Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Editor-in-Chief, Help Net Security
July 31, 2020

Twitter employees were spear-phished over the phone

Twitter has finally shared more details about how the perpetrators of the recent hijacking of high-profile accounts to push a Bitcoin scam managed to pull it off.


The way in

To pull off the attack, the attackers needed two things: access to Twitter’s internal network, and the credentials of specific employees that granted access to the internal account support tools.

“The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack,” Twitter explained.

“Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools.”

Effectively, the attackers exploited people rather than software: the initial compromise came from a phone call, and the first stolen credentials were used mainly to learn who else to call. “This was a striking reminder of how important each person on our team is in protecting our service,” the company noted.

Twitter says that access to its internal account support tools is “strictly limited” and “only granted for valid business reasons”, but apparently the attackers had a sizeable number of possible targets to try their luck with, as over a thousand Twitter employees and contractors had access to internal tools.

What’s Twitter doing to prevent similar attacks in the future?

While Twitter has controls and processes in place to prevent and detect misuse, the company is working on making them better.

For the moment, they’ve “significantly limited” access to the internal tools and systems, and are accelerating several of their pre-existing security workstreams and improvements to their tools.

“We are also improving our methods for detecting and preventing inappropriate access to our internal systems and prioritizing security work across many of our teams. We will continue to organize ongoing company-wide phishing exercises throughout the year,” they added.

“Our investigation is ongoing, and we are working with the appropriate authorities to ensure that the people responsible for this attack are identified.”

The attackers targeted 130 Twitter accounts in all, tweeted from 45 of them, accessed the DMs of 36, and downloaded the Twitter data of 7 users.

The company has promised to publish a more detailed technical report on what occurred once the investigation is over.

UPDATE (July 31, 2020, 1:00 a.m. PT):

US authorities have arrested a 17-year-old from Tampa, Florida, whom they believe to be the mastermind behind the account hijacking and Bitcoin scam.

He will be charged with multiple counts of communication fraud, fraudulent use of personal information, organised fraud and access to computers or electronic devices without authority.

UPDATE (July 31, 2020, 9:35 a.m. PT):

Two additional individuals are being accused of having participated in the attack: Mason Sheppard, aka “Chaewon,” a 19-year-old from the UK, and Nima Fazeli, aka “Rolex,” 22, of Orlando, Florida.

© Copyright 1998-2023 by Help Net Security