Twitter hack: Staff tricked by phone spear-phishing scam

BBC Technology 31 Jul 2020 11:35
A four-part compiste shows Bill Gates, Kim Kardashian, the Twitter logo, and Joe BidenImage copyright Reuters

The unprecedented hacking of celebrity Twitter accounts this month was caused by human error and a spear-phishing attack on Twitter employees, the company has confirmed.

Spear-phishing is a targeted attack designed to trick people into handing out information such as passwords.

Twitter said its staff were targeted through their phones.

The successful attempt let attackers tweet from celebrity accounts and access their private direct messages.

The accounts of Microsoft founder Bill Gates, Democratic presidential hopeful Joe Biden and reality star Kim Kardashian West were compromised, and shared a Bitcoin scam.

It reportedly netted the scammers more than $100,000 (£80,000).

The attack has raised concerns about the level of access that Twitter employees, and subsequently the hackers, have to user accounts.

"Access to these tools is strictly limited and is only granted for valid business reasons," the company said.

Once the attackers had acquired user credentials to let them inside Twitter's network, the next stage of their attack was much easier.

By Joe Tidy, cyber-security reporter

Phonecall spear-phishing, commonly known as vishing, is bread and butter for the sort of hackers who are suspected of this attack.

Hacker to Twitter employee: "Hi, I'm new to the department and I've locked myself out of the Twitter internal portal, can you do me a huge favour and give me the login again?"

"This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems," the company said.

Media playback is unsupported on your device

Twitter did not state whether the attack involved voice calls, despite a previous report from Bloomberg stating that at least one Twitter employee was contacted by attackers through a phone call.

Phishing is most commonly done by email and text message, encouraging recipients to click on links that take them to websites with fake log-in screens.

Spear-phishing is a version of the scam targeted at one person or a specific company, and is usually heavily customised to make it more believable.

One victim whose account was compromised told the BBC there were several things Twitter could have done differently.

"They shouldn't give the ability to a single employee to remove both email address on file and two-factor authentication," they said.

"I understand why there's a need for this - for example if a dormant account has a very old email that's inaccessible and you've lost your phone or something- but it should require two employees to sign off."

They also said communication from Twitter was poor.

"It took 10 days to reset this account with no actual personal response from Twitter. I literally got a 'click here to continue' automated email from their system when they added my email back to the account to allow me to reset it - and it looked like a phishing email."

Continue reading original article...


TwitterKim Kardashian WestJoe TidyJoe BidenBill Gates
You may also like