The Social Engineering Case of the Twitter Hack

 

This is Episode 1 of Security Bits.

On July 17, Billions of people woke up checking their favorite NEWS sources and social applications but about 400 of them fell for a scam on twitter. Famous people like Elon Musk, Jeff Bezos, Bill Gates and companies like The Cash App, Apple and several others including some politicians, they woke up with their personal or private twitter account being used by the attackers who had left a tweet on their behalf. Which basically claimed that these individuals or companies were feeling generous and were going to double your donation through Bitcoin transactions.

I want to speak a little more detail into how the attackers hacked these accounts, then discuss what was the result of such a attack and how significant it is for a company like Apple, Shell, Etc and also how it impacts you, your co-workers, your family and friends.

Prior to the attack on the 17th, the attackers had already infiltrated the Twitters internal systems by using a technique called Social Engineering. So, what is Social Engineering? It is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. The key words here are “use of deception to manipulate individuals”. An example would be calling you and manipulating you to provide your social security number.

So the Twitter employees were trciked into providing their administrative crentials for twitters internal system such as their usernams and passwords.

After which the attackers disabled the protections on the Twitter Accounts such as 2 Factor Authentication, changed the owners email address on file to their own email address and simply reset the passwords and then logged into the accounts. Then sent a tweet and also downloaded their personal Twitter Account Data.

A total of 130 Twitter accounts were affected and this resulted in 400 induviduals sending bitcoins worth a total of $121,000 USD to three seperate Bitcoin accounts in less than 5 hours before Twitter locked down the accounts and deleted the tweets.

So what are the lessons learned from this attack?

  • Hacks does not have to be complex or technical.
  • Insider Threat is still one of top security risks in any industry.
  • While this attack did not cause any harm to human lives, there are other platforms which can affect and touch our basic needs such as Emergency services, Utilities etc.

I will leave you with couple of thoughts.
Smartphones and Cloud Applications have created tremondous possibiliies but unable to control these can set us back both financially and mentally.

Remember, even if you have not been on twitter or Facebook or LinkedIn or maps, your apps are constantly capturing anything that is useful from within your phones, your GPS Coordinates or your conversations and create a valuable resource for them to sell and if bad guys get hold of it then they can do the same.
You are not the customer, you are the product.

DK

Leave a Reply