Bill Gates, Elon Musk, and Barack Obama were among the slew of verified accounts with millions of followers involved in what Mikko Hypponen, F-Secure’s Chief Research Officer, calls “the biggest security breach in Twitter’s history.” And the next attack could be much worse.
By targeting Twitter employees, a hacker apparently gained access to the site’s admin tool. With that authority, the attacker locked the owners out of their accounts and then began tweeting bitcoin scams from some of the site’s most prominent users.
Twitter took multiple measures to contain the attack, some of them visible to the public, such as temporarily preventing all verified accounts from tweeting and breaking any links that appeared to be connected to bitcoin.
“The way this hack was done also means that there’s nothing any users could have done to prevent it from happening,” Mikko said. “Regardless, it’s always a good idea to lock down our accounts.”
He recommends picking strong, unique passwords via a password manager, activating two-factor authentication and using a unique email address for important accounts.
“And remember to monitor your account for weird activity. Especially pay attention if you get an email about unusual access, attempts to change your email address or disable two-factor authentication, or just if you see repeated failed logins.”
A two-pronged social engineering attack
The hacker used well-known social engineering tactics both to get inside Twitter’s systems and to execute the scam.
“In part one of the Twitter social engineering attack, a member of Twitter’s staff with access to internal systems was somehow manipulated into allowing an external attacker to temporarily take over a number of high-profile accounts,” said Vic Harkness of F-Secure Consulting. “The accounts being targeted by the attacker were clearly calculated.”
Choosing personalities known for their insight into digital technology added legitimacy to the scam and served the attacker’s goal: scamming Twitter users into sending bitcoin.
“Phase two of the attack leveraged several common social engineering tactics. In addition to attaching well-known public figures to the scam to add legitimacy, they also made use of pressure tactics—by stating the deal would only be open for the next 30 minutes—and honeypot tactics that appealed to users’ desire for financial gain.”
Andy Patel, senior researcher in F-Secure’s Artificial Intelligence Center of Excellence, believes that these tactics were the work of the CryptoTwitter Bois who “are known for creating and boosting fake accounts that look identical to celebrities and then using those accounts to pull off scams.”
We got lucky this time
Vic notes that the attacker could have made far more money by manipulating the prices of stocks. But the ~$100,000 the attack reportedly yielded is far more than the ~$7,700 possible for reporting this vulnerability directly to Twitter.
However, F-Secure’s experts suggest that the bigger risk in future attacks is Twitter’s outsized role in messaging around electoral politics.
“The attackers had access to everything,” Mikko said. “They could have done anything on Twitter. They could have started tweeting weird things in the names of the U.S. Presidential candidates during the voting this November, for example.”
And while Twitter may be the favorite social media platform of the current president of the United States, there are even bigger targets for ambitious attackers.
“In the end, this could have been much worse,” he said. “Twitter is big and important people have large numbers of followers there – but even Snapchat and Reddit have more users than Twitter. The real gorillas in social media are Instagram, YouTube and Facebook.”