Last Wednesday, July 15, 2020, several of the most influential accounts on Twitter, including those of Kim Kardashian, Bill Gates, Elon Musk and Barack Obama, were compromised. The accounts repeatedly tweeted fraudulent messages encouraging people to send bitcoin payments to a particular address. At around the 2-hour mark, Twitter halted the messages by blocking all verified accounts from posting further tweets. Unfortunately, significant damage to the company’s reputation had already been done. In premarket trading the following day, Twitter endured a $1.3 billion plunge (4%) in market value.
This past weekend, Twitter announced new findings regarding the hack. The hackers had accessed approximately 130 accounts and appear to have downloaded data from at least 8 of those accounts.
Up to this point, Twitter still has not publicly announced who may be responsible for the attack. Congressional lawmakers have sent questions to the organization demanding further details regarding the nature of the attack, and investigations have been launched by both New York state regulators and the FBI. Questions remain as to how the hackers gained access to the Twitter accounts, the motives behind the attacks, and whether or not Twitter has remediated the vulnerabilities that led to the attack.
Experts in cybersecurity are puzzled, recognizing that the hackers could have gained far more than the $100,000 stolen through bitcoin. There is further speculation that another attack may be imminent, as the facts don’t quite seem to add up.
What We Know
Nothing is certain; however, there are a few facts surrounding the specifics of the hack that may shed some light. First, experts agree that the hackers seized the accounts after gaining access to an internal dashboard that is exclusive to Twitter employees. The dashboard allegedly allowed the hackers to take over accounts by replacing their associated email addresses without notifying the owner.
Last week, Twitter acknowledged that the hackers had been targeting Twitter employees through a social engineering scheme in order to gain access to the internal dashboard; however, it remains unclear whether any Twitter employee was aware of the hackers’ intentions ahead of time. According to the company, several hundred employees maintain access to the dashboard, significantly improving an attacker’s odds of compromising at least one employee account.
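The two facts above, an admin tool that can change an account’s email address without notifying the owner and several hundred operators with access to it, describe a detection opportunity as much as a weakness. The following is an added example (not Twitter’s code, nor Packetlabs’ tooling) showing how audit logs from such a dashboard could be checked for two signals: a single operator changing many account email addresses in a short window, and any email change where the owner was not notified. The log format, field names (operator, action, target, notified_owner) and sample events are constructed for this example; a hypothetical tool would need to emit equivalent fields.

```python
"""Flag suspicious email-change activity in an internal support tool's audit log.

Added example. The line format and the events below are constructed for
illustration and are not Twitter's real audit format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit log: one operator (emp_42) changes six account
# emails in under three minutes, none with owner notification; a second
# operator (emp_07) makes two ordinary, notified changes 80 minutes apart.
SAMPLE_AUDIT_LOG = """\
2020-07-15T20:01:12Z operator=emp_42 action=view_account target=acct_1001
2020-07-15T20:03:40Z operator=emp_42 action=change_email target=acct_2001 notified_owner=false
2020-07-15T20:04:02Z operator=emp_42 action=change_email target=acct_2002 notified_owner=false
2020-07-15T20:04:31Z operator=emp_42 action=change_email target=acct_2003 notified_owner=false
2020-07-15T20:05:10Z operator=emp_42 action=change_email target=acct_2004 notified_owner=false
2020-07-15T20:05:55Z operator=emp_42 action=change_email target=acct_2005 notified_owner=false
2020-07-15T20:06:13Z operator=emp_42 action=change_email target=acct_2006 notified_owner=false
2020-07-15T20:10:00Z operator=emp_07 action=change_email target=acct_3001 notified_owner=true
2020-07-15T21:30:00Z operator=emp_07 action=change_email target=acct_3002 notified_owner=true
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_audit_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; 'ts' becomes a datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = dict(pair.split("=", 1) for pair in m.group("kv").split())
    event["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return event


def load_events(text):
    """Parse every non-empty line of an audit log, skipping unparseable ones."""
    return [e for e in (parse_audit_line(l) for l in text.splitlines()) if e]


def email_change_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return {operator: peak number of change_email actions inside any `window`}
    for operators whose peak reaches `threshold` (sliding window per operator)."""
    per_operator = defaultdict(list)
    for e in events:
        if e.get("action") == "change_email":
            per_operator[e["operator"]].append(e["ts"])
    flagged = {}
    for operator, times in per_operator.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[operator] = peak
    return flagged


def unnotified_email_changes(events):
    """Targets whose email was changed without the account owner being notified.
    A missing notified_owner field is treated as not notified."""
    return [
        e["target"]
        for e in events
        if e.get("action") == "change_email" and e.get("notified_owner") != "true"
    ]


if __name__ == "__main__":
    evs = load_events(SAMPLE_AUDIT_LOG)
    print("burst operators:", email_change_bursts(evs))
    print("changes without owner notification:", unnotified_email_changes(evs))
```

The burst threshold and window are deliberately conservative so that a support agent handling a handful of legitimate recovery tickets in an hour is not flagged; what stands out is the pattern the article describes, many account takeovers by one operator in minutes. The second check is the policy control: in a well-designed tool, an email change that does not notify the previous address should not be possible at all, so any hit is itself a finding about the tool, not just about the operator.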
Speculation and Uncertainty
Since the attack, reports have surfaced speculating on the level of sophistication of the hackers involved. According to the New York Times, citing interviews with people involved, the hack was likely carried out by a group of relatively young and unsophisticated hackers. This follows Brian Krebs of Krebs on Security noting that one of the forum posts was traced back to a 21-year-old man from Britain.
To this point, there are many indications that this attack was executed by individuals who typically specialize in hijacking social media accounts with the use of “SIM swapping”, which is a particularly widespread form of cybercrime that usually involves bribing, hacking or otherwise coercing employees working at social media companies to gain access to a particular target’s accounts.
Twitter acknowledged the proliferation of a coordinated social engineering attack, targeting employees, early on in the investigation process stating that they locked down the seized accounts and removed the tweets immediately. The social media giant proceeded to advise they are looking into the activity and will share more as details become available.
In this day and age, it sounds almost juvenile that anyone would be fooled by the ruse; however, a subsequent analysis of the BTC wallet indicates that over 383 transactions were processed in response to the tweets over the short time they were active. The cumulative value of the processed transactions exceeds $100 thousand US, or approximately 17 BTC.
All things considered, perhaps the most disturbing fact that can be taken from all of this is that this attack was performed by alleged amateurs, driving home the fact that not all cybercrime requires elite-level skill, execution or even state-level sponsorship to inflict significant damage on even the largest of organizations. The questions on everyone’s mind should be: what if this attack had been carried out by more sophisticated attackers, and further, if an organization with as much financial and organizational prowess as Twitter is vulnerable to low-tier attacks, just how safe is any organization from these crimes?
Packetlabs Services: How can we help?
At Packetlabs, we believe in a proactive approach to security. With that in mind, it is important to recognize that all organizations are unique in their strengths and vulnerabilities. For this reason, the regular use of penetration testing and security maturity assessment is highly recommended in order to build a plan for the development of a strong security posture. Contact us today to learn how Packetlabs can help your organization put its best foot forward.