Twitter Hackers Used 'Phone Spear Phishing Attack' to Pull Off Bitcoin Scam

[MacRumors]

Twitter has provided another update on the security breach two weeks ago that saw the Twitter accounts of Apple and other high-profile figures and companies hacked by bitcoin scammers.

According to the company, a small number of employees were targeted in a "phone spear phishing attack," suggesting that hackers called some of its staff and duped them into thinking they were speaking with fellow Twitter employees, leading them to reveal the credentials the hackers needed to access internal account support tools.

The attack on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.

Twitter previously called the hack a "coordinated social engineering attack" that had targeted some employees with access to internal systems. The internal tools were used to target 130 accounts, and for 45 of those accounts, hackers initiated a password reset and had full access to the account to send tweets.

For the 130 accounts that were breached, which included the accounts of Tesla CEO Elon Musk, former U.S. President Barack Obama, former Microsoft CEO Bill Gates, Amazon CEO Jeff Bezos, presidential candidate Joe Biden, and others, hackers were able to see personal information like email addresses and phone numbers, and for some accounts taken over, additional information was available, including Direct Messages.

https://twitter.com/x/status/1289000138300563457

Following the attack, Twitter temporarily locked accounts for some users and limited features. Most of those features are now back, but some, such as the "Your Twitter Data" download feature, are still not working as usual.

Twitter says it is taking a "hard look" at how it can improve the sophistication of its internal tools and systems, and in the meantime it has significantly limited access to them until it can safely resume normal operations.

Article Link: Twitter Hackers Used 'Phone Spear Phishing Attack' to Pull Off Bitcoin Scam

 

[jchap]

Despite all the sophisticated security measures a company might take, in the end it’s the human factor that brings it all down...

 

[Crowbot]

Despite all the sophisticated security measures a company might take, in the end it’s the human factor that brings it all down...

Right. It's always been easier to convince someone to give you the key than figuring out how to make the key.

 

[JosephAW]

My 80 yr old mother gets calls like this and she doesn't fall for it, what kind of training do they provide for their employees if any?

 

[Crowbot]

My 80 yr old mother gets calls like this and she doesn't fall for it, what kind of training do they provide for their employees if any?

I get them in Chinese now. But I suspect this was a very well planned intrusion. The "Blue Check" accounts need special surveillance.

 

[madmin]

If as reported elsewhere you publish your administrator passwords in a Slack channel with 1200 members some of whom no longer work at Twitter you should expect trouble. Also, Twitter is known for having difficulties dealing with overwhelming technical debt which should have been dealt with beforehand.

This attack could have been much worse.

 

[tridley68]

If it sounds to good to be true than it usually is just common sense

 

[AlexGraphicD]

I call this BS. They’re trying to cover up for something else more insidious.

 

[szw-mapple fan]

My 80 yr old mother gets calls like this and she doesn't fall for it, what kind of training do they provide for their employees if any?

Spear phishing is usually done through email, despite what the article is claiming. They send random emails for password reset and such and people just trust the link and click on them, taking them to a identical looking fake website. That said, employees need better training and their email system need better link protection filters.

 

[mw360]

Looking at the choice of prominent figures they chose to impersonate, they left a lot of money on the table.

Spear phishing is usually done through email, despite what the article is claiming. They send random emails for password reset and people just trust the link and click on them, taking them to a identical looking fake website.

Spear phishing isn't random emails. It's specifically targeting individuals using researched information about the target. It's phishing but with much more precision.

 

[szw-mapple fan]

I get them in Chinese now. But I suspect this was a very well planned intrusion. The "Blue Check" accounts need special surveillance.

The Chinese ones are Chinese scammers trying to get money from Chinese people living abroad and it's been around for 4 or 5 years. They used to target account holders with Chinese names (probably some list from a data breach) but now everyone's getting it.

 

[szw-mapple fan]

Looking at the choice of prominent figures they chose to impersonate, they left a lot of money on the table.



Spear phishing isn't random emails. It's specifically targeting individuals using researched information about the target. It's phishing but with much more precision.

Sorry if my phrasing wasn't clear on that. I meant random as in unsolicited.

The comment I was replying to seem to imply it was some phone scam, which it is not. These seem much more legitimate and as you said, targeted.

 

[spazzcat]

So were they hackers able to get access to their network or do these tools work without being on their network? I can't believe they would not have 2 factors for VPN access...

 

[pweicks]

Wow. Shouldn’t employers for a social media platform like... be good at not falling for scams?

All that BS they said in their statement was basically a big long complicated way of saying, “yeah, our employees fell for a SCAM.”

But they’re gonna call it a “coordinated social engineering attack???” 🤣🤣🤣 It’s a scam, Twitter. Calm down and shut up. The next time my parents fall for one of those phone scammers, I’ll tell everyone, “Yeah, they were victims of a social engineering attack. It was tragic. 😢” Oh my gosh.

I also find it hilarious that thousands of social media accounts get hacked everyday and Twitter never bothers to do anything about it but when you got all these big, bad wealthies gettin hacked then all of a sudden it’s all hands on deck bent over at 90 degrees. 🤣🤣🤣

Ugh, the social media industry is a joke. My brain would turn to mush after one shift of workin in it.

 

[MisterSavage]

I get them in Chinese now.

So do I. I also got an automated call from "Apple" yesterday because they noticed a "security violation". What a time to be alive.

 

[ghostface147]

Was it really hacking though? Did they secretly enter their systems undetected and pulled off this trick without ever talking to anyone? Nope. They hustled some employees and did their thing. Humans will always be the weak link. Maybe they should've had extra layers of protections for accessing the high profile accounts. Like it has to be approved by more than one person to be accessed. The system notices that Lisa wants to access that account for something, but it has to go to Steve for approval. Once he approves, then it goes to Marie for final approval.

 

[Amazing Iceman]

My 80 yr old mother gets calls like this and she doesn't fall for it, what kind of training do they provide for their employees if any?

Your Grandma has Bitcoin? 😁
The messages look legit, because these came from a recognized source.
Unlike emails, where you can check the message header to make sure it's not a spoofed messages, there's no way to check the origin of these Tweets.

Regardless, Twitter has been slacking on security, with a corrupted group of employees abusing their security clearance.
It's going to take a long time for Twitter to gain back the public's trust.

Maybe it's time for a suitable contender to take over.

 

[aajeevlin]

Your Grandma has Bitcoin? 😁
The messages look legit, because these came from a recognized source.
Unlike emails, where you can check the message header to make sure it's not a spoofed messages, there's no way to check the origin of these Tweets.

Regardless, Twitter has been slacking on security, with a corrupted group of employees abusing their security clearance.
It's going to take a long time for Twitter to gain back the public's trust.

Maybe it's time for a suitable contender to take over.

in the year 2020 everyone who is old enough should have the realization that you INFORMATION is out in the open. From your public social life, your personal information and maybe the porn sites you visited. Hell, even the US government OPM got hacked several years ago so yea...

second rule, anytime a reset or ask you to call or click. ALWAYS GO TO THE SOURCE. Official website or back of the credit card. My rule has always been I’m not important enough for any of These site to call me or email me. If they do it’s mostly automatic and no way in hell an official site will put that much information of me on email.

 

[psac]

Wow. Shouldn’t employers for a social media platform like... be good at not falling for scams?

All that BS they said in their statement was basically a big long complicated way of saying, “yeah, our employees fell for a SCAM.”

But they’re gonna call it a “coordinated social engineering attack???” 🤣🤣🤣 It’s a scam, Twitter. Calm down and shut up. The next time my parents fall for one of those phone scammers, I’ll tell everyone, “Yeah, they were victims of a social engineering attack. It was tragic. 😢” Oh my gosh.

I also find it hilarious that thousands of social media accounts get hacked everyday and Twitter never bothers to do anything about it but when you got all these big, bad wealthies gettin hacked then all of a sudden it’s all hands on deck bent over at 90 degrees. 🤣🤣🤣

Ugh, the social media industry is a joke. My brain would turn to mush after one shift of workin in it.

It's not just random calls. They find Joe Smith on LinkedIn, who works in a department at Twitter that sounds like has the access they need. They also find Jane Doe, who works in a totally different department, maybe with a high title. Someone calls Joe, claims to be Jane (or from Jane's office), needing help with blah blah blah, can you reset this password for me because blah blah." Since Jane is a real person they may have heard of, they do it. Probably even easier now with everyone working from home and no way to tell if it's an internal or external phone number calling.

 

[[AUT] Thomas]

Full-Edit: I just briefly read the article earlier which resulted in a misinterpretation... But that makes it even worse. That company needs to strengthen its internal security. What are they using for authentication? Username and password only? That's even questionable on small businesses these days. From tech companies I would expect an NFC Token, USB-Key or something along the lines of that.

 

[Sedulous]

Yeah, leave those backdoors in! /s

 

[hot-gril]

Despite all the sophisticated security measures a company might take, in the end it’s the human factor that brings it all down...

If Twitter is like any big corps I know, sophisticated means complex, and complex means full of difficult-to-find holes, not just in the people factor but in the systems themselves. That and once you have any employee-level access, the insider security is an absolute joke because they couldn't design something that doesn't get in the way of people's work.

But it would still explain things better if they simply had someone on the inside to begin with, which isn't unlikely.

 

[Shirasaki]

I also find it hilarious that thousands of social media accounts get hacked everyday and Twitter never bothers to do anything about it but when you got all these big, bad wealthies gettin hacked then all of a sudden it’s all hands on deck bent over at 90 degrees. 🤣🤣🤣

Probably because those high profile accounts are linked to big corps and Twitter don’t want to cut business relationship with them but regular customers can just kinda ignore either way? Talking about priority here.

 

[Crowbot]

So do I. I also got an automated call from "Apple" yesterday because they noticed a "security violation". What a time to be alive.

I used to get urgent calls that there was something wrong with my Windows PC. When I told them I had a Mac I was transferred to someone who said there was a problem with my Mac. I really feel sorry for the rubes who fall for it.

 

[MisterSavage]

I used to get urgent calls that there was something wrong with my Windows PC. When I told them I had a Mac I was transferred to someone who said there was a problem with my Mac. I really feel sorry for the rubes who fall for it.

One time I was bored and played along. I asked them what my IP address was if they detected an issue. Of course they couldn't tell me but he kept trying to convince me he was legit even though it was clear I wasn't buying it.