Cybersecurity professionals are trying to piece together how several Twitter accounts of prominent personalities were compromised to engineer a brazen cryptocoin scam.
The verified Twitter accounts of high-profile people and companies, including Joe Biden, Elon Musk, Barack Obama, Bill Gates, Apple and many others were hacked Wednesday by unknown cybercriminals.
Those accounts and many others posted a message asking individuals to send bitcoin currency to a specific cryptocurrency wallet, with the promise that money sent would be doubled and returned.
The attack used a classic spear-phishing technique to get threat actors into the Twitter environment and give them access to specialised administrative tools that have unrestricted access to accounts, says Morey Haber, CTO & CISO at cybersecurity firm BeyondTrust. “While the attack itself is not special, nor some elaborate zero-day threat, the ramifications of personnel within Twitter having such tools and access to high profile accounts is a serious concern,” he adds.
Initial signs indicate that the individual(s) gained access to a Twitter “admin” tool on the company’s network that allowed them to hijack the accounts.
Appropriately-managed access controls for administrative or supervisory accounts can assist in preventing the escalation of privileges, or abuse of permissions, that this particular attack relied upon, says Francis Gaffney, director of Threat Intelligence and Response, Mimecast. “These need to change to prevent further successful attacks such as this one, that can have massive reputational damage for any company,” he adds.
Rogue insider or duped employee aside, the illegitimate use of administration tools by legitimate users is challenging to detect, which is why privileged access remains a critical attack vector in so many breaches. “Over the next few days, incident responders will be working hard to scope out the totality of the compromise and looking for any evidence of remote orchestration in case the attackers have been able to penetrate and gain persistence inside Twitter’s systems,” says Battista Cagnoni, senior consultant, Advisory Services at Vectra.
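Because a duped employee or a rogue insider authenticates legitimately, detection of admin-tool abuse has to key on behaviour rather than identity. The following is an added example, not code from the article or from Twitter: it scans constructed JSON audit lines from a hypothetical account-admin tool and flags any operator who performs takeover-capable actions on more than a handful of distinct verified accounts inside a short window. Field names, action names and thresholds are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that let an operator take over an account (assumed names).
TAKEOVER_ACTIONS = {"change_email", "disable_2fa", "reset_password"}

# Constructed audit log: one JSON object per admin-tool action.
SAMPLE_LOG = """
{"ts":"2021-06-01T20:01:10","operator":"alice","action":"change_email","target":"@user_a","target_verified":false}
{"ts":"2021-06-01T20:02:30","operator":"support-07","action":"change_email","target":"@ceo_one","target_verified":true}
{"ts":"2021-06-01T20:03:05","operator":"support-07","action":"disable_2fa","target":"@ceo_one","target_verified":true}
{"ts":"2021-06-01T20:03:40","operator":"support-07","action":"change_email","target":"@founder_two","target_verified":true}
{"ts":"2021-06-01T20:04:12","operator":"support-07","action":"change_email","target":"@exec_three","target_verified":true}
{"ts":"2021-06-01T20:05:00","operator":"support-07","action":"change_email","target":"@brand_four","target_verified":true}
{"ts":"2021-06-01T21:30:00","operator":"alice","action":"reset_password","target":"@vip_five","target_verified":true}
"""

def parse_events(lines):
    """Parse JSON audit lines, converting the ISO timestamp to datetime."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events

def flag_operators(events, window=timedelta(minutes=10), max_targets=3):
    """Return {operator: sorted verified targets} for every operator who hit
    more than `max_targets` distinct verified accounts with takeover actions
    inside any sliding `window`. Normal support work touches one account at
    a time; a burst across many verified accounts is the signal."""
    by_op = defaultdict(list)
    for e in events:
        if e["action"] in TAKEOVER_ACTIONS and e.get("target_verified"):
            by_op[e["operator"]].append(e)
    alerts = {}
    for op, evs in by_op.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [x for x in evs[i:] if x["ts"] - start["ts"] <= window]
            targets = {x["target"] for x in in_window}
            if len(targets) > max_targets:
                alerts[op] = sorted(targets)
                break
    return alerts

if __name__ == "__main__":
    for op, targets in flag_operators(parse_events(SAMPLE_LOG.splitlines())).items():
        print(f"ALERT operator={op} verified_targets={targets}")
```

The same burst would look identical whether the session belongs to the real employee or to someone using their stolen credentials, which is the point: the alert fires on the pattern of privileged actions, not on who appears to be logged in.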
These types of scams will only succeed if people fall for their unlikely messages – which rely on people suspending their disbelief simply because the tweet comes from a celebrity or someone they are inclined to trust, notes Paul Ducklin, principal research scientist, Sophos.
“If a message sounds too good to be true, it is too good to be true,” says Ducklin. “If Musk, Gates, Apple, Biden, or any well-known person or company wanted to hand out huge amounts of money on a whim, they wouldn’t demand that you hand them money first. That’s not a gift, it’s a trick, and it’s an obvious sign that the person’s account has been hacked. If in doubt, leave it out,” he warns.
Unfortunately for the victims, cryptocurrency transactions don’t have the legal protections that you get with banks or payment card companies. “Sending someone cryptocoins is like handing over banknotes in an envelope – if they go to a crook, you will never see them again,” Ducklin says.