Twitter last week allowed scammers to tweet an appeal for Bitcoin on behalf of some of its biggest names, including Barack Obama and Michael Bloomberg, showing how human weakness can be exploited to potentially devastating effect.
ANALYSIS: Social media has never seen a ‘hacking’ disaster as serious as what hit Twitter last week.
Last Thursday, the Twitter accounts of numerous high-profile politicians, celebrities and even leading US companies posted rather peculiar tweets to their tens of millions of followers.
Any unsolicited request to transfer Bitcoin should always raise a red flag with internet users. Bitcoin is the favoured currency of hackers and scammers. But here we had billionaire philanthropists Mike Bloomberg and Bill Gates, the rapper Kanye West and even titans of industry like Uber and Apple wanting to “give back to the community” with generous bitcoin payments.
It seemed too good to be true – and it was. Twitter was compromised at a fundamental level that hasn’t been properly explained yet by the company. It wasn’t weak passwords or lax security on the part of those high profile people and organisations that saw their accounts hijacked, it was a critical weakness in Twitter’s own security policies.
“We detected what we believe to be a co-ordinated social-engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” Twitter explained on Friday, confirming that 130 people had their accounts exploited.
That sounds relatively minor. There wasn’t a lot of data stolen and the scam didn’t result in people being millions of dollars out of pocket as with ransomware attacks in the past. But remember that among that unfortunate group of exploited Twitter users are some of the most powerful and influential people in the world. Tweeting supposedly genuine messages from those accounts for malevolent purposes has the potential to do huge damage.
Getting to people
Social engineering. As online platforms and company networks are hardened against cyber attacks, hackers are having to get craftier to gain access to our online accounts, our sensitive data and our bank accounts.
The easiest way for them to do that is to exploit human nature. The key tool in their arsenal is the “phishing” attack, which can come in the form of an innocent-looking email, apparently sent from a colleague, asking for sensitive information to be revealed. On Saturday, Twitter explained on its company blog how social engineering had played a role in the exploit:
“The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections,” the company explained.
“As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and send Tweets. We are continuing our forensic review of all of the accounts to confirm all actions that may have been taken. In addition, we believe they may have attempted to sell some of the usernames.”
This is likely what allowed a scammer to gain administrator-level access to Twitter’s system, allowing them to access and control multiple accounts unnoticed. It could actually have been as simple as this: a scammer trawls LinkedIn for profiles of Twitter employees whose job titles indicate they work deep in the bowels of Twitter’s platform.
Then they send those people emails, using masking techniques to make them appear to be genuine company emails asking for log-in details to be updated via a convenient web link embedded in the email.
It is an old trick from the cyber criminal’s book and it would be hugely embarrassing if Twitter’s security was undone with a simple phishing attack. But it is the most likely explanation.
There is, however, some suggestion that the exploit may actually have been an inside job, with an employee bribed into handing over access to the Twitter dashboard that allows admin staff to control individual accounts. If that’s the case, it is even more vexing for Twitter, which will have to re-evaluate the trust it has in the people who literally have the keys to its kingdom. As big tech companies, Facebook in particular, face a growing backlash from their own employees over their business activities and policies, the ‘employee gone rogue’ scenario is likely to become more common.
Dollars and sense
Either way, the path in was by exploiting human weakness. Someone was either too trusting, too stupid or too greedy and Twitter has suffered major embarrassment as a result. In real terms, it wasn’t a devastating incident.
By tracking payments to the Bitcoin account that was listed for the requested US$2000 transfer, it is clear that only 400 Bitcoins were transferred by duped Twitter users amounting to around $183,000.
The scammers knew they had mere minutes, maybe an hour tops, before account owners and their Twitter followers flagged the suspicious activity.
It could have been much worse. Say, for instance, the scammer had political motives in mind and hijacked dozens of accounts to spread misinformation on the eve of the US Presidential election, something crafted to sow doubt in the minds of Joe Biden supporters. Biden’s account was among those hacked on Wednesday, along with that of Barack Obama, who has 120.7 million followers.
Such a ruse, an attempt at social engineering on a massive scale, could have a major impact on democracy itself, an issue social media companies should be particularly sensitive to in the run-up to the US presidential election. As such Twitter has many questions to answer about the integrity of its platform and what it will do to ensure the accounts of influential Tweeters can’t be hijacked on such a scale again.
There may be other consequences too. Twitter is subject to the General Data Protection Regulation (GDPR) provisions for its activity in the European Union, which dictate that any online platform has to show “appropriate” levels of security. Companies that breach the regulations face stiff fines.
Keep your eyes open
This is a wake-up call for all of the social media platform operators. They risk a huge backlash from users, politicians and regulators if they can’t ensure the security that is required in the fast-moving world of social media.
For the rest of us, it is another important reminder. We are all vulnerable to these social engineering attempts. Be very careful what links you click on in an email; never give out sensitive information, such as user details, passwords and log-in information, over email; and always check carefully the email addresses and domain names of websites you receive messages from or are directed to.
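The advice to check the domain behind every link is easy to state and easy to get wrong by eye, because a masked link shows one address while pointing at another, and a lookalike host can carry the trusted name as one of its labels. The script below, an added example that is not part of the article or of Twitter’s tooling, pulls every link out of an HTML email body, resolves where each one really goes, and compares that with the domain the sender claims to be. The trusted domain, the From header and both sample emails are constructed for the example; example.com and example.net are reserved documentation names, not real services.

```python
"""Flag suspicious links in an email body before anyone clicks them.

Added example (not from the article): applies the advice to "check carefully
the email addresses and domain names" by extracting the host each link really
points to and comparing it with the domain the sender claims to be.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the organisation's legitimate domain(s). Hypothetical value.
TRUSTED_DOMAINS = {"example.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'login.example.com' -> 'example.com'.
    Good enough for .com-style names; production code should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def sender_domain(from_header: str) -> str:
    """Domain of the address in a From: header such as 'IT Support <it@example.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def check_links(from_header: str, html_body: str) -> list:
    """One finding per link: the real destination host and every reason it looks suspicious."""
    parser = _LinkCollector()
    parser.feed(html_body)
    claimed = registrable_domain(sender_domain(from_header))
    findings = []
    for text, href in parser.links:
        host = (urlparse(href).hostname or "").lower()
        target = registrable_domain(host)
        reasons = []
        if target not in TRUSTED_DOMAINS:
            reasons.append(f"link goes to {target}, which is not a trusted domain")
        if target != claimed:
            reasons.append(f"link domain differs from sender domain {claimed}")
        # Visible text that looks like an address but resolves elsewhere: a masked link.
        shown = urlparse(text if "://" in text else "https://" + text).hostname or ""
        if shown and "." in shown and registrable_domain(shown) != target:
            reasons.append(f"displayed '{shown}' but points to {host}")
        # Trusted name embedded in an untrusted host, e.g. as a leading subdomain label.
        if target not in TRUSTED_DOMAINS and any(t in host for t in TRUSTED_DOMAINS):
            reasons.append("trusted domain name embedded in an untrusted host")
        findings.append({"text": text, "host": host,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Constructed samples: a genuine reset link and a masked one.
    sender = "IT Support <it@example.com>"
    for body in (
        '<a href="https://login.example.com/reset">login.example.com</a>',
        '<a href="https://example.com.account-update.example.net/login">https://example.com/login</a>',
    ):
        for f in check_links(sender, body):
            print(f["host"], "->", "SUSPICIOUS" if f["suspicious"] else "ok", f["reasons"])
```

Run it on the two constructed bodies and the first link passes while the second is flagged four times over: its registrable domain is example.net, that differs from the sender’s domain, the visible text names example.com while the href does not, and the trusted name sits inside the untrusted host. Any one of those reasons is enough to stop and verify through a channel other than the email itself.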
If you have multi-factor authentication (MFA), which is offered as a standard feature of Office 365, Gmail, and other email and cloud services, as well as for online banking, make use of it as this will greatly lessen the chance of a rogue actor logging in with account information stolen from you. Twitter had a problem with its two-factor authentication system, which has seen it scramble to fix its security.
And lastly, if you ever see someone tweeting an appeal for you to send them Bitcoin, just block them and report the tweet to Twitter. It’s most likely a scam and probably not worth the risk otherwise.