At 4:17 PM Eastern Time last Wednesday, July 15, a malicious tweet was posted on the Twitter account of Tesla and SpaceX CEO Elon Musk, claiming that any payment sent to the Bitcoin address linked in the tweet would be returned to the sender at double the amount.
The post was followed by multiple tweets carrying the same instructions from other “verified accounts” owned by various personalities and brands, including but not limited to Amazon CEO Jeff Bezos, Kanye West, Wiz Khalifa, Warren Buffett, Joe Biden, Apple, Uber and even former US President Barack Obama. The compromised users denied posting those tweets and said their accounts were secured with two-factor authentication.
In what appears to be an elaborate scam to trick users into sending money via Bitcoin, the person or people behind the attack have so far collected nearly USD 120,000. The social media platform responded by restricting the affected verified accounts (a restriction that had been lifted at the time of writing), limiting some functionality and locking the compromised accounts altogether until Twitter’s team had finished its investigation.
In response, @TwitterSupport released the following statement. “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools”.
The hackers behind the attack showed screenshots of the internal tools and panels they had gained access to by compromising Twitter employees working on the backend. The screenshots were also posted on the social media platform, but Twitter deleted those posts for violating its rules.
To gain more insight into the incident, CSA has reached out to various experts from cybersecurity firms in the region. Here are their takes and perspectives as to what really happened and how this threat can be avoided in the future.
Morey J. Haber, CTO/CISO of BeyondTrust, cited serious concern about the amount of authority, and the tools, an employee has when it comes to controlling a Twitter account. He added that the attack on the Twitter verified accounts used a classic spear-phishing technique to get threat actors into the Twitter environment and give them access to specialised administrative tools with unrestricted access to accounts. Such a technique may be aimed at specific employees, using malicious emails to obtain the credentials needed to reach the systems used to conduct the attacks.
However, Stas Protassov, Co-founder and Technology President of Acronis, believes that the incident is too well-prepared to be just a cryptocurrency scam.
“This was a case of human failure - as a company with offices all around the world, including Singapore, Twitter has a lot of housekeeping to do. And we believe there is a bigger play at hand. The attackers could have gained access to highly confidential DMs and private info of their high-profile targets - and used the scam as a power tool, to prove they had the info,” Protassov explained.
According to him, the scam itself is not the ultimate goal but a distraction, and the full impact of the incident on the compromised accounts and on Twitter itself is yet to be seen. The attackers chose high-profile accounts because of those users’ visibility, and the scam is just the start of what is to come.
To prevent such incidents, he suggested a combination of approaches including two-factor authentication and workstation patching and hardening, and noted that there is a whole methodology for privileged workstation security. “It's quite troublesome to follow. That's why, sadly, many companies simply skip it,” he added.
Addressing how such preventive measures were bypassed, Michael Borohovski, Director of Software Engineering at Synopsys Software Integrity Group, stated that it is highly likely the attackers were able to break into the backend or service layer of the Twitter application. He added that if the hackers do have access to Twitter’s backend, or direct database access, there is potentially nothing stopping them from stealing data in addition to using the tweet scam as a distraction, albeit a very profitable one.
Tim Mackey, Principal Security Strategist at the Synopsys Cybersecurity Centre, urged businesses to take note of what happened to Twitter and to strengthen their own security measures. He said companies should ask whether certain employees have the ability to edit user data as if they were the users themselves, and if so, how someone conducting a forensic analysis would differentiate between legitimate edits and those of a malicious actor impersonating an employee.
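The forensic question raised above (telling a user’s own edit apart from an employee acting as that user through an internal tool) only has an answer if the audit trail records the actor and the access path separately from the account being changed. The following added example, not from the article or any of the firms quoted, runs simple detection logic over constructed audit records with a hypothetical schema: it isolates employee-via-admin-tool edits and flags one employee identity posting on several verified accounts within a short window, the pattern this incident showed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records (hypothetical schema, not Twitter's real log format).
# Each record separates WHO acted (actor), through WHICH path, and ON WHOSE
# account (target); that separation is what a forensic analyst needs.
AUDIT_LOG = [
    {"ts": "2020-07-15T16:05:00", "actor": "user:alice", "path": "public_api",
     "target": "user:alice", "action": "post_tweet", "verified": False},
    {"ts": "2020-07-15T16:15:00", "actor": "emp:support42", "path": "admin_tool",
     "target": "user:vip1", "action": "post_tweet", "verified": True},
    {"ts": "2020-07-15T16:17:00", "actor": "emp:support42", "path": "admin_tool",
     "target": "user:vip2", "action": "post_tweet", "verified": True},
    {"ts": "2020-07-15T16:20:00", "actor": "emp:support42", "path": "admin_tool",
     "target": "user:vip3", "action": "post_tweet", "verified": True},
    {"ts": "2020-07-15T17:40:00", "actor": "emp:support07", "path": "admin_tool",
     "target": "user:bob", "action": "reset_email", "verified": False},
]


def impersonated_edits(log):
    """Records where an employee, via the internal tool, performed an action
    that normally only the account owner performs (posting as the user)."""
    return [r for r in log
            if r["actor"].startswith("emp:") and r["path"] == "admin_tool"
            and r["action"] == "post_tweet"]


def burst_alerts(log, window_min=15, min_accounts=3):
    """Flag an employee identity that posts on >= min_accounts distinct
    verified accounts within window_min minutes: a coordinated-takeover
    pattern rather than a one-off support action."""
    by_actor = defaultdict(list)
    for r in impersonated_edits(log):
        if r["verified"]:
            by_actor[r["actor"]].append((datetime.fromisoformat(r["ts"]), r["target"]))
    alerts = []
    for actor, events in by_actor.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Sliding window anchored at each event; collect distinct targets.
            in_window = {tgt for t, tgt in events[i:]
                         if t - t0 <= timedelta(minutes=window_min)}
            if len(in_window) >= min_accounts:
                alerts.append({"actor": actor, "accounts": sorted(in_window),
                               "start": t0.isoformat()})
                break
    return alerts
```

The email reset by `emp:support07` is a normal support action and is not flagged; only posting on a user’s behalf is treated as impersonation, and only a burst across verified accounts raises an alert.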
As for ordinary users of the platform, he said it is best to wait for the Twitter team to disclose when they are confident the attackers have not left any rogue software behind.
To avoid falling for such attacks or scams, Paul Ducklin, Principal Research Scientist at Sophos, gave the following tips:
If a message sounds too good to be true, it IS too good to be true. If any well-known person or company wanted to hand out huge amounts of money, they wouldn’t demand that you hand them money first. If in doubt, leave it out.
Cryptocurrency transactions don’t have the legal protections that you get with banks or payment card companies. There is no fraud reporting service or transaction cancellation in the world of cryptocurrency. Sending someone crypto coins is like handing over cash to a stranger in an envelope. So if in doubt, don’t send it out.
Look out for any and all signs that a message might not be real. Crooks don’t have to make spelling mistakes or get important details wrong, but often they do. So if they do make a blunder, don’t let them get away with it. Treat it with doubt unless everything checks out.
Dmitry Bestuzhev, Cybersecurity Expert at Kaspersky, stated that to maximise the protection of your social media accounts, your passwords should be strong and unique for each account on each platform. He also suggested using two-factor authentication, where the login and password must be confirmed by entering a special code. Another necessary measure is a thorough review of the apps that have access to your account; on Twitter, these can be found in the settings. Bestuzhev recommended revoking access for such external parties so that, if they get hacked, your account is not affected.