Hackers hijack Indian PM Modi’s Twitter account to carry out Bitcoin scam

The recent hacking of Indian Prime Minister Narendra Modi's Twitter account throws fresh questions into how Twitter secures its keys, educates employees about cyber threats, and protects the accounts of millions of users worldwide.

Around midnight on Wednesday, the verified Twitter account of Indian Prime Minister Narendra Modi, which enjoys over 2.5 million followers, was hacked, allowing the hackers to post several messages asking his followers to donate Bitcoin to a wallet address.

"I appeal to you all to donate generously to PM National Relief Fund for Covid-19, Now India begin with cryptocurrency," one of the tweets read. The move was certainly an attempt to leverage the account's wide reach to lure people into donating Bitcoin into a Bitcoin wallet owned by the fraudsters.

The hacking of Modi's Twitter account took place shortly after CERT-In, India's computer emergency response team, warned that hackers were targeting users of an email service for the Government of India (email.gov.in) that is used by ministers, bureaucrats, various functionaries, and the Prime Minister himself.

According to CERT-In, hackers were sending phishing emails to users of the email service, asking them to click on fake domains designed to mimic genuine government ones. The hackers used fake domains such as email-gov.in, emalegovin.webhostapp.com, and safebrowsinginddia.webhostapp.com to lure recipients into clicking on such links.

"The campaign often involves emails pretending to be from NIC asking users to "verify" their accounts or other such pretexts. The email contains a link to one of the spoofed websites which steal the user's login credentials.

"Further, it has been observed that successfully phished email accounts are then used to send malware-containing emails to other sensitive government organisations and users. These mails contain topical and context-aware content to lure the target into opening the malicious attachment, thus infecting the system. The malware can then create persistence inside the targeted organisations's network, and be used for various malicious activities such as stealing sensitive data," CERT-In added.

Latest hacking incident similar to the massive hack of Twitter accounts in July

The use of Modi's hacked Twitter account to ask his followers to donate Bitcoin to a certain wallet is very similar to the actions of a group of fraudsters who hacked the Twitter accounts of celebrities like Tesla CEO Elon Musk, former Microsoft boss Bill Gates, former U.S. President Barack Obama, Democratic candidate Joe Biden, Amazon CEO Jeff Bezos, Kanye West, and the official Twitter accounts of Apple and Uber in July.

Having gained control over these accounts, spammers proceeded to tweet Bitcoin exchange deals, asking Twitter users to send certain amounts of BTC to a specified wallet address and receive a large sum in return. Considering these offers came from global celebrities themselves, many Twitter users fell for it, transferring hundreds of thousands of pounds within a few hours before Twitter got the chance to sound an alarm, which it eventually did.

According to Twitter, the cyber criminals targeted Twitter employees- who had access to Twitter's account management tools- with a coordinated social engineering attack. The trick worked and within a short time, the spammers were controlling many highly-visible (including verified) Twitter accounts.

The attackers then proceeded to target additional employees who had access to Twitter's account support tools. After obtaining their credentials, they targeted 130 Twitter VIP accounts, accessed direct messages of 36 accounts, tweeted from 45 accounts, and downloaded the Twitter data from seven accounts.

"This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems. This was a striking reminder of how important each person on our team is in protecting our service," Twitter said.

Responding to the hacking of Modi's Twitter account, Twitter said it is "aware of this activity and have taken steps to secure the compromised account" and is actively investigating the situation.

Commenting on the latest hacking incident, Javvad Malik, Security Awareness Advocate at KnowBe4, said that if criminals gain access to social media accounts, particularly those with large influence, they can not only perpetrate fraud, such as asking unsuspecting followers to pay cryptocurrency under false pretences - but they can spread disinformation, lies, or social engineer others via private messages.

"It's therefore vitally important that organisations, vendors, and users, take all steps necessary to protect their social media accounts. For users, this includes, but is not limited to ensuring passwords are strong and not reused and enabling MFA where it is available. Additionally, users of social media accounts should be wary of links sent to them, or messages which are unexpected or appear out of the ordinary. Remaining vigilant online at all times is essential to help prevent being a victim of online scams, fraud, and even corporate espionage," he added.

Niamh Muldoon, Senior Director of Trust and Security at OneLogin, said that Twitter users considered “High-Value Targets” such as Modi, must stay security conscious around the clock and make decisions to protect themselves and limit their personal risk. After all, with such a public-facing user, the knock-on effects of a hack on a social media account could be potentially devastating, revealing sensitive direct message conversations, or tricking people into Bitcoin scams such as this.

"They can do this by actively making personal risk-based decisions when using social media services, either personally or via their social media teams. These decisions could include making sure they adhere to security best practices such as password hygiene, limiting access to their accounts to as few devices/individuals as possible, and applying two-factor authentication on all loops, tools, and logins," she added.

MORE ABOUT: