On Friday, the FBI, IRS, U.S. Secret Service and Florida law enforcement arrested 17-year-old Graham Clark of Tampa, Florida and accused the teen of being the “mastermind” behind the largest security and privacy breach in Twitter’s history. Two other individuals were also charged by the U.S. Department of Justice, including 22-year-old Nima Fazeli of Orlando and 19-year-old Mason Sheppard in the UK, according to a report from The Verge.
It was also only Friday that the micro-blogging service finally addressed some questions about this month’s unprecedented spear phishing attack, which allowed hackers to tweet from some of its most high-profile accounts.
“The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack,” Twitter announced via a blog post. “A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes.”
The social media company also admitted that a few of its employees were targeted in a phone spear phishing attack in which the callers potentially posed as colleagues or as members of the company’s security team.
The three hackers subsequently gained access to the Twitter accounts of former President Barack Obama, former Vice President Joe Biden, Microsoft founder Bill Gates, tech visionary Elon Musk and musician Kanye West among others as part of a huge bitcoin scam.
“This situation highlights the importance of cybersecurity cultural awareness within an organization’s end-user community,” warned Bill Santos, President & COO, Cerberus Sentinel. “The reality is you are only as secure as your most naive employee, and constant training, testing, and reinforcement are the single most important action an organization can take to defend itself against these kinds of attacks.”
What is especially upsetting about this particular case is that Mr. Clark had already been in the crosshairs of law enforcement, which highlights the fact that cybercrime still isn’t being taken seriously enough.
“As we’re learning, one of the young men arrested today was previously investigated back in April, and the Secret Service previously took 700K bitcoin from him,” explained Chloé Messdaghi, VP of Strategy at Point3 Security.
The current Covid-19 pandemic, which has many individuals working remotely as well as many companies understaffed, has created a perfect storm for such attacks.
“We’re in a time when people are generally overwhelmed and attackers know this and are actively exploiting it,” added Messdaghi.
“That’s why we’re seeing a rise in mobile phishing in particular,” she noted. “Think about it: now more than ever, if someone gets a text on their mobile from a boss who doesn’t usually reach out that way, they’re likely to chalk it up to the interoffice lines of communications that have been blurred and rewritten by the pandemic. And if an employee is then asked by someone purporting to be their boss with a message saying ‘we have a serious problem’ and to please call a helpdesk number immediately, they’re more likely to comply before thinking things through – again, because the pandemic has made people overwhelmed and eager to respond to security threats.”
It is also true that while we’ve all been taught about the dangers of unsolicited email and our desktop/laptop computers are loaded with anti-virus/anti-malware software, our mobile phones are open gateways for bad actors.
“On top of that, mobile is a much better way to phish someone versus laptop computing – studies say that even well informed users are three times more likely to fall for a phishing link on a small screen vs. a desktop, because it’s harder visually and logistically to double check a link,” said Messdaghi.
She laid out some common phishing-through-mobile approaches, which include SMS messages that warn of a security situation or ask the recipient to ‘click here to validate’; URL padding, where a bad actor takes a legitimate domain and adds malicious extensions onto it; malicious Tiny URLs that take the unsuspecting recipient to an insecure and dangerous site; and mobile verification code scams.
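The URL-padding and link-shortener patterns described above are the kind of thing a defender can screen for before a link is ever tapped. The following is an added example, not code from the article or from Point3 Security; the brand list, shortener list and sample URLs are constructed assumptions, and the registrable-domain logic is a deliberate simplification that a real deployment would replace with a Public Suffix List lookup.

```python
"""Classify a link against the mobile-phishing URL patterns the article
lists: a legitimate brand's hostname padded into a long subdomain, and
link shorteners that hide the real destination. All lists are assumptions."""
from urllib.parse import urlsplit

WATCHED_BRANDS = {"twitter", "paypal", "microsoft"}      # assumed watch list
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}           # assumed shortener hosts
MAX_HOST_LEN = 60                                        # assumed threshold


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Simplification: multi-part suffixes such as co.uk need the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return 'invalid', 'shortener', 'padded', 'long_host' or 'ok'."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "invalid"
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        return "shortener"
    # Everything left of the registrable domain is attacker-controlled text.
    subdomain = host[: -len(reg)].rstrip(".")
    # Padding puts a trusted brand name in the subdomain, often followed by
    # runs of hyphens so the real domain scrolls off a small screen.
    # Treat hyphens as label separators so "twitter-com----login" is caught.
    sub_tokens = set(subdomain.replace("-", ".").split("."))
    if sub_tokens & WATCHED_BRANDS:
        return "padded"
    if "---" in host or len(host) > MAX_HOST_LEN:
        return "long_host"
    return "ok"


if __name__ == "__main__":
    # Constructed sample links, not real indicators.
    for link in ("https://help.twitter.com/forms",
                 "https://m.twitter.com------verify.example.net/x",
                 "http://bit.ly/abc"):
        print(f"{classify_url(link):10} {link}")
```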
“There needs to be a lot more conversations about mobile phishing in particular, and any phishing really,” added Messdaghi. “Rule number one: Always question everything you get, including and especially anything from your employer.”
Social Being Targeted
In this most recent attack, the hackers used the Twitter accounts as part of a rather simple bitcoin scam, but what is worrisome is that the same access could have been used to impact the stock market, discredit individuals during an election year or even cause an international incident.
While this latest exploit may have cost some individuals money, the situation could have been far worse. The accessed accounts could have provided untold personal information, including those of contacts, to the hackers.
“Social media platforms like any other online service are vulnerable to data compromise or account impersonation from multiple vectors,” explained Santos.
“Trusting information posted on social media without independent verification is subject to manipulation by attackers whether through hacking or disinformation campaigns,” Santos added.
Fortunately, the attackers went for the proverbial low-hanging fruit.
“Cyber criminals are typically after monetary scams like the fraudulent bitcoin related tweets sent out during the recent Twitter hack, but they also routinely compromise ordinary accounts and send out messages asking their contacts for money by claiming to be the victim stuck in a foreign country,” said Santos. “Nation states continuously bombard social media with disinformation campaigns to further their own interests, whether that be garnering support for preferred policy initiatives or inciting social unrest by stoking fear and hate. As a rule, you should question any information presented over social media and seek outside confirmation before sending money or blindly believing narratives presented, especially if they seem designed to be inflammatory or upsetting.”