Twitter faced a ‘tough day’ after verified users found themselves embroiled in a Bitcoin scam – all thanks to a targeted social engineering attack on Twitter’s own employees.
If you saw something suspicious on your Twitter timeline recently, you won’t have been the only one; chances are, an account you follow was compromised.
In an unprecedented attack, sophisticated cybercriminals seized control of several high-profile accounts – including your favourite celebrities, politicians, and household brands – hijacking them in an effort to lure users into a Bitcoin scam.
Already being referred to as “the great Twitter hack” because of its sheer scale, the incident saw hackers gain access to Twitter’s internal tools and use that access to take control of the accounts of public figures and established companies, exploiting the social authority and reach those accounts carry. Each account then tweeted out something akin to the following:
Twitter initially struggled to contain the incident, but did eventually confirm the attack via its support page. The social media giant took direct action by preventing verified accounts from tweeting at all, resulting in considerable backlash from confused users. Twitter has since lifted this ban, and is working to get things back to normal ASAP, but this incident has definitely called Twitter’s security practices into question.
Unfortunately, many users fell for this scam and lost an eye-watering $115,000 in total to these cybercriminals. Coinbase, a popular Bitcoin exchange, has since blocked users from sending money to the Bitcoin address that these hackers were using, but by then the money had already been pocketed. Twitter CEO Jack Dorsey tweeted yesterday evening that it had been “a tough day.”
How Did They Do it?
While it was initially reported that hackers found their way into Twitter’s systems via a disgruntled employee, the tech giant later released a statement explaining that it had actually fallen victim to a targeted spear phishing attack.
Here’s a snippet from Twitter’s statement, explaining exactly what happened:
“The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools.
Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.”
What is Spear Phishing?
Spear phishing is a particular type of social engineering scam that involves sending emails to specific and well-researched targets while masquerading as a trusted sender. Under this guise, the scammer is able to mislead employees in order to gain access to internal systems, infect devices with malware, or steal sensitive corporate data.
While email spear phishing scams are quite common, an increasing threat is phone spear phishing – where scammers target an employee through their mobile device, by call or text, using social engineering techniques. Twitter was unlucky enough to fall victim to this particular type of attack, with a number of its employees being targeted via their smartphones.
Bring Your Own Danger
As mobile devices become an integral part of every employee’s personal and professional lives – especially now that so many are working from home – phishing attacks are evolving.
Many organisations are embracing the concept of the modern workplace, a big part of which is making data accessible to staff remotely. Smartphones and tablets – whether company issued or BYOD – provide employees with the flexibility they need to remain productive during these uncertain times, but the downside is that they’re a lucrative target for scammers who want to get their hands on corporate data.
With a smartphone’s smaller screen comes a simplified user experience. Users may not always be able to see an email or SMS sender’s address, or the full links that are sent to them, so how can they verify their legitimacy? Many of us tend to trust our phones implicitly, interacting with these devices with less caution compared to an office computer. As a result, users are three times more likely to click on a malicious URL on a mobile device.
Hackers are exploiting the trust we have in our devices, and that – coupled with the way mobile phones and tablets inadvertently mask some of the tell-tale signs of a phishing scam – is a recipe for disaster.
Tuning into Secure Working
As the way we work changes and hackers become more sophisticated, robust security solutions have arisen to protect organisations across all potential attack surfaces, including mobile devices.
To keep smartphones safe, you need a well-defined mobile management strategy that fits the needs of your organisation. That means empowering your security team to protect data, detect malicious actors, and keep an eye on Shadow IT, while also allowing employees the flexibility to do their jobs productively. Enter Microsoft Intune, a mobile device management solution that allows you to mitigate risk, while also safeguarding employee productivity.
When meeting the threat of phishing specifically, our partners at Lookout reign supreme. Your organisation may have already invested in email security protections and spam filters, but increasingly, sophisticated phishing attempts are bypassing these blockades. Lookout’s phishing and content protection tools are designed to defend devices against advanced social engineering threats, using artificial intelligence to provide comprehensive protection on both Android and iOS devices.
It only takes one wayward tap to compromise a mobile device – and in Twitter’s case, that mistake proved costly to its reputation, raising privacy and security concerns for its millions of social media users.
While Twitter continues to recover from its tough day, the unaffected can breathe a sigh of relief – although this incident will surely have rocked the social media giant to the core, there’s a lesson or two that both organisations and users can learn from Twitter’s misfortune.
Please Note: the original article has been edited to include new information regarding the employee’s actions.
For more information on how you can avoid a ‘tough day’ using Microsoft technology to protect your organisation against internal threats, please contact a member of our dedicated team.