Twitter hack exposed the biggest cybersecurity weakness – us
Remember when Twitter allowed scammers to tweet an appeal for Bitcoin on behalf of some of its biggest names, including Barack Obama and Michael Bloomberg? It demonstrated how human weakness can be exploited to potentially devastating effect.
ANALYSIS: The social media ‘hacking’ disaster that befell Twitter in mid-2020 is a wake-up call for us all.
In mid-June 2020, the Twitter accounts of numerous high-profile politicians, celebrities and even leading US companies posted rather peculiar tweets to their tens of millions of followers.
Any unsolicited request to transfer Bitcoin should always raise a red flag with internet users. Bitcoin is the favoured currency of hackers and scammers. But here we had billionaire philanthropists Mike Bloomberg and Bill Gates, the rapper Kanye West and even titans of industry like Uber and Apple wanting to “give back to the community” with generous bitcoin payments.
It seemed too good to be true – and it was. Twitter was compromised at a fundamental level – and it wasn’t weak passwords or lax security on the part of those high profile people and organisations that saw their accounts hijacked. It was a critical weakness in Twitter’s own security policies.
“We detected what we believe to be a coordinated social-engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” Twitter explained on Friday, confirming that 130 people had their accounts exploited.
That sounds relatively minor. There wasn’t a lot of data stolen and the scam didn’t result in people being millions of dollars out of pocket as with ransomware attacks in the past. But remember that among that unfortunate group of exploited Twitter users were some of the most powerful and influential people in the world. Tweeting supposedly genuine messages from those accounts for malevolent purposes had the potential to do huge damage.
Getting to people
Social engineering. As online platforms and company networks are hardened against cyber attacks, hackers are having to get craftier to gain access to our online accounts, our sensitive data and our bank accounts.
The easiest way for them to do that is to exploit human nature. The key tool in their arsenal is the “phishing” attack, which can come in the form of an innocent-looking email, apparently sent from a colleague, asking for sensitive information to be revealed. Twitter explained on its company blog how social engineering had played a role in the exploit.
“The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections,” the company explained.
“As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, log in to the account, and send Tweets. We are continuing our forensic review of all of the accounts to confirm all actions that may have been taken. In addition, we believe they may have attempted to sell some of the usernames.”
This is likely how a scammer gained administrator access to Twitter’s system, allowing them to access and control multiple accounts unnoticed. The scenario could actually have been as simple as this: a scammer trawls LinkedIn for profiles of Twitter employees whose job titles indicate they work deep in the bowels of Twitter’s platform.
Then they send those people emails, using masking techniques to make them appear to be genuine company emails asking for log-in details to be updated via a convenient web link embedded in the message.
It is an old trick in the cyber criminal’s handbook and it was hugely embarrassing for Twitter’s security to be undone with a simple phishing attack. But it goes to show how vulnerable your organisation can be, even with all the security bells and whistles.
There is some suggestion that the exploit may actually have been an inside job, with an employee bribed into handing over access to the Twitter dashboard that allows admin staff to control individual accounts. If that’s the case, it is even more vexing for Twitter, having to re-evaluate the trust it has in the people who literally have the keys to its kingdom. As big tech companies, Facebook in particular, face a growing backlash from their own employees over their business activities and policies, the ‘employee gone rogue’ scenario is likely to become more common.
Dollars and sense
Either way, the entry point was through exploiting human weakness. Someone was either too trusting, too stupid or too greedy and Twitter suffered major embarrassment as a result. In real terms, it wasn’t a devastating incident.
Tracking payments to the Bitcoin address listed for the requested US$2000 transfer shows that only 400 Bitcoins were transferred by duped Twitter users, amounting to around $183,000.
The scammers knew they had mere minutes, maybe an hour tops, before account owners and their Twitter followers flagged the suspicious activity.
It could have been much worse. Say, for instance, the scammer had political motives in mind and hijacked dozens of accounts to spread misinformation on the eve of the US Presidential election – perhaps something crafted to sow doubt in the minds of Joe Biden supporters. Biden’s account was among those hacked, along with that of Barack Obama, who has 130.6 million followers.
Such a ruse – an attempt at social engineering on a massive scale – could have a major impact on democracy itself, an issue social media companies should be particularly sensitive to in the run-up to any major election. As such, Twitter had many questions to answer about the integrity of its platform and what it planned to do to ensure the accounts of influential Tweeters couldn’t be hijacked on such a scale again.
Keep your eyes open
This was a wake-up call for all social media platform operators. They risk a huge backlash from users, politicians and regulators if they can’t ensure the security that is required in the fast-moving world of social media.
For the rest of us, it is another important reminder. We are all vulnerable to these social engineering attempts. Be very careful what links you click on in an email. Never give out sensitive information, such as user details, password and log-in information over email. Always check carefully the email addresses and domain names of websites you receive messages from or are directed to.
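As an added illustration of the domain-checking advice above (example code, not from the article), this Python snippet pulls the links out of a constructed phishing-style email and flags any whose real destination does not match the trusted domain, does not match the visible link text, or uses a punycode hostname. The trusted domain, the sample email and the hostnames in it are all constructed for the example.

```python
import re
from urllib.parse import urlparse

TRUSTED_DOMAIN = "twitter.com"  # assumption: the brand the email claims to come from

# Constructed sample of the phishing-style email described in the article: a
# lookalike host, a brand name buried in an unrelated domain, and one genuine link.
SAMPLE_EMAIL = """<html><body>
<p>Your Twitter credentials expire today. Please update them now:</p>
<a href="https://twitter.com.account-verify.example/reset">https://twitter.com/settings</a>
<a href="http://twitter-login.example/update">Update your login details</a>
<a href="https://twitter.com/settings/account">https://twitter.com/settings/account</a>
</body></html>"""

# Anchor tags in simple HTML mail like the sample above (a full parser is
# overkill here); captures the href and the visible link text.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Link text that looks like a bare URL or hostname; captures the host part.
HOST_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?$")

def registrable_domain(host):
    """Last two labels of a hostname; adequate for the .com-style names used here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_link(href, text, trusted=TRUSTED_DOMAIN):
    """Return the reasons a link is suspicious; an empty list means it looks fine."""
    host = (urlparse(href).hostname or "").lower()
    actual = registrable_domain(host)
    reasons = []
    if actual != trusted:
        reasons.append(f"destination is {actual}, not {trusted}")
        if trusted.split(".")[0] in host:
            reasons.append("brand name embedded in an unrelated domain")
    shown = HOST_RE.match(text.strip())
    if shown and registrable_domain(shown.group(1)) != actual:
        reasons.append(f"visible text shows {shown.group(1)} but href goes to {host}")
    if "xn--" in host:
        reasons.append("punycode (IDN) hostname, possible homoglyph lookalike")
    return reasons

def scan_email(html, trusted=TRUSTED_DOMAIN):
    """Map every href in the email body to its list of warning reasons."""
    return {href: check_link(href, text, trusted) for href, text in ANCHOR_RE.findall(html)}

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", reasons or "looks fine")
```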
If multi-factor authentication (MFA) is available to you – it is offered as a standard feature of Office 365, Gmail and other email and cloud services, as well as for online banking – make use of it. This will greatly lessen the chance of a rogue actor logging in with account information stolen from you.
And lastly, if you ever see someone tweeting an appeal for you to send them Bitcoin, just block them and report the tweet to Twitter. It’s most likely a scam and probably not worth the risk.