In a massive Twitter hack, several high-profile accounts were compromised on Wednesday. Elon Musk, Joe Biden, Jeff Bezos, Michael Bloomberg, Kim Kardashian West and Bill Gates were among the accounts pushing out tweets claiming that followers will receive double the money they send to a certain Bitcoin address.
Twitter confirmed the breach and said it was a “co-ordinated social engineering attack” on its employees that had access to “internal systems and tools”.
To reduce any further impact, Twitter has limited certain account functionalities following this massive social media hack. Twitter said in a series of tweets that it was a “co-ordinated” attack targeting its employees “with access to internal systems and tools”.
The attacks started with Twitter accounts of prominent cryptocurrency companies and then broadened its reach to some of the most prominent and influential companies and individuals. The accounts hacked in the first wave include exchanges like @Coinbase, @Binance, @Gemini, @KuCoin, @Bitfinex, CEOs and founders like @CZ_Binance, @JustinSunTron, @SatoshiLite, cryptocurrency accounts like @TronFoundation.
Satnam Narang, staff research engineer, Tenable said that the accounts tweeted that they “partnered with” a company called CryptoForHealth and that the tweets in both incidents used the same Bitcoin address.
Cybersecurity experts claim that the social engineering featured in this scam demonstrates that the attackers targeted Twitter employees with access to internal tools and preyed on the trust associated with verified accounts and the attraction of doubling your money.
Social engineering attacks are usually quite sophisticated and can involve substantial pattern-of-life analysis, explained Francis Gaffney, director of threat intelligence and response, Mimecast. “This includes research of the target to craft specific bespoke lures, such as websites and tailored emails – referred to as pattern-of-life-analysis. The threat actor studies the target’s online presence, including their use of social media, to identify social and family networks, favourite restaurants, hobbies, sporting or musical interests,” he added.
The ramifications of personnel within Twitter having such tools and access to high profile accounts is a serious concern.
Loïc Guézo, senior director of cybersecurity strategy, EMEA at Proofpoint, added that although the origins and scope of this pervasive attack are under investigation, this co-ordinated Bitcoin giveaway scam was designed to convince followers to believe the fraudulent tweets and pay Bitcoin.
Tweets from official accounts of Barack Obama, Joe Biden and Kanye West requested donations in cryptocurrency.
While there remain several questions around the security of social media platforms, Morey Haber, CTO & CISO, BeyondTrust explained how this attack was carried out. “This attack on Twitter verified accounts used a classic spear-phishing attack technique to allow threat actors into the Twitter environment and access to specialised administrative tools that have unrestricted access to accounts.”
The ramifications of personnel within Twitter having such tools and access to high profile accounts is a serious concern. Haber added that Twitter will need to respond appropriately to safeguard their users, data and ensure the integrity of their platform.
What is worrying is the fact that cryptocurrency transactions do not have the legal protections that you get with banks or payment card companies, added Paul Ducklin, principal research scientist, Sophos. “There is no fraud reporting service or transaction cancellation in the world of cryptocurrency. Sending someone crypto coins is like handing over banknotes to in an envelope – if they go to a crook, you will never see them again.”
Over the next few hours and days, incident responders will be working hard to scope out the totality of the compromise, looking for any evidence of remote orchestration in case the attackers have been able to penetrate and gain persistence inside Twitter’s systems.
Battista Cagnoni, senior consultant, Advisory Services – Vectra adds, “Rogue insider or duped employee aside the illegitimate use of administration tools by legitimate users is challenging to detect, which is why privileged access remains a critical attack vector in so many breaches. This high-profile attack on one of the world’s largest social media platforms looks to have limited success in terms of financial gain, but for obvious reasons, has a significant impact in terms of visibility and the potential to damage brand reputation.”
