Twitter employees were spear-phished over the phone

Twitter has finally shared more details about how the perpetrators of the recent hijacking of high-profile accounts to push a Bitcoin scam managed to pull it off.

The way in

To pull off the attack, attackers had to obtain access to Twitter’s internal network AND specific employee credentials that granted them access to internal support tools.

“The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack,” Twitter explained.

“Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools.”

Effectively, the attackers exploited human nature/vulnerabilities. “This was a striking reminder of how important each person on our team is in protecting our service,” the company noted.

Twitter says that access to its internal account support tools is “strictly limited” and “only granted for valid business reasons”, but apparently the attackers had a sizeable number of possible targets to try their luck with, as over a thousand Twitter employees and contractors had access to internal tools.

What’s Twitter doing to prevent similar attacks in the future?

While Twitter has controls and processes in place to prevent and detect misuse, the company is working on making them better.

For the moment, they’ve “significantly limited” access to the internal tools and systems, and are accelerating several of their pre-existing security workstreams and improvements to their tools.

“We are also improving our methods for detecting and preventing inappropriate access to our internal systems and prioritizing security work across many of our teams. We will continue to organize ongoing company-wide phishing exercises throughout the year,” they added.

“Our investigation is ongoing, and we are working with the appropriate authorities to ensure that the people responsible for this attack are identified.

The attacker targeted 130 Twitter accounts in all, tweeted from 45 of them, accessed the DMs of 36, and downloaded Twitter data of 7 users.

The company has promised to publish a more detailed technical report on what occurred once the investigation is over.

UPDATE (July 31, 2020, 1:00 a.m. PT):

US authorities have arrested a 17-year-old teen from Tampa, Florida, who they believe is the mastermind behind the account hijacking/Bitcoin scam.

He will be charged with multiple counts of communication fraud, fraudulent use of personal information, organised fraud and access to computers or electronic devices without authority.

UPDATE (July 31, 2020, 9:35 a.m. PT):

Two additional individuals are being accused of having participated in the attack: Mason Sheppard, aka “Chaewon,” a 19-year-old from the UK, and Nima Fazeli, aka “Rolex,” 22, of Orlando, Florida.