to contain the incident for two hours, but did confirm the attack via its support page. The social media giant took direct action by preventing verified accounts from tweeting at all, resulting in considerable backlash from confused users. Twitter has since lifted this ban, and is working to get things back to normal ASAP, but this incident has definitely called Twitter’s security practices into question.
Unfortunately, many users fell for this scam and lost an eye-watering $115,000 in total to these cybercriminals. Coinbase, a popular Bitcoin exchange, has since blocked users from sending money to the Bitcoin address that these hackers were using, but by then the money had already been pocketed. Twitter CEO Jack Dorsey tweeted yesterday evening that it had been “a tough day.”
How Did They Do it?
While it was initially assumed that hackers found their way into Twitter via a targeted social engineering attack on the company’s employees, it’s since been revealed that the hackers had paid off a Twitter employee who willingly gave them access to the tech giant’s internal tools.
While Twitter has yet to elaborate on what tools were accessed to facilitate the attack, reports suggest a disgruntled Twitter employee agreed to change the email addresses of several popular accounts, paving the way for unbridled access. Meanwhile, underground hacking circles are seemingly backing these claims with screenshots demonstrating the transaction.
What Are Malicious Insiders?
Malicious insiders (AKA Internal Threats) can be current or former employees, contractors, or any kind of business associates who have legitimate access to your organisation’s systems and data, and who use this power for malicious purposes.
These nefarious parties use the access they are given to steal, destroy, or sabotage data and systems. In this instance, the malicious insider collaborated with hackers to cause serious reputational damage to their employer and several public figures, as well as take money from countless users via a merciless scam.
When discussing staff and cybersecurity, the conversation often revolves around educating well-meaning staff so that they don’t accidentally put your data at risk by falling for phishing scams, visiting risky websites, or relying on Shadow IT. The difference with malicious insiders is that they put your data at risk on purpose. This could be down to a number of factors, including revenge, coercion, ideology, or (in this case) simply seeking financial gain.
Detecting Internal Threats
It’s not a pleasant thought, but there could be malicious insiders within your organisation right now. So how do you weed them out? Here are some things to look out for:
- Suspicious activity at unusual times
- Excessive downloading of data
- Unusual logins, especially numerous failed admin login attempts
- Repeated use/attempted use of unauthorised apps or other resources
- Unusual employee behaviour
Protecting Your Organisation from the Inside
First things first, rely on trusted managers and your own keen eye to spot suspicious employee behaviour. Thankfully, though, you won’t have to rely entirely on intuition, as there are some nifty tech solutions that can help.
A Security Information and Event Management (SIEM) solution like Microsoft Azure Sentinel can be your eyes and ears. Sentinel uses the data collected by your current cybersecurity measures to spot unusual behaviour, such as sudden user profile changes, invalid login attempts, altered or deleted objects, and other suspicious abnormalities. This empowers your team to assess disturbances and act on them quickly, stopping malicious insiders in their tracks.
Elsewhere, it’s possible to limit user access via a Privileged Access Management (PAM) solution. By ensuring that users have the minimal amount of access they need to perform their jobs, the number of users that have access to sensitive corporate information can be restricted. This also helps to narrow down the list of suspects, should the worst happen.
The final piece of the puzzle is, of course, staff satisfaction. Disgruntled employees are more likely to hold a grudge and seek revenge for any perceived grievances they’ve suffered. Promote cultural changes within your workplace, educate your employees around security issues, and ensure that HR handles any complaints sensitively. Robust security isn’t just about know-how, but also about attitudes and beliefs.
While Twitter recovers from their tough day, the unaffected can breathe a sigh of relief – although this incident will surely have rocked the social media giant to the core, there’s a lesson or two that both organisations and users can learn from Twitter’s misfortune.
For more information on how you can avoid a ‘tough day’ using Microsoft technology to protect your organisation against internal threats, please contact a member of our dedicated team.