Last month, three people were charged with hacking roughly 130 Twitter accounts belonging to celebrities, musicians, and politicians, as reported by the Department of Justice Office of Public Affairs. On July 15, the hackers made various high-profile Twitter accounts post links to Bitcoin scams. According to Kate Cox and Dan Goodin of Ars Technica, the scammers received over $117,000. What is remarkable is that a 17-year-old from Tampa, Florida is credited as the “mastermind” behind it all. Although orchestrating the scheme required both technical and criminal prowess, the massive hack wouldn’t have been possible without the weakest link in any IT infrastructure: humans.
Humans can’t catch computer viruses, but they are highly susceptible to social engineering attacks. Social engineering is the practice of deceiving authorized users into handing privileged information or access rights to attackers. Social engineers often impersonate employees in order to achieve their goal. A basic, non-cyber example of social engineering would be a thief disguised as a maintenance worker who pressures a security guard into granting clearance so that they can tend to an “emergency.” Spear phishing, which was explained in a previous blog post, is another form of social engineering. Spear phishing is usually conducted via email, but an official Twitter blog post reveals that the targeted employees were called over the phone:
The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools. Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.
Notice that the attackers worked in steps. Even though the first employees they targeted didn’t have access to account management tools, the attackers learned what they could from those accounts in order to eventually reach their ideal targets. Kate Cox and Dan Goodin mention that Allison Nixon of the security firm Unit 221b worked alongside the FBI on the Twitter hack investigation, and both Allison Nixon and Mark Rasch of Unit 221b provide an outline of the steps the attackers took to compromise employee accounts. First, the attackers gathered the personal information of Twitter employees in tech support roles, including home and cell phone numbers collected from websites such as LinkedIn. Then the hackers called these employees while impersonating coworkers and tricked them into entering their credentials and one-time pass codes into a fake company VPN portal. As each employee typed a username, password, and one-time code into the fake portal, the attackers read the values and entered them into the real portal before the code expired, so the multi-factor check passed for the attackers’ session rather than the victim’s. This works because a one-time code is only valid for a short window and the server has no way of knowing which site the user typed it into; codes delivered by SMS or an authenticator app share this weakness, whereas phishing-resistant factors such as FIDO2 security keys bind the response to the site’s origin and cannot be relayed this way. Mark Rasch and Allison Nixon note that the targeted employees were vulnerable to these tactics as a result of the COVID-19 lockdown. The employees were working remotely and relied “more heavily on their home phone (remember home phones?) or more typically their cell phone.” Because of the employees’ “lowered situational awareness” and inability to see coworkers face-to-face, the attackers were able to gain their trust. Sometimes, to make their phishing attempts more convincing, the hackers used spoofed phone numbers. Spoofing is the act of disguising a message so that it appears to come from a legitimate sender; it applies to caller ID and phone numbers, email addresses, and even websites. When the risks of teleworking were covered in a previous blog post, phishing scams were mentioned as one of the top threats to employees. In the case of the Twitter hack, phishing proved to be the greatest threat.
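To make the relay concrete, here is an added example (not code from the original post, from Twitter, or from Unit 221b) that simulates the mechanism described above in Python. A fake VPN portal captures the victim's password and TOTP code and submits them to the real portal while the code is still valid, so the attacker gets the session; the same relay is then run against an origin-bound challenge-response factor in the WebAuthn/FIDO2 style, where it fails because the victim's authenticator signs for the look-alike origin it actually sees. The hostnames, user, password, secrets, and the use of HMAC as a stand-in for a security key's signature are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# --- Part 1: password + TOTP, relayed in real time -------------------------

TOTP_SECRET = b"constructed-authenticator-seed-for-alice"  # constructed
PASSWORD = "correct horse battery staple"                   # constructed


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step) for the given Unix time."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class RealPortal:
    """Company VPN portal: checks the password, then the current TOTP code,
    and (as RFC 6238 requires) never accepts the same code twice."""

    def __init__(self):
        self.users = {"alice": (PASSWORD, TOTP_SECRET)}
        self.used_codes = set()

    def login(self, user, password, code, now):
        record = self.users.get(user)
        if record is None:
            return None
        real_password, secret = record
        if not hmac.compare_digest(real_password, password):
            return None
        if (user, code) in self.used_codes:
            return None
        if not hmac.compare_digest(totp(secret, now), code):
            return None
        self.used_codes.add((user, code))
        return f"session-for-{user}"


class FakePortal:
    """Attackers' look-alike portal: records what the victim types and submits
    it to the real portal at once, so the returned session is the attacker's."""

    def __init__(self, real: RealPortal):
        self.real = real
        self.captured = []

    def submit(self, user, password, code, now):
        self.captured.append((user, password, code))
        return self.real.login(user, password, code, now)


def run_totp_relay(now: int = 1_594_800_000):
    """Victim fills in the fake portal at `now`; the attacker relays immediately.
    Returns (attacker_session, replay_two_minutes_later)."""
    real = RealPortal()
    fake = FakePortal(real)
    victim_code = totp(TOTP_SECRET, now)  # what the victim's app displays
    attacker_session = fake.submit("alice", PASSWORD, victim_code, now)
    # The code is single-use and tied to a 30-second window: reusing it fails,
    # which is why the attackers had to relay in real time, not afterwards.
    replay = real.login("alice", PASSWORD, victim_code, now + 120)
    return attacker_session, replay


# --- Part 2: origin-bound challenge-response (WebAuthn/FIDO2 model) ----------

DEVICE_KEY = b"constructed-key-held-by-alice-security-key"  # constructed


def sign_challenge(key: bytes, challenge: bytes, origin: str) -> str:
    """Authenticator response: a MAC over the server's challenge AND the origin
    the browser connected to. HMAC stands in for a real key's signature."""
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).hexdigest()


class KeyPortal:
    ORIGIN = "vpn.example.com"  # constructed hostname of the real portal

    def __init__(self):
        self.keys = {"alice": DEVICE_KEY}
        self.pending = {}

    def begin(self, user) -> bytes:
        self.pending[user] = os.urandom(16)
        return self.pending[user]

    def finish(self, user, response):
        challenge = self.pending.pop(user, None)
        if challenge is None or user not in self.keys:
            return None
        expected = sign_challenge(self.keys[user], challenge, self.ORIGIN)
        return f"session-for-{user}" if hmac.compare_digest(expected, response) else None


def victim_authenticator(challenge: bytes, origin_seen: str) -> str:
    """The victim's key signs for whatever origin the browser reports."""
    return sign_challenge(DEVICE_KEY, challenge, origin_seen)


def run_origin_bound_relay():
    """Same relay against the origin-bound factor. Returns (legit, phished)."""
    real = KeyPortal()
    challenge = real.begin("alice")  # browser really on vpn.example.com
    legit = real.finish("alice", victim_authenticator(challenge, real.ORIGIN))
    challenge = real.begin("alice")  # attacker relays a real challenge through
    phished = real.finish("alice", victim_authenticator(challenge, "vpn-example.com"))
    return legit, phished


if __name__ == "__main__":
    print("TOTP relay (attacker session, later replay):", run_totp_relay())
    print("Origin-bound relay (legit, phished):", run_origin_bound_relay())
```

Running the block shows the attacker obtaining `session-for-alice` through the TOTP relay while the later replay is rejected, and the origin-bound login succeeding only for the genuine origin. The point for practitioners is that the relay needs no cryptographic break: it works on any factor whose proof can be carried from one site to another unchanged, and stops working the moment the proof includes where the user actually is.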
There are several things that can be learned from the Twitter hack. First, as often as it has been said, humans are the weakest link, and COVID-19 forced employees into an environment that made them even more susceptible to social engineering. Second, the data you share on social media can be used against you. Third, hackers will take different steps and combine different tactics, from phishing over the phone to spoofing websites and relaying one-time codes, in order to reach their goal. The fourth and most important lesson is that any hacker, even a teenage one, can succeed if their victims are susceptible to common tactics. IT infrastructures must adapt to the post-pandemic world.