On Thursday morning, millions of Internet users all over the world woke up to the most audacious social engineering campaign ever. Right in front of their eyes, spammers hijacked the Twitter accounts of dozens of global celebrities, and live-tweeted bogus Bitcoin exchange deals with impunity.
The blatant social engineering tactic involved hackers taking over the Twitter accounts of Tesla CEO Elon Musk, former Microsoft boss Bill Gates, former U.S. President Barack Obama, Democratic candidate Joe Biden, Amazon CEO Jeff Bezos, Kanye West, and the official Twitter accounts of Apple and Uber, among others.
Having gained control over these accounts, the spammers proceeded to tweet Bitcoin exchange deals, asking Twitter users to send certain amounts of BTC to a specified wallet address and receive a larger sum in return. Because the offers appeared to come from global celebrities themselves, many Twitter users fell for it, transferring hundreds of thousands of pounds within a few hours before Twitter was able to sound the alarm, which it eventually did.
"We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly. You may be unable to Tweet or reset your password while we review and address this incident," the social media giant tweeted around midnight.
Coordinated social engineering attack got the better of Twitter employees with access controls
As dawn broke over London, Twitter revealed what had actually transpired on Wednesday night. Cybercriminals targeted Twitter employees who had access to internal systems and tools with a coordinated social engineering attack. The trick worked, and within a short time the spammers were controlling many highly visible (including verified) Twitter accounts.
"Once we became aware of the incident, we immediately locked down the affected accounts and removed Tweets posted by the attackers. We also limited functionality for a much larger group of accounts, like all verified accounts (even those with no evidence of being compromised), while we continue to fully investigate this.
"We have locked accounts that were compromised and will restore access to the original account owner only when we are certain we can do so securely. Internally, we’ve taken significant steps to limit access to internal systems and tools while our investigation is ongoing. More updates to come as our investigation continues," the company added.
"Tough day for us at Twitter. We all feel terrible this happened. We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened," tweeted Jack Dorsey, the CEO of Twitter.
Despite suffering the worst breach of user accounts in history, Jack Dorsey must be feeling relieved. Had the people who carried out the attack been nation-state hackers rather than fraudsters looking for a quick buck, the cyber attack could have compromised possibly every Twitter account out there, destroying the digital security and privacy of millions within a few hours.
"This high-profile Twitter breach could be the result of a spray-and-pray spear-phishing campaign that landed some opportunistic cybercriminals what could potentially be the hack of the year for Twitter. They could have done potentially far more damage. Instead, by delivering a simple Bitcoin scam, we could be looking at attackers that wanted to quickly monetize their access, instead of a highly coordinated and sophisticated operation performed by an APT group," says Liviu Arsene, Global Cybersecurity Researcher at Bitdefender.
"This attack is unprecedentedly smart and coordinated; it will likely bring fruits to the hackers behind it. This incident highlights the extreme fragility of the modern information space. In a similar disinformation campaign, nation-state actors may simply announce a military or nuclear incident and provoke national havoc, or spread fake news about a rival business to ruin its stock price and then purchase it for pennies," warned Ilia Kolochenko, Founder & CEO of ImmuniWeb.
Breach of user accounts raises questions about Twitter's security controls and policies
The fact that spammers were able to victimize Twitter employees with access to internal tools and controls, and thereby gain access to verified accounts, raises many questions about how Twitter secures its keys, educates its employees, and protects the accounts of millions of users worldwide.
"The reports that employees who had access to internal tools and systems got compromised raise questions about whether Twitter protects privileged access with sufficient security controls such as a strong Privileged Access Solution," says Joe Carson, Chief Security Scientist at Thycotic.
"Employees who have access to systems or tools that could abuse Twitter accounts should have strong security controls such as Multi-Factor Authentication, Access Workflows, Session Recording, Automated Rotation of privileged account passwords and additional authorization controls," he adds. The fact that the social engineering attack succeeded indicates that Twitter may not have introduced some of these controls.
"The failure of multi-factor authentication for the Twitter accounts demonstrates that admin credentials were not safeguarded in an appropriate way. Account access for social media accounts, including privileged access, needs to be secured just as strongly as for other accounts that manage sensitive corporate data and enterprise systems. This news demonstrates the importance of privileged access management on systems and accounts that many do not consider critical enough to protect," says Todd Peterson, IAM evangelist at One Identity.
Companies must introduce robust security tools to negate the chances of human error
The data security incident suffered by Twitter puts into context how essential it is for companies to implement adequate security controls such as privileged access management and multi-factor authentication in order to negate the human factor, which is the primary target of social engineering attacks.
"Social engineering attacks are usually quite sophisticated, and can involve substantial pattern-of-life analysis, including research of the target to craft specific bespoke lures, such as websites and tailored emails - referred to as pattern-of-life analysis.
"The threat actor studies the target’s online presence, including their use of social media, to identify social and family networks, favourite restaurants, hobbies, sporting or musical interests. The majority of these attacks are carried out for financial gain, as is the case with this one," says Dr Francis Gaffney, Director of Threat Intelligence at Mimecast.
"Human error is required for these attacks to be successful, which highlights the importance of regular cyber awareness training to increase employees’ knowledge about such methodologies used by threat actors. Our State of Email Security report found 56% of organisations do not provide awareness training on a frequent basis, leaving businesses increasingly vulnerable.
"At the same time, appropriately managed access controls for administrative or supervisory accounts can assist in preventing the escalation of privileges, or abuse of permissions, that this particular attack relied upon. These need to change to prevent further successful attacks such as this one, that can have massive reputational damage for any company," he adds.