UPDATE: Twitter has released new details about this attack, including that it was the result of spear phishing.
Two weeks ago, the Twitter accounts of several high-profile figures, including Microsoft’s co-founder Bill Gates and Tesla CEO Elon Musk, were hacked in a Bitcoin scam.
The attack, which has been described as the biggest hack in the social media platform’s history, compromised 130 accounts, including 45 that sent a tweet claiming that anyone who transferred money to a linked Bitcoin address could double their investment.
The scammers behind the operation tricked 398 people into handing over more than £109,000 in bitcoins.
What went wrong?
Twitter described the incident as a “coordinated social engineering attack” against employees with access to its internal tools.
It later clarified that it was a spear phishing attack conducted over the phone (also known as ‘vishing’).
“A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools,” it explained.
“Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes.
“This knowledge then enabled them to target additional employees who did have access to our account support tools.”
The attackers initially targeted cryptocurrency accounts, such as Binance, Bitcoin, Coinbase, CoinDesk, Gemini and Ripple, which were all hacked with the same message:
We have partnered with CryptoForHealth and are giving back 5000 BTC to the community.
The tweet contained a link to a phishing website that has since been taken down.
It’s not yet clear who is responsible for the attack, although the BBC reported that cryptoforhealth.com is registered to the email address firstname.lastname@example.org.
The name used to register the site was ‘Anthony Elias’, although this is probably a pseudonym and a play on “an alias”.
CryptoForHealth is also a registered username on Instagram, and appears to have been set up at around the same time as the attack.
After the attacks were detected, the Instagrammer posted a message that said: “It was a charity attack. Your money will find its way to the right place.”
The attackers soon moved from hijacking cryptocurrency accounts to those of public figures.
An errant tweet from Bill Gates’s account read: “Everyone is asking me to give back. You send $1,000, I send you back $2,000”.
Elon Musk appeared to make a similar offer, as his Twitter account proclaimed that he was “feeling generous because of Covid-19” and that he promised to double any Bitcoin payment made to a linked digital wallet “for the next 30 minutes”.
Likewise, Apple’s official Twitter account endorsed Bitcoin with this message:
Other celebrities whose accounts were hacked included Kanye West, Kim Kardashian West, Barack Obama, Mike Bloomberg and current Democratic presidential nominee Joe Biden.
The tweets were all deleted minutes after they were posted.
Although Twitter has been mired in many, many security issues over the years, it would be harsh to place too much blame on the social media giant in this case.
Unlike the majority of its past failings, which have generally been the result of privacy issues, this attack began with social engineering, which is notoriously hard to prevent.
Organisations should always train their staff to detect phishing and other scams, but it only takes one mistake to put the whole company at risk – although in this case the breach also compromised users directly.
Although Twitter wasn’t able to prevent the attack, it demonstrated its ability to detect the incident promptly and respond efficiently.
In a series of posts, Twitter explained that it had prevented further fraudulent messages by stopping many verified accounts from tweeting, blocking requests to reset passwords and disabling other account functions that could be abused.
It added that the organisation had “taken significant steps to limit access to internal systems and tools while our investigation is ongoing.”
Twitter Chief Executive Jack Dorsey tweeted later: “Tough day for us at Twitter. We all feel terrible this happened.”
By 00:30 GMT on Thursday, users with verified accounts were again able to send tweets, but Twitter said it was still working on a fix.
See the benefits of staff awareness training
This incident is just one of many that have taken place during the coronavirus pandemic, a time in which criminals have ruthlessly exploited the disruption organisations have faced.
Although lockdown is easing, plenty of employees will continue to work from home on a part- or full-time basis, and it’s your responsibility to ensure they understand the dangers that come with that.
Our Cyber Security for Remote Workers Staff Awareness E-learning Course teaches you everything you need to know, from how to spot phishing scams to the ways shared Wi-Fi can be exploited.
We’re currently offering a free two-week trial of this course, so you can see exactly how it benefits you and your staff. Simply add the number of corporate licences you require to your basket and proceed to checkout.